----------------------------------------- Version 12.5-Build4.62 2020-04-19T19:30:07 -----------------------------------------
Patch: SUSE-2014-85
Released: Tue Nov 4 16:29:29 2014
Summary: Recommended update for dirmngr
Severity: moderate
References: 901845
Description:
This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)
-----------------------------------------
Patch: SUSE-2014-76
Released: Wed Nov 5 16:41:10 2014
Summary: Security update for wget
Severity: moderate
References: 902709,CVE-2014-4877
Description:
wget was updated to fix one security issue.

This security issue was fixed:
- FTP symlink arbitrary filesystem access (CVE-2014-4877).
-----------------------------------------
Patch: SUSE-2014-66
Released: Thu Nov 6 06:23:15 2014
Summary: Recommended update for gcc48
Severity: moderate
References: 899871
Description:
This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code when using option -pg.
-----------------------------------------
Patch: SUSE-2014-97
Released: Fri Nov 28 10:20:32 2014
Summary: Security update for file
Severity: moderate
References: 888308,902367,CVE-2014-3710
Description:
file was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read in ELF note headers (CVE-2014-3710).

This non-security issue was fixed:
- Correctly identify GDBM files created by libgdbm4 (bnc#888308).
-----------------------------------------
Patch: SUSE-2014-113
Released: Tue Dec 2 18:17:57 2014
Summary: Security update for cpio
Severity: moderate
References: 658010,907456,CVE-2014-9112
Description:
This cpio security update fixes the following buffer overflow issue and two non-security issues:
- fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
- prevent cpio from extracting over a symlink (bnc#658010)
- fix a truncation check in mt
-----------------------------------------
Patch: SUSE-2015-4
Released: Wed Dec 3 15:57:25 2014
Summary: Security update for libyaml
Severity: moderate
References: 907809,CVE-2014-9130
Description:
This libyaml update fixes the following security issue:
- bnc#907809: assert failure when processing wrapped strings (CVE-2014-9130)
-----------------------------------------
Patch: SUSE-2015-16
Released: Thu Dec 11 09:25:27 2014
Summary: Security update for libksba
Severity: moderate
References: 907074,CVE-2014-9087
Description:
This libksba update fixes the following security issue:
- bnc#907074: buffer overflow in OID processing (CVE-2014-9087)
-----------------------------------------
Patch: SUSE-2015-34
Released: Fri Dec 19 15:16:12 2014
Summary: Security update for ruby2.1
Severity: moderate
References: 902851,905326,CVE-2014-8080,CVE-2014-8090
Description:
This ruby update fixes the following two security issues:
- bnc#902851: fix CVE-2014-8080: denial of service through XML entity expansion
- bnc#905326: fix CVE-2014-8090: another denial of service through XML entity expansion
- Enable tests to run during the build. This way we can compare the results on different builds.
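The two ruby2.1 issues above (CVE-2014-8080, CVE-2014-8090) are entity-expansion denial of service: a DTD of a few hundred bytes declares entities that reference each other, so the text the parser has to materialise grows geometrically ("billion laughs"). The fix in a parser is to bound the expansion before the body is expanded rather than after the memory is gone. The example below is added here and is not code from the advisory, from Ruby or from SUSE; it uses Python's bundled expat binding, hooks the entity-declaration callback, and computes the fully expanded size of every internal entity declared so far, aborting as soon as that size exceeds a budget. The budget value, the document names and the constructed inputs are assumptions for the demonstration; external entities are simply refused.

```python
import re
import xml.parsers.expat

# Matches a general entity reference such as &lol1; inside an entity's replacement text.
ENTITY_REF = re.compile(r"&([^;&\s]+);")


class EntityExpansionError(ValueError):
    """The DTD declares entities whose full expansion would exceed the configured budget."""


def expanded_length(name, declared, memo, stack):
    """Size of entity `name` once every internal entity it references is expanded, recursively."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise EntityExpansionError("entity %r references itself" % name)
    value = declared.get(name)
    if value is None:
        # Predefined (&amp; etc.) or not declared so far: counts as the literal reference.
        return len(name) + 2
    stack.add(name)
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - pos
        total += expanded_length(m.group(1), declared, memo, stack)
        pos = m.end()
    total += len(value) - pos
    stack.discard(name)
    memo[name] = total
    return total


def parse_with_expansion_budget(document, max_expansion=100_000):
    """Parse `document`, aborting while the DTD is still being read if any declared
    entity could expand beyond `max_expansion` characters.
    Returns (root element name, largest expansion seen)."""
    parser = xml.parsers.expat.ParserCreate()
    declared = {}
    state = {"largest": 0, "root": None}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            # External entity (SYSTEM/PUBLIC): never fetched here, and refused outright.
            raise EntityExpansionError("external entity %r not allowed" % name)
        declared[name] = value
        # Re-evaluate every entity declared so far: a replacement text may reference
        # an entity that is only declared later in the DTD.
        memo = {}
        for n in declared:
            state["largest"] = max(state["largest"], expanded_length(n, declared, memo, set()))
        if state["largest"] > max_expansion:
            raise EntityExpansionError(
                "entity expansion of %d characters exceeds budget %d"
                % (state["largest"], max_expansion))

    def on_start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    parser.Parse(document, True)   # an exception raised in a handler propagates out of Parse()
    return state["root"], state["largest"]


# Constructed inputs for the demonstration (not taken from the advisory).
BENIGN_DOC = '<!DOCTYPE note [ <!ENTITY vendor "SUSE"> ]><note>&vendor;</note>'


def make_bomb(depth=4, fanout=10):
    """Constructed 'billion laughs' document: lol<depth> expands to 3 * fanout**depth characters."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
        prev = "lol%d" % i
    return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&%s;</lolz>\n' % (
        "\n".join(decls), prev)


if __name__ == "__main__":
    print(parse_with_expansion_budget(BENIGN_DOC))            # ('note', 4)
    try:
        parse_with_expansion_budget(make_bomb(), max_expansion=10_000)
    except EntityExpansionError as exc:
        print("rejected:", exc)
```

The check runs inside the DTD, so a bomb is rejected after a few hundred bytes of input and before `&lol4;` in the body is ever expanded; parameter-entity references (`%name;`) are not tracked because the internal subset cannot use them inside entity values.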
-----------------------------------------
Patch: SUSE-2014-126
Released: Fri Dec 19 20:16:00 2014
Summary: Security update for file
Severity: moderate
References: 910252,910253,CVE-2014-8116,CVE-2014-8117
Description:
This file update fixes the following security issues:
- bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
- bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)
-----------------------------------------
Patch: SUSE-2015-12
Released: Wed Jan 7 11:24:10 2015
Summary: Security update for unzip
Severity: moderate
References: 909214,CVE-2014-8139,CVE-2014-8140,CVE-2014-8141
Description:
This update fixes the following security issues:
- CVE-2014-8139: fix heap overflow condition in the CRC32 verification (fixes bnc#909214)
- CVE-2014-8140 and CVE-2014-8141: fix a write error (*_8349_*) in extract.c:test_compr_eb(), and read errors (*_6430_*, *_3422_*) in process.c:getZip64Data() (fixes bnc#909214)
-----------------------------------------
Patch: SUSE-2015-50
Released: Thu Jan 15 16:33:18 2015
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 888534
Description:
The system root SSL certificates were updated to match Mozilla NSS 2.2.

Some removed/disabled 1024-bit certificates were temporarily re-enabled/re-added, as openssl and gnutls handle intermediates differently from Mozilla NSS and would otherwise not recognize SSL certificates from commonly used sites like Amazon.

- Updated to 2.2 (bnc#888534)
  - The following CAs were added:
    + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth
    + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth
    + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth
    + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
  - The following CAs were changed:
    + Equifax_Secure_eBusiness_CA_1: remove code signing and https trust, leave email trust
    + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2: only trust emailProtection
- Updated to 2.1 (bnc#888534)
  - The following 1024-bit CA certificates were removed:
    - Entrust.net Secure Server Certification Authority
    - ValiCert Class 1 Policy Validation Authority
    - ValiCert Class 2 Policy Validation Authority
    - ValiCert Class 3 Policy Validation Authority
    - TDC Internet Root CA
  - The following CA certificates were added:
    - Certification Authority of WoSign
    - CA 沃通根证书
    - DigiCert Assured ID Root G2
    - DigiCert Assured ID Root G3
    - DigiCert Global Root G2
    - DigiCert Global Root G3
    - DigiCert Trusted Root G4
    - QuoVadis Root CA 1 G3
    - QuoVadis Root CA 2 G3
    - QuoVadis Root CA 3 G3
  - The trust bits were changed for the following CA certificates:
    - Class 3 Public Primary Certification Authority
    - Class 3 Public Primary Certification Authority
    - Class 2 Public Primary Certification Authority - G2
    - VeriSign Class 2 Public Primary Certification Authority - G3
    - AC Raíz Certicámara S.A.
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
- Temporarily re-enable some root CA trusts, as openssl/gnutls have trouble using intermediates as root CA:
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2
-----------------------------------------
Patch: SUSE-2015-40
Released: Thu Jan 15 18:35:11 2015
Summary: Security update for rpm
Severity: important
References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118
Description:
This rpm update fixes the following security and non-security issues:
- bnc#908128: Check for invalid name sizes (CVE-2014-8118)
- bnc#906803: Create files with mode 0 while their content is being written; the final mode is applied afterwards (CVE-2013-6435)
- bnc#892431: Honor --noglob in install mode
- bnc#911228: Fix noglob patch, it broke files with spaces.
-----------------------------------------
Patch: SUSE-2015-92
Released: Fri Jan 30 14:51:02 2015
Summary: Security update for unzip
Severity: moderate
References: 914442,CVE-2014-9636
Description:
unzip was updated to fix one security issue.

This security issue was fixed:
- Out-of-bounds read/write in test_compr_eb() in extract.c (CVE-2014-9636).
-----------------------------------------
Patch: SUSE-2015-76
Released: Fri Jan 30 15:01:03 2015
Summary: Security update for elfutils
Severity: moderate
References: 911662,CVE-2014-9447
Description:
elfutils was updated to fix one security issue.

This security issue was fixed:
- Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).
-----------------------------------------
Patch: SUSE-2015-121
Released: Tue Feb 3 16:30:16 2015
Summary: Recommended update for pam
Severity: low
References: 912922
Description:
This update for pam fixes updating of NIS passwords.
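Four of the fixes above are the same class of bug seen from different tools: wget writing through an FTP symlink (CVE-2014-4877), cpio extracting over a symlink (bnc#658010), elfutils following a `..` member name out of the target directory (CVE-2014-9447), and rpm leaving a file world-accessible while it was still being written (CVE-2013-6435). The example below is added here and is not code from any of those projects or from SUSE; it is a minimal extractor that (1) rejects absolute names and `..` components, (2) descends one path component at a time with O_NOFOLLOW so a symlink planted at any level is refused rather than followed, (3) creates every file with O_EXCL so nothing existing is written over, and (4) creates it with mode 0 and applies the archive mode only after the content is complete. It assumes a Linux or other POSIX host with `dir_fd` support in `os.open`/`os.mkdir`; the member list, the planted symlinks and the temporary directories are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


class UnsafeEntry(ValueError):
    """Raised for an archive member that must not be written."""


def split_member_name(name):
    """Reject the classic traversal vectors: empty or absolute names and '..' components."""
    if not name or name.startswith("/"):
        raise UnsafeEntry("absolute or empty member name: %r" % name)
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeEntry("member name escapes the target directory: %r" % name)
    return parts


def open_subdir(dir_fd, name):
    """Create (if missing) and open one directory component relative to dir_fd.
    O_NOFOLLOW refuses a symlink planted at this level; O_DIRECTORY refuses a plain file."""
    try:
        os.mkdir(name, 0o700, dir_fd=dir_fd)
    except FileExistsError:
        pass
    try:
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:
        raise UnsafeEntry("refusing to descend into %r: %s" % (name, exc.strerror)) from exc


def extract_member(dest_fd, name, data, mode):
    """Write one regular-file member below dest_fd, one path component at a time."""
    *dirs, leaf = split_member_name(name)
    cur = os.dup(dest_fd)
    try:
        for d in dirs:
            nxt = open_subdir(cur, d)
            os.close(cur)
            cur = nxt
        try:
            # O_EXCL: never write through an existing path, so a symlink already sitting
            # there is refused instead of followed (the cpio/wget class of bug).
            # Mode 0 at creation: nobody can read or execute the file while it is still
            # being written; the real mode is applied only once the content is complete
            # (the rpm CVE-2013-6435 fix). The fd we hold stays writable regardless.
            fd = os.open(leaf, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0,
                         dir_fd=cur)
        except OSError as exc:
            raise UnsafeEntry("refusing to create %r: %s" % (name, exc.strerror)) from exc
        try:
            view = memoryview(data)
            while view:                       # os.write may write less than asked
                view = view[os.write(fd, view):]
            # Strip setuid/setgid/sticky: a generic extractor has no business setting them.
            os.fchmod(fd, mode & 0o777)
        finally:
            os.close(fd)
    finally:
        os.close(cur)


def extract_all(entries, dest):
    """Extract (name, data, mode) members into dest; returns {name: 'ok' or 'rejected: ...'}."""
    dest_fd = os.open(dest, os.O_RDONLY | os.O_DIRECTORY)
    results = {}
    try:
        for name, data, mode in entries:
            try:
                extract_member(dest_fd, name, data, mode)
                results[name] = "ok"
            except UnsafeEntry as exc:
                results[name] = "rejected: %s" % exc
    finally:
        os.close(dest_fd)
    return results


def demo():
    """Constructed archive against a target directory in which symlinks were planted."""
    dest = tempfile.mkdtemp(prefix="extract-")
    outside = tempfile.mkdtemp(prefix="outside-")
    try:
        target = os.path.join(outside, "target")
        with open(target, "w") as f:
            f.write("original")
        os.symlink(outside, os.path.join(dest, "link-dir"))   # directory symlink out of dest
        os.symlink(target, os.path.join(dest, "link-file"))   # file symlink out of dest
        entries = [
            ("bin/hello", b"#!/bin/sh\necho hello\n", 0o4755),  # setuid bit must be stripped
            ("../escape", b"x", 0o644),
            ("/etc/passwd", b"x", 0o644),
            ("link-dir/pwned", b"x", 0o644),
            ("link-file", b"x", 0o644),
        ]
        results = extract_all(entries, dest)
        results["_hello_mode"] = stat.S_IMODE(os.stat(os.path.join(dest, "bin", "hello")).st_mode)
        with open(target) as f:
            results["_outside_untouched"] = (f.read() == "original"
                                             and not os.path.exists(os.path.join(outside, "pwned")))
        return results
    finally:
        shutil.rmtree(dest)
        shutil.rmtree(outside)
```

Resolving the path component by component against an open directory descriptor is what makes the symlink checks race-free: a single `os.path.realpath()` check before `open()` can be invalidated by a symlink swapped in between the two calls.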
-----------------------------------------
Patch: SUSE-2015-69
Released: Mon Feb 23 11:53:02 2015
Summary: Recommended update for timezone
Severity: important
References: 912415,915422,915693
Description:
This update provides the latest timezone information (2015a) for your system, including the following changes:
- Add positive leap second on 2015-06-30 23:59:60 UTC, as per IERS Bulletin C 49. (bsc#912415)
- Mexico state Quintana Roo (America/Cancun) shifts from Central Time with DST to Eastern Time without DST on 2015-02-01 02:00. (bsc#915422)
- Chile (America/Santiago) will retain old DST as standard time from April, also Pacific/Easter, and Antarctica/Palmer.

This release also includes changes affecting past time stamps, documentation and some minor bug fixes. For a comprehensive list, refer to the release announcement from ICANN:
- http://mm.icann.org/pipermail/tz-announce/2015-January/000028.html
-----------------------------------------
Patch: SUSE-2015-274
Released: Mon Feb 23 22:21:35 2015
Summary: Recommended update for openslp
Severity: moderate
References: 909195
Description:
This update for openslp provides the following fixes:
- Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
- Bring back the allowDoubleEqualInPredicate option.
-----------------------------------------
Patch: SUSE-2015-313
Released: Fri Mar 13 00:47:47 2015
Summary: Recommended update for pciutils
Severity: low
References: 837347
Description:
This update for pciutils fixes a memory leak in function get_cache_name().
-----------------------------------------
Patch: SUSE-2015-275
Released: Wed Mar 18 18:21:44 2015
Summary: Recommended update for procps
Severity: low
References: 901202,908516
Description:
This update for procps provides the following fixes:
- Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
- Fix handling of arguments to -s option in free(1). (bsc#908516)
- Correct package name in descriptions: procps, not props.
-----------------------------------------
Patch: SUSE-2015-146
Released: Mon Mar 23 11:45:22 2015
Summary: Recommended update for timezone
Severity: low
References: 923498
Description:
This update provides the latest timezone information (2015b) for your system, including the following changes:
- Mongolia will start observing DST again in 2015, from the last Saturday in March to the last Saturday in September.
- Palestine will start DST on March 28, not March 27.
- Fix integer overflow bug in reference 'mktime' implementation.

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN:
- http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html
-----------------------------------------
Patch: SUSE-2015-156
Released: Tue Mar 24 17:51:59 2015
Summary: Security update for pigz
Severity: moderate
References: 913627,CVE-2015-1191
Description:
Pigz, a multi-threaded implementation of gzip, was updated to fix one vulnerability.

The following vulnerability was fixed:
* A crafted file could have caused an unwanted directory traversal on extract (CVE-2015-1191)
-----------------------------------------
Patch: SUSE-2015-169
Released: Wed Apr 15 02:34:35 2015
Summary: Recommended update for timezone
Severity: low
References: 927184
Description:
This update provides the latest timezone information (2015c) for your system, including the following changes:
- Egypt's spring-forward transition in 2015 will be on Thursday, April 30 at 24:00, not Friday, April 24 at 00:00.

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcement from ICANN:
- http://mm.icann.org/pipermail/tz-announce/2015-April/000030.html
-----------------------------------------
Patch: SUSE-2015-174
Released: Sat Apr 25 15:13:10 2015
Summary: Recommended update for timezone
Severity: low
References: 928246
Description:
This update adjusts Egypt's time zone definitions, canceling DST from 2015 onwards.
-----------------------------------------
Patch: SUSE-2015-296
Released: Thu Jun 11 15:46:59 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591
Description:
This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.

libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591).

FIPS 140-2 related changes:
* The library performs its self-tests when the module is complete (the -hmac file is also installed).
* Added a NIST SP 800-90A compliant DRBG.
* Change DSA key generation to be FIPS 186-4 compliant.
* Change RSA key generation to be FIPS 186-4 compliant.
* Enable HW support in FIPS mode (bnc#896435)
* Make DSA selftest use 2048-bit keys (bnc#898003)
* Added ECDSA selftests and added support for it to the CAVS testing framework (bnc#896202)
* Various CAVS testing improvements.
-----------------------------------------
Patch: SUSE-2015-283
Released: Tue Jun 16 15:02:53 2015
Summary: Recommended update for timezone
Severity: low
References: 928841,934654
Description:
This update provides the latest timezone information (2015e) for your system, including the following changes:
- Morocco will suspend DST from 2015-06-14 03:00 through 2015-07-19 02:00, not 06-13 and 07-18.
- Assume Cayman Islands will observe DST starting next year, using US rules.
- Fix post-install script to overwrite the temporary file when attempting to create /etc/localtime as a hard link. (bsc#928841)

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, refer to the release announcements from ICANN:
http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html
http://mm.icann.org/pipermail/tz-announce/2015-April/000031.html
-----------------------------------------
Patch: SUSE-2015-361
Released: Wed Jul 15 08:26:27 2015
Summary: Recommended update for gcc48, libffi48, libgcj48
Severity: moderate
References: 889990,917169,919274,922534,924525,924687,927993,930176,934689
Description:
The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.

It includes various bug fixes found by our customers:
* Fixes bogus integer overflow in constant expression. [bnc#934689]
* Fixes ICE with atomics on aarch64. [bnc#930176]
* Includes fix for -imacros bug. [bnc#917169]
* Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
* Includes updated -mhotpatch for s390x. [bnc#924525]
* Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
* Includes patches to allow building against ISL 0.14.
* Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
* Fix a reload issue on S390 (GCC PR66306).
* Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]
-----------------------------------------
Patch: SUSE-2015-422
Released: Tue Jul 28 06:25:51 2015
Summary: The Toolchain module containing GCC 5.2
Severity: low
References: 926412,936050,937823
Description:
This update contains the release of the new SUSE Linux Enterprise Toolchain module.

Its major feature is the GNU Compiler Collection 5.2; please see https://gcc.gnu.org/gcc-5/changes.html for important changes.

This update also includes a version update of binutils to the 2.25 release branch to provide features and bugfixes. The following features have been added to binutils:
* IBM zSeries z13 hardware support (fate#318036, bnc#936050).
* various IBM Power8 improvements (fate#318238, bnc#926412).
* AVX512 support on the Intel EM64T platform (fate#318520).

The GNU Debugger gdb was updated to version 7.9.1, bringing various features and lots of bugfixes. IBM zSeries z13 hardware support has also been added to gdb. (fate#318039)
-----------------------------------------
Patch: SUSE-2015-416
Released: Tue Aug 11 18:18:42 2015
Summary: Recommended update for timezone
Severity: low
References: 941249
Description:
This update provides the latest timezone information (2015f) for your system, including the following changes:
- North Korea switches to +0830 on 2015-08-15. The abbreviation remains 'KST'.
- Uruguay no longer observes DST.
- Moldova starts and ends DST at 00:00 UTC, not at 01:00 UTC.

This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html
-----------------------------------------
Patch: SUSE-2015-500
Released: Mon Aug 17 11:36:33 2015
Summary: Security update for libgcrypt
Severity: moderate
References: 920057,938343,CVE-2015-0837
Description:
This update fixes the following issues:

Security:
* Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, "Last-Level Cache Side-Channel Attacks are Practical"] (bsc#920057)

Bugfixes:
* Don't drop privileges when locking secure memory (bsc#938343)
-----------------------------------------
Patch: SUSE-2015-530
Released: Wed Aug 26 03:07:07 2015
Summary: Recommended update for sed
Severity: low
References: 933029
Description:
This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.
-----------------------------------------
Patch: SUSE-2015-546
Released: Wed Aug 26 21:16:17 2015
Summary: Recommended update for tar
Severity: low
References: 940120
Description:
This update for tar enables support for ACLs, extended attributes (xattr) and SELinux.
-----------------------------------------
Patch: SUSE-2015-561
Released: Tue Sep 1 21:05:50 2015
Summary: Recommended update for kbd
Severity: low
References: 915473
Description:
This update fixes loading of some console keymaps, including the default keymap used by 'loadkeys -d'.
-----------------------------------------
Patch: SUSE-2015-568
Released: Wed Sep 16 13:30:12 2015
Summary: Recommended update for grep
Severity: low
References: 920386
Description:
This update for grep fixes undefined behaviour with -P and non-UTF-8 data.
-----------------------------------------
Patch: SUSE-2015-682
Released: Fri Oct 2 19:17:57 2015
Summary: Recommended update for timezone
Severity: low
References: 948227,948568
Description:
This update provides the latest timezone information (2015g) for your system, including the following changes:
- Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
- Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
- Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
- Fort Nelson, British Columbia will not fall back on 2015-11-01. It has effectively been on MST (-0700) since it advanced its clocks on 2015-03-08. Add new zone America/Fort_Nelson.

This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz/2015-October/022728.html
-----------------------------------------
Patch: SUSE-2015-708
Released: Tue Oct 13 17:36:20 2015
Summary: Recommended update for pciutils-ids
Severity: low
References: 911528,944104,944436,944825
Description:
The system's PCI IDs database has been updated to version 2015.10.07. Additionally, the merge-pciids.pl script was fixed to not print warnings about conflicting definitions by default.
-----------------------------------------
Patch: SUSE-2015-776
Released: Fri Oct 30 08:06:58 2015
Summary: Recommended update for libyaml
Severity: low
References: 952625
Description:
This update adjusts libyaml's packaging to require pkg-config at build time.
-----------------------------------------
Patch: SUSE-2015-863
Released: Thu Dec 17 16:02:51 2015
Summary: Recommended update for tar
Severity: moderate
References: 950785
Description:
The tar(1) archiving utility has been updated to fix one issue: when the --acls option is used, explicitly set or delete default ACLs for extracted directories. Prior to this update, arbitrary default ACLs based on standard file permissions were being created.
-----------------------------------------
Patch: SUSE-2015-922
Released: Tue Dec 22 08:44:25 2015
Summary: Security update for gpg2
Severity: moderate
References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607
Description:
The gpg2 package was updated to fix the following security and non-security issues:
- CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
- CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).
- bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).
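The two libgcrypt security updates above (SUSE-2015-296, CVE-2014-3591, and SUSE-2015-500, CVE-2015-0837) both concern side channels in the secret-key modular exponentiation. The second fix, constant-time behaviour of the exponentiation itself, cannot be shown in Python, whose big-integer pow is not constant-time either. What can be shown is the first: ciphertext blinding, which stops an attacker who chooses the ciphertext from choosing the operand that the secret exponent is applied to. The example below is added here and is not code from libgcrypt, the advisory or SUSE; it is textbook Elgamal over a toy 64-bit safe-prime group that the block derives itself so that it is self-contained, with the unblinded decryption next to the blinded one so the algebra is visible. The group size, the generator choice and the message value are assumptions for the demonstration, not parameters anyone should deploy.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases: deterministic below 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start):
    """First p = 2q + 1 with both q and p prime and q > start (deterministic, so reproducible)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy group for the demonstration only. Real use needs a vetted group of 2048 bits or
# more; the blinding algebra below does not depend on the size.
P = safe_prime_above(1 << 63)
Q = (P - 1) // 2
G = 4          # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def keygen():
    x = 2 + secrets.randbelow(Q - 2)          # private exponent in [2, Q-1]
    return x, pow(G, x, P)                    # (x, y = g^x)


def encrypt(y, m):
    if not 0 < m < P:
        raise ValueError("message must be in [1, P-1]")
    k = 2 + secrets.randbelow(Q - 2)
    return pow(G, k, P), m * pow(y, k, P) % P  # (c1 = g^k, c2 = m * y^k)


def decrypt_direct(x, c1, c2):
    """Textbook decryption: the secret exponentiation runs on the attacker-chosen c1,
    so whatever the exponentiation leaks is leaked about x on an input the attacker picked."""
    return c2 * pow(pow(c1, x, P), -1, P) % P


def decrypt_blinded(x, c1, c2):
    """Ciphertext blinding: x is only ever applied to r and to c1*r for a fresh random r,
    so a chosen ciphertext no longer controls the operand of the secret exponentiation."""
    r = 1 + secrets.randbelow(P - 1)          # blinding factor in [1, P-1]
    t1 = pow(r, x, P)                         # r^x
    t2 = pow(pow(c1 * r % P, x, P), -1, P)    # (c1 r)^-x
    c1_inv_x = t1 * t2 % P                    # r^x * c1^-x * r^-x = c1^-x
    return c2 * c1_inv_x % P


def roundtrip(m=123456789):
    """True when both decryption routes recover m from a fresh encryption."""
    x, y = keygen()
    c1, c2 = encrypt(y, m)
    return decrypt_direct(x, c1, c2) == m and decrypt_blinded(x, c1, c2) == m


if __name__ == "__main__":
    print("P =", P, "roundtrip ok:", roundtrip())
```

The cost is one extra exponentiation per decryption; the gain is that the value the secret exponent touches is uniformly random and unknown to the attacker, which is the property the chosen-ciphertext side-channel attack behind CVE-2014-3591 relied on not holding.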
-----------------------------------------
Patch: SUSE-2015-869
Released: Wed Dec 23 10:01:16 2015
Summary: Recommended update for libksba
Severity: moderate
References: 926826
Description:
The libksba package was updated to fix the following security issues:
- Fixed an integer overflow, an out-of-bounds read and a stack overflow (bsc#926826).
-----------------------------------------
Patch: SUSE-2015-862
Released: Wed Dec 23 17:40:51 2015
Summary: Recommended update for acl
Severity: moderate
References: 945899
Description:
This update for acl provides the following fixes:
- Fix segmentation fault of getfacl -e on an overly long group name.
- Make sure that acl_from_text() always sets errno when it fails.
- Fix memory and resource leaks in getfacl.
-----------------------------------------
Patch: SUSE-2016-46
Released: Fri Jan 8 12:37:34 2016
Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret
Severity: moderate
References: 932232
Description:
This update for gcr, gnome-keyring, libgcrypt and libsecret fixes issues when the system operates in FIPS mode.

The various GNOME libraries and tools have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes.
-----------------------------------------
Patch: SUSE-2016-157
Released: Tue Jan 26 13:19:19 2016
Summary: Recommended update for ruby-common
Severity: moderate
References: 934328,953771
Description:
This update for ruby-common provides several fixes and enhancements:
- Help the solver to pick the right gem2rpm for the default Ruby version. (bsc#934328)
- Fix premature return from gem install.
- Fail early if gem install fails, avoiding confusing error messages at the end of the build.
- Implement a cleaner solution for the extensions doc dir.
- Do not overwrite options.otheropts.
- Fixed forwarding of options to gem install.
- Call ruby with -x from shell wrappers, otherwise it might run into an endless loop.
- Add shell-launcher to avoid dependency on a fixed Ruby version.
- Ignore any files found in */.gem/*. In some versions of rubygems, gems that are installed are also copied to ~/.gem/.
-----------------------------------------
Patch: SUSE-2016-252
Released: Fri Feb 12 14:58:06 2016
Summary: Recommended update for timezone
Severity: low
References: 963921
Description:
This update provides the latest timezone information (2016a) for your system, including the following changes:
- America/Cayman will not observe daylight saving this year.
- Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00.
- Asia/Tehran now has DST predictions for the year 2038 and later.
- America/Metlakatla switched from PST all year to AKST/AKDT on 2015-11-01 at 02:00.
- America/Santa_Isabel has been removed, and replaced with a backward compatibility link to America/Tijuana.
- Asia/Karachi's two transition times in 2002 were off by a minute.

This release also includes changes affecting past time stamps, documentation and some minor code fixes. For a comprehensive list, refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz/2016-January/023106.html
-----------------------------------------
Patch: SUSE-2016-291
Released: Fri Feb 19 19:31:54 2016
Summary: Recommended update for openslp
Severity: low
References: 950777
Description:
This update for OpenSLP adjusts slpd's initialization to use systemd's forking mechanism, avoiding stale PID files after the daemon is stopped.
-----------------------------------------
Patch: SUSE-2016-371
Released: Thu Mar 3 15:58:18 2016
Summary: Recommended update for insserv-compat
Severity: low
References: 960820
Description:
This update for insserv-compat fixes the name of the ntpd service.
-----------------------------------------
Patch: SUSE-2016-462
Released: Wed Mar 16 18:17:59 2016
Summary: Recommended update for libcap
Severity: low
References: 967838
Description:
This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux kernel 3.12.
-----------------------------------------
Patch: SUSE-2016-490
Released: Mon Mar 21 16:45:13 2016
Summary: Recommended update for timezone
Severity: low
References: 971377
Description:
This update provides the latest timezone information (2016b) for your system, including the following changes:
- New zones Europe/Astrakhan and Europe/Ulyanovsk for Astrakhan and Ulyanovsk Oblasts, Russia, both of which will switch from +03 to +04 on 2016-03-27 at 02:00 local time.
- New zone Asia/Barnaul for Altai Krai and Altai Republic, Russia, which will switch from +06 to +07 on the same date and local time.
- Asia/Sakhalin moves from +10 to +11 on 2016-03-27 at 02:00.
- As a trial of a new system that needs less information to be made up, the new zones use numeric time zone abbreviations like '+04' instead of invented abbreviations like 'ASTT'.
- Haiti will not observe DST in 2016.
- Palestine's spring-forward transition on 2016-03-26 is at 01:00, not 00:00.
- tzselect's diagnostics and checking, and checktab.awk's checking, have been improved.
- tzselect now tests Julian-date TZ settings more accurately.
-----------------------------------------
Patch: SUSE-2016-510
Released: Thu Mar 24 15:40:28 2016
Summary: Recommended update for timezone
Severity: low
References: 972433
Description:
This update provides the latest timezone information (2016c) for your system, including the following changes:
- Azerbaijan no longer observes DST (Asia/Baku)
- Chile reverts from permanent to seasonal DST

This release also includes changes affecting past time stamps and documentation. For a comprehensive list, please refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html
-----------------------------------------
Patch: SUSE-2016-543
Released: Fri Apr 1 18:44:16 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 970882
Description:
This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)
-----------------------------------------
Patch: SUSE-2016-565
Released: Wed Apr 6 16:26:42 2016
Summary: Security update for gcc5
Severity: moderate
References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276
Description:
The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.

The following security issue has been fixed:
- Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

The following non-security issues have been fixed:
- Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
- Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
- Fix HTM built-ins on PowerPC. (bsc#955382)
- Fix libgo certificate lookup. (bsc#953831)
- Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
- Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
- Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
- On x86_64, set default 32-bit code generation to -march=x86-64 rather than -march=i586.
- Add experimental File System TS library.
-----------------------------------------
Patch: SUSE-2016-587
Released: Fri Apr 8 17:06:56 2016
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 973042
Description:
The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042)

- Newly added CAs:
  * CA WoSign ECC Root
  * Certification Authority of WoSign
  * Certification Authority of WoSign G2
  * Certinomis - Root CA
  * Certum Trusted Network CA 2
  * CFCA EV ROOT
  * COMODO RSA Certification Authority
  * DigiCert Assured ID Root G2
  * DigiCert Assured ID Root G3
  * DigiCert Global Root G2
  * DigiCert Global Root G3
  * DigiCert Trusted Root G4
  * Entrust Root Certification Authority - EC1
  * Entrust Root Certification Authority - G2
  * GlobalSign
  * IdenTrust Commercial Root CA 1
  * IdenTrust Public Sector Root CA 1
  * OISTE WISeKey Global Root GB CA
  * QuoVadis Root CA 1 G3
  * QuoVadis Root CA 2 G3
  * QuoVadis Root CA 3 G3
  * Staat der Nederlanden EV Root CA
  * Staat der Nederlanden Root CA - G3
  * S-TRUST Universal Root CA
  * SZAFIR ROOT CA2
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * USERTrust ECC Certification Authority
  * USERTrust RSA Certification Authority
  * 沃通根证书
- Removed CAs:
  * AOL CA
  * A Trust nQual 03
  * Buypass Class 3 CA 1
  * CA Disig
  * Digital Signature Trust Co Global CA 1
  * Digital Signature Trust Co Global CA 3
  * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
  * NetLock Expressz (Class C) Tanusitvanykiado
  * NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * SG TRUST SERVICES RACINE
  * Staat der Nederlanden Root CA
  * TC TrustCenter Class 2 CA II
  * TC TrustCenter Universal CA I
  * TDC Internet Root CA
  * UTN DATACorp SGC Root CA
  * Verisign Class 1 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * Verisign Class 3 Public Primary Certification Authority - G2
- Removed server trust from:
  * AC Raíz Certicámara S.A.
  * ComSign Secured CA
  * NetLock Uzleti (Class B) Tanusitvanykiado
  * NetLock Business (Class B) Root
  * NetLock Expressz (Class C) Tanusitvanykiado
  * TC TrustCenter Class 3 CA II
  * TURKTRUST Certificate Services Provider Root 1
  * TURKTRUST Certificate Services Provider Root 2
  * Equifax Secure Global eBusiness CA-1
  * Verisign Class 4 Public Primary Certification Authority G3
- Enable server trust for:
  * Actalis Authentication Root CA
-----------------------------------------
Patch: SUSE-2016-636
Released: Mon Apr 18 09:18:19 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 965902,CVE-2015-7511
Description:
libgcrypt was updated to fix one security issue.

This security issue was fixed:
- CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).
-----------------------------------------
Patch: SUSE-2016-643
Released: Tue Apr 19 09:23:39 2016
Summary: Recommended update for bzip2
Severity: low
References: 970260
Description:
This update for bzip2 fixes the following issue:
- Fix the bzgrep wrapper, which always returned exit code 0 when working on multiple archives, even when the pattern was not found.
-----------------------------------------
Patch: SUSE-2016-663
Released: Fri Apr 22 15:33:50 2016
Summary: Recommended update for timezone
Severity: low
References: 975875
Description:
This update provides the latest timezone information (2016d) for your system, including the following changes:
- Venezuela (America/Caracas) switches from -0430 to -04 on 2016-05-01 at 02:30.
- Asia/Magadan switches from +10 to +11 on 2016-04-24 at 02:00.
- New zone Asia/Tomsk, split off from Asia/Novosibirsk. It covers Tomsk Oblast, Russia, which switches from +06 to +07 on 2016-05-29 at 02:00.

This release also includes changes affecting past time stamps. For a comprehensive list, please refer to the release announcement from ICANN:
http://mm.icann.org/pipermail/tz/2016-April/023563.html
-----------------------------------------
Patch: SUSE-2016-689
Released: Wed Apr 27 20:08:42 2016
Summary: Recommended update for ruby2.1
Severity: low
References: 973073
Description:
This update for ruby2.1 brings performance improvements of Ruby on the IBM POWER platform.
-----------------------------------------
Patch: SUSE-2016-729
Released: Fri May 6 15:53:38 2016
Summary: Recommended update for pciutils-ids
Severity: low
References: 958712
Description:
The system's PCI IDs database has been updated to version 2016.04.04.
-----------------------------------------
Patch: SUSE-2016-835
Released: Wed May 25 18:27:30 2016
Summary: Recommended update for libgcrypt
Severity: moderate
References: 979629
Description:
This update for libgcrypt fixes the following issue:
- Fix failing reboot after installing the fips pattern (bsc#979629)
-----------------------------------------
Patch: SUSE-2016-898
Released: Tue Jun 7 09:48:12 2016
Summary: Security update for expat
Severity: important
References: 979441,980391,CVE-2015-1283,CVE-2016-0718
Description:
This update for expat fixes the following issues:

Security issues fixed:
- CVE-2016-0718: Fix Expat XML parser mishandling certain kinds of malformed input documents. (bsc#979441)
- CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)
-----------------------------------------
Patch: SUSE-2016-900
Released: Tue Jun 7 10:58:37 2016
Summary: Security update for libksba
Severity: moderate
References: 979261,979906,CVE-2016-4574,CVE-2016-4579
Description:
This update for libksba fixes the following issues:
- CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
- CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

Also adds reliability fixes from v1.3.4.
-----------------------------------------
Patch: SUSE-2016-967
Released: Mon Jun 20 12:05:16 2016
Summary: Recommended update for timezone
Severity: low
References: 982833
Description:
This update provides the latest timezone information (2016e) for your system, including the following changes:
- Africa/Cairo observes DST in 2016 from July 7 to the end of October.
This release also includes changes affecting past time stamps.
For a comprehensive list, please refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html
-----------------------------------------
Patch: SUSE-2016-987
Released: Wed Jun 22 14:32:18 2016
Summary: Recommended update for procps
Severity: low
References: 981616
Description:
This update for procps fixes the following issues:
- Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)
-----------------------------------------
Patch: SUSE-2016-1026
Released: Wed Jul 6 17:20:17 2016
Summary: Recommended update for timezone
Severity: moderate
References: 987720
Description:
This update provides the latest timezone information (2016f) for your system, including the following changes:
- Egypt (Africa/Cairo) DST change 2016-07-07 cancelled (bsc#987720)
- Asia/Novosibirsk switches from +06 to +07 on 2016-07-24 02:00
- Asia/Novokuznetsk and Asia/Novosibirsk now use numeric time zone abbreviations instead of invented ones
- Europe/Minsk's 1992-03-29 spring-forward transition was at 02:00 not 00:00
-----------------------------------------
Patch: SUSE-2016-1028
Released: Thu Jul 7 11:50:47 2016
Summary: Recommended update for findutils
Severity: moderate
References: 986935
Description:
This update for findutils fixes the following issues:
- find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)
-----------------------------------------
Patch: SUSE-2016-1141
Released: Wed Aug 3 15:24:30 2016
Summary: Security update for sqlite3
Severity: moderate
References: 987394,CVE-2016-6153
Description:
This update for sqlite3 fixes the following issues:
The following security issue was fixed:
- CVE-2016-6153: Fixed a tempdir selection vulnerability (bsc#987394)
-----------------------------------------
Patch: SUSE-2016-1205
Released: Thu Aug 11 15:02:18 2016
Summary: Recommended update for rpm
Severity: low
References: 829717,894610,940315,953532,965322,967728
Description:
This update for rpm provides the following fixes:
- Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
- Add option to make postinstall scriptlet errors fatal. (bsc#967728)
- Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
- Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)
-----------------------------------------
Patch: SUSE-2016-1228
Released: Tue Aug 16 09:29:01 2016
Summary: Security update for libidn
Severity: moderate
References: 923241,990189,990190,990191,CVE-2015-2059,CVE-2015-8948,CVE-2016-6261,CVE-2016-6262,CVE-2016-6263
Description:
This update for libidn fixes the following issues:
- CVE-2016-6262 and CVE-2015-8948: Out-of-bounds read when reading one zero byte as input (bsc#990189)
- CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)
- CVE-2016-6263: stringprep_utf8_nfkc_normalize now rejects invalid UTF-8 (bsc#990191)
- CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)
-----------------------------------------
Patch: SUSE-2016-1245
Released: Fri Aug 19 10:31:11 2016
Summary: Security update for python
Severity: moderate
References: 984751,985177,985348,989523,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Description:
This update for python fixes the following issues:
- CVE-2016-0772: smtplib vulnerability opens STARTTLS stripping attack (bsc#984751)
- CVE-2016-5636: heap overflow when importing malformed zip files (bsc#985177)
- CVE-2016-5699: incorrect validation of HTTP headers allows header injection (bsc#985348)
- CVE-2016-1000110: HTTPoxy vulnerability in urllib, fixed by disregarding HTTP_PROXY when REQUEST_METHOD is also set (bsc#989523)
-----------------------------------------
Patch: SUSE-2016-1247
Released: Fri Aug 19 12:58:39 2016
Summary: Security update for cracklib
Severity: moderate
References: 992966,CVE-2016-6318
Description:
This update for cracklib fixes the following issues:
- Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)
-----------------------------------------
Patch: SUSE-2016-1252
Released: Mon Aug 22 15:12:43 2016
Summary: Recommended update for timezone
Severity: low
References: 988184
Description:
This update for timezone adds a positive leap second at the end of 2016-12-31.
-----------------------------------------
Patch: SUSE-2016-1309
Released: Fri Sep 2 13:37:41 2016
Summary: Security update for wget
Severity: moderate
References: 937096,958342,984060,CVE-2015-2059,CVE-2016-4971
Description:
This update for wget fixes the following issues:
- Fix for HTTP to FTP redirection file name confusion vulnerability (bsc#984060, CVE-2016-4971).
- Work around a libidn vulnerability (bsc#937096, CVE-2015-2059).
- Fix for wget failing with basic auth: "Failed writing HTTP request: Bad file descriptor" (bsc#958342)
-----------------------------------------
Patch: SUSE-2016-1326
Released: Thu Sep 8 11:37:44 2016
Summary: Security update for perl
Severity: moderate
References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Description:
This update for Perl fixes the following issues:
- CVE-2016-6185: XSLoader looking at a '(eval)' directory. (bsc#988311)
- CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
- CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
- CVE-2016-2381: Environment dup handling bug. (bsc#967082)
- 'Insecure dependency in require' error in taint mode. (bsc#984906)
- Memory leak in 'use utf8' handling. (bsc#928292)
- Missing lock prototype to the debugger. (bsc#932894)
-----------------------------------------
Patch: SUSE-2016-1344
Released: Tue Sep 13 18:10:21 2016
Summary: Recommended update for kbd
Severity: low
References: 984958
Description:
This update for kbd adds mapping for two keycodes to the br-abnt2 map:
- Slash (/): alt-gr + q
- Question mark (?): alt-gr + w
-----------------------------------------
Patch: SUSE-2016-1358
Released: Thu Sep 15 20:54:21 2016
Summary: Optional update for gcc6
Severity: low
References: 983206
Description:
This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:
- SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries.
- SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update.
Changes:
- The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.
Generic Optimization improvements:
- UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
- Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
- Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit, which is common with link-time optimization.
- Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
- Various Link-time optimization improvements.
- Inter-procedural optimization improvements:
  - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the inliner and function cloning passes.
  - Function cloning now more aggressively eliminates unused function parameters.
- Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.
C language specific improvements:
- Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
- Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings.
- Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
- The C and C++ compilers now offer suggestions for misspelled field names.
- New command-line options have been added for the C and C++ compilers:
  - -Wshift-negative-value warns about left shifting a negative value.
  - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit.
  - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall.
  - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used.
  - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain.
  - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
- The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.
C improvements:
- It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
- A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.
C++ improvements:
- The default mode has been changed to -std=gnu++14.
- C++ Concepts are now supported when compiling with -fconcepts.
- -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
- G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
- G++ now allows constant evaluation for all non-type template arguments.
- G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.
libstdc++ improvements:
- Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
- Experimental support for C++17.
- An experimental implementation of the File System TS.
- Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
- Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so they can be enabled per translation unit.
Fortran improvements:
- Fortran 2008 SUBMODULE support.
- Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
- Improved support for Fortran 2003 deferred-length character variables.
- Improved support for OpenMP and OpenACC.
- The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
- The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
- The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.
Architecture improvements:
- AArch64 received a lot of improvements.
IA-32/x86-64 improvements:
- GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
- Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
- x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
- Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
- Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.
PowerPC / PowerPC64 / RS6000 improvements:
- PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
- Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available:
  - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler.
  - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used.
  - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add).
  - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system.
  - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers.
  - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions.
  - -mpower9-minmax: Reserved for future development.
  - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
- New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
- Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
- All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
- Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
- GCC on PowerPC now supports the standard lround function.
- The 'q', 'S', 'T', and 't' asm-constraints have been removed.
- The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.
S/390, System z, IBM z Systems improvements:
- Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
- Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
- The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
- Additionally a set of overloaded builtins is provided which is partially compatible with the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
- The new command line options -march=native and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
- The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
- -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
- Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.
An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html
-----------------------------------------
Patch: SUSE-2016-1370
Released: Wed Sep 21 12:58:14 2016
Summary: Security update for libgcrypt
Severity: moderate
References: 994157,CVE-2016-6313
Description:
This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)
-----------------------------------------
Patch: SUSE-2016-1390
Released: Tue Sep 27 15:11:15 2016
Summary: Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit
Severity: moderate
References: 954210,990856,CVE-2015-8079,CVE-2016-6354
Description:
Various packages included vulnerable parsers generated by 'flex'. This update provides a fixed 'flex' package and also rebuilds of packages that might have security issues caused by the auto-generated code.
Flex itself was updated to fix a buffer overflow in the generated scanner (bsc#990856, CVE-2016-6354)
Packages that were rebuilt with the fixed flex:
- at
- bogofilter
- cyrus-imapd
- kdelibs4
- libQtWebKit4
- libbonobo
- mdbtools
- netpbm
- openslp
- sgmltool
- virtuoso
Also libqt5-qtwebkit received an additional security fix:
- CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).
-----------------------------------------
Patch: SUSE-2016-1454
Released: Mon Oct 10 16:25:51 2016
Summary: Recommended update for timezone
Severity: low
References: 997830
Description:
This update provides the latest timezone information (2016g) for your system, including the following changes:
- Turkey will remain on UTC+03 after 2016-10-30. (bsc#997830)
- Antarctica and nautical time zones now use numeric time zone abbreviations instead of obsolete alphanumeric ones.
- Renamed Asia/Rangoon to Asia/Yangon.
This release also includes changes affecting past time stamps and documentation.
-----------------------------------------
Patch: SUSE-2016-1565
Released: Thu Oct 27 13:06:35 2016
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.
The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packages (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)
The following bugfix changes are included:
- bsc#994989: Removed convenience code that changed bytes in the message buffer and thereby broke the verification code
- bsc#974655: Removed no longer needed slpd init file
-----------------------------------------
Patch: SUSE-2016-1621
Released: Tue Nov 8 16:20:57 2016
Summary: Recommended update for timezone
Severity: low
References: 1007725,1007726
Description:
This update provides the latest timezone information (2016i) for your system, including the following changes:
- Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00. (bsc#1007725)
- Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting 2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (bsc#1007726)
- Antarctica/Casey switched from +08 to +11 on 2016-10-22.
- Asia/Gaza and Asia/Hebron end DST on 2016-10-29 at 01:00, not 2016-10-21 at 00:00.
- Asia/Colombo now uses numeric time zone abbreviations.
This release also includes changes affecting past time stamps and documentation.
----------------------------------------- Patch: SUSE-2016-1634 Released: Thu Nov 10 11:26:56 2016 Summary: Recommended update for pciutils Severity: low References: 1001888 Description: This update for pciutils fixes the following issues: - lspci(8) incorrectly tested bit 4, not bit 0, for 'CRS Software Visibility' in the Root Capabilities register, so it showed 'RootCap: CRSVisible-' even for devices that do support Software Visibility. This update fixes it to use the correct definition for PCI_EXP_RTCAP_CRSVIS. (bsc#1001888) ----------------------------------------- Patch: SUSE-2016-1690 Released: Thu Nov 24 08:36:43 2016 Summary: Security update for tar Severity: moderate References: 1007188,913058,CVE-2016-6321 Description: This update for tar fixes the following issues: - Fix the POINTYFEATHER vulnerability - GNU tar archiver can be tricked into extracting files and directories in the given destination, regardless of the path name(s) specified on the command line [bsc#1007188] [CVE-2016-6321] - Fix Amanda integration issue (bsc#913058) ----------------------------------------- Patch: SUSE-2016-1721 Released: Tue Nov 29 13:12:31 2016 Summary: Security update for vim Severity: important References: 1010685,988903,CVE-2016-1248 Description: This update for vim fixes the following security issues: - Fixed CVE-2016-1248 an arbitrary command execution vulnerability (bsc#1010685) This update for vim fixes the following issues: - Fix build with Python 3.5. (bsc#988903) ----------------------------------------- Patch: SUSE-2016-1734 Released: Thu Dec 1 10:34:07 2016 Summary: Recommended update for timezone Severity: low References: 1011797 Description: This update provides the latest timezone information (2016j) for your system, including the following changes: - Saratov, Russia switches from +03 to +04 on 2016-12-04 at 02:00. This change introduces a new zone Europe/Saratov split from Europe/Volgograd. This release also includes changes affecting past time stamps. 
For a comprehensive list, please refer to the release announcement from ICANN: http://mm.icann.org/pipermail/tz-announce/2016-November/000044.html ----------------------------------------- Patch: SUSE-2016-1744 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). 
- bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). 
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------- Patch: SUSE-2016-1827 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 Description: This update for pcre to version 8.39 (bsc#972127) fixes several issues. 
If you use pcre extensively, please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the library when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code.

These security issues were fixed:
- CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
- CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
- CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288).
- CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
- CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
- bsc#942865: heap overflow in compile_regex()
- CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
- CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
- bsc#957598: Various security issues
- CVE-2015-8381: Heap overflow in compile_regex() (bsc#957598).
- CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547) (bsc#957598).
- CVE-2015-8383: Buffer overflow caused by repeated conditional group (bsc#957598).
- CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group (bsc#957598).
- CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group (bsc#957598).
- CVE-2015-8386: Buffer overflow caused by lookbehind assertion (bsc#957598).
- CVE-2015-8387: Integer overflow in subroutine calls (bsc#957598).
- CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis (bsc#957598).
- CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns (bsc#957598).
- CVE-2015-8390: Reading from uninitialized memory when processing certain patterns (bsc#957598).
- CVE-2015-8391: Some pathological patterns cause pcre_compile() to run for a very long time (bsc#957598).
- CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups (bsc#957598).
- CVE-2015-8393: Information leak when running pcregrep -q on crafted binary (bsc#957598).
- CVE-2015-8394: Integer overflow caused by missing check for certain conditions (bsc#957598).
- CVE-2015-8395: Buffer overflow caused by certain references (bsc#957598).
- CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
- CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
- CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

These non-security issues were fixed:
- JIT compiler improvements
- performance improvements
- The Unicode data tables have been updated to Unicode 7.0.0.

-----------------------------------------
Patch: SUSE-2016-1831
Released: Thu Dec 15 17:47:09 2016
Summary: Recommended update for tar
Severity: important
References: 1012633
Description:
This update for tar fixes a regression caused by the previous security update (bsc#1007188), which limited append and create operations (bsc#1012633).

-----------------------------------------
Patch: SUSE-2016-1841
Released: Fri Dec 16 14:57:16 2016
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1014151
Description:
This update for suse-build-key extends the lifetime of the build@suse.de GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151)

UID: pub 2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
uid SuSE Package Signing Key

-----------------------------------------
Patch: SUSE-2016-1863
Released: Wed Dec 21 10:41:35 2016
Summary: Recommended update for pth
Severity: low
References: 1013286
Description:
This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.

-----------------------------------------
Patch: SUSE-2016-1908
Released: Fri Dec 23 14:45:12 2016
Summary: Recommended update for pciutils
Severity: low
References: 1006827
Description:
This update for pciutils provides the following fixes:
- Enable proper support for 32-bit PCI domain numbers.
  (bsc#1006827)

-----------------------------------------
Patch: SUSE-2016-1911
Released: Fri Dec 23 18:02:19 2016
Summary: Security update for wget
Severity: moderate
References: 1005091,1012677,995964,CVE-2016-7098
Description:
This update for wget fixes the following issues:

Security issues fixed:
- CVE-2016-7098: Fixed a potential race condition by creating files with .tmp ext and making them accessible to the current user only. (bsc#995964)

Non security issues fixed:
- bsc#1005091: Don't call xfree() on string returned by usr_error()
- bsc#1012677: Add support for enforcing TLSv1.1 and TLSv1.2 (TLS 1.2 support was already present, but it was not enforceable).

-----------------------------------------
Patch: SUSE-2017-32
Released: Mon Jan 9 11:50:42 2017
Summary: Recommended update for dirmngr
Severity: low
References: 994794
Description:
This update for dirmngr enables support for daemon mode.

-----------------------------------------
Patch: SUSE-2017-138
Released: Mon Jan 23 13:26:01 2017
Summary: Security update for openssh
Severity: moderate
References: 1005480,1005893,1006221,1016366,1016368,1016369,1016370,CVE-2016-10009,CVE-2016-10010,CVE-2016-10011,CVE-2016-10012,CVE-2016-8858
Description:
This update for openssh fixes several issues.

These security issues were fixed:
- CVE-2016-8858: The kex_input_kexinit function in kex.c allowed remote attackers to cause a denial of service (memory consumption) by sending many duplicate KEXINIT requests (bsc#1005480).
- CVE-2016-10012: The shared memory manager (associated with pre-authentication compression) did not ensure that a bounds check is enforced by all compilers, which might have allowed local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures (bsc#1016370).
- CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c allowed remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket (bsc#1016366).
- CVE-2016-10010: When forwarding unix domain sockets with privilege separation disabled, the resulting sockets have been created as 'root' instead of the authenticated user. Forwarding unix domain sockets without privilege separation enabled is now rejected.
- CVE-2016-10011: authfile.c in sshd did not properly consider the effects of realloc on buffer contents, which might have allowed local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process (bsc#1016369).

These non-security issues were fixed:
- Adjusted suggested command for removing conflicting server keys from the known_hosts file (bsc#1006221)
- Properly verify CIDR masks in configuration (bsc#1005893)

-----------------------------------------
Patch: SUSE-2017-147
Released: Tue Jan 24 23:01:42 2017
Summary: Recommended update for openssh
Severity: important
References: 1021626
Description:
This update for openssh fixes the following issues:
- A previous update contained a logic flaw that broke OpenSSH's interpretation of the 'DenyUser' config option. That regression could have led to an exact inversion of the intended meaning, i.e. OpenSSH could have locked out all users except the one that was supposed to be denied access. [bsc#1021626]

-----------------------------------------
Patch: SUSE-2017-185
Released: Thu Feb 2 18:22:37 2017
Summary: Security update for cpio
Severity: moderate
References: 1020108,963448,CVE-2016-2037
Description:
This update for cpio fixes two issues.

This security issue was fixed:
- CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).
This non-security issue was fixed:
- bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

-----------------------------------------
Patch: SUSE-2017-192
Released: Fri Feb 3 18:46:05 2017
Summary: Security update for libxml2
Severity: moderate
References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597
Description:
This update for libxml2 fixes the following issues:
* CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
* Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
* CVE-2016-9597: An XML document with many opening tags could have caused an overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930).

-----------------------------------------
Patch: SUSE-2017-209
Released: Tue Feb 7 17:00:47 2017
Summary: Recommended update for libseccomp
Severity: low
References: 1019900
Description:
This update provides libseccomp version 2.3.1 which fixes the following issues:
- Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
- Fixed problems with ipc syscalls on 32-bit x86
- Fixed problems with socket and ipc syscalls on s390 and s390x

-----------------------------------------
Patch: SUSE-2017-212
Released: Wed Feb 8 13:07:24 2017
Summary: Security update for expat
Severity: moderate
References: 983215,983216,CVE-2012-6702,CVE-2016-5300
Description:
This update for expat fixes the following security issues:
- CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
- CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)

-----------------------------------------
Patch: SUSE-2017-261
Released: Mon Feb 20 11:00:28 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1019276
Description:
This update for dirmngr fixes the following issues:
- Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
- Own the /usr/lib/tmpfiles.d/ folder as it is needed by older systemd versions (bsc#1019276)
- Properly require logrotate as we need it for the dirmngr configs

-----------------------------------------
Patch: SUSE-2017-354
Released: Thu Mar 9 11:31:22 2017
Summary: Recommended update for timezone
Severity: low
References: 1024676,1024677
Description:
This update provides the latest timezone information (2017a) for your system, including the following changes:
- Mongolia no longer observes DST. (bsc#1024676)
- Chile's Region of Magallanes moves from -04/-03 to -03 year-round starting 2017-05-13 23:00. Split from America/Santiago creating a new zone America/Punta_Arenas. Also affects Antarctica/Palmer. (bsc#1024677)
- Fixes to historical time stamps: Spain, Ecuador, Atyrau, Oral.
- Switch to numeric, or commonly used time zone abbreviations.
- zic(8) no longer mishandles some transitions in January 2038.
- date and strftime now cause %z to generate '-0000' instead of '+0000' when the UT offset is zero and the time zone abbreviation begins with '-'.
-----------------------------------------
Patch: SUSE-2017-439
Released: Tue Mar 21 10:48:47 2017
Summary: Recommended update for netcfg
Severity: low
References: 1028305,959693
Description:
This update for netcfg provides the following fixes:
- Update script to generate services to use UTF8 by default. (bsc#1028305)
- Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)

-----------------------------------------
Patch: SUSE-2017-445
Released: Tue Mar 21 18:27:18 2017
Summary: Recommended update for man
Severity: low
References: 1025597,786679,986211
Description:
This update for man provides the following fixes:
- Stop using the wrapper that squashed root privileges down to uid man. (bsc#986211, bsc#1025597)
- Add description of MAN_POSIXLY_CORRECT in man.man1. (bsc#786679)

-----------------------------------------
Patch: SUSE-2017-448
Released: Wed Mar 22 13:31:03 2017
Summary: Recommended update for python
Severity: moderate
References: 1027282,964182
Description:
This update provides Python 2.7.13, which brings several bug fixes.
- Fix build with NCurses 6.0 and OPAQUE_WINDOW set to 1.
- Update cipher lists for OpenSSL wrapper and support OpenSSL 1.1.0 and newer.
- Incorporate more integer overflow checks from upstream. (bsc#964182)
- Provide python2-* symbols to support new packages built as python2-.

For a comprehensive list of changes, please refer to the upstream Release Notes available at https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS

-----------------------------------------
Patch: SUSE-2017-451
Released: Wed Mar 22 15:55:40 2017
Summary: Security update for wget
Severity: moderate
References: 1028301,CVE-2017-6508
Description:
This update for wget fixes the following issues:

Security issue fixed:
- CVE-2017-6508: (url_parse): Reject control characters in host part of URL (bsc#1028301).

-----------------------------------------
Patch: SUSE-2017-457
Released: Fri Mar 24 12:35:18 2017
Summary: Recommended update for timezone
Severity: low
References: 1030417
Description:
This update provides the latest timezone information (2017b) for your system, including the following changes:
- Haiti resumed observance of DST in 2017.
- Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
- Use 'MMT' to abbreviate Liberia's time zone before 1972.

-----------------------------------------
Patch: SUSE-2017-458
Released: Fri Mar 24 13:49:49 2017
Summary: Recommended update for fdupes
Severity: low
References: 1005386
Description:
This update for fdupes provides the following fixes and enhancements:
- Add new options: --nohidden, --permissions, --order, --reverse, --immediate.
- Speed up file comparison.
- Fix bug where fdupes fails to consistently ignore hardlinks, depending on file processing order, when F_CONSIDERHARDLINKS flag is not set.
- Use the tty for interactive input instead of regular stdin. This is to allow feeding filenames via stdin in future versions of fdupes without breaking the interactive deletion feature.
- Sort the output of fdupes by filename to make it deterministic for parallel builds. (bsc#1005386)

-----------------------------------------
Patch: SUSE-2017-580
Released: Wed Apr 12 23:58:47 2017
Summary: Recommended update for cpio
Severity: important
References: 1028410
Description:
This update for cpio fixes the following issues:
- A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]

-----------------------------------------
Patch: SUSE-2017-598
Released: Mon Apr 17 22:56:57 2017
Summary: Recommended update for ruby-common, rubygem-gem2rpm
Severity: low
References: 963710
Description:
This update for ruby-common, rubygem-gem2rpm fixes the following issues:

ruby-common:
- Since rubygems 2.5.0 the default version in the gem bin stub changed from '>= 0' to '>= 0.a'. This was done to allow pre-release versions.
  Our patching script didn't take the '.a' into account and generated version fields like '= 0.10.1.a' instead of the expected '= 0.10.1'. This fix accounts for the '.a'.

Changes in rubygem-gem2rpm:
- Fix 'gem2rpm --fetch': prefer https for accessing rubygems.org. (bsc#963710)
- Add support for Ruby 2.3.0 and 2.4.0.
- Add :post_patch hook to run commands before we rebuild the gem used by libv8.
- Add support for rubinius 2.5 and remove support for 2.2.
- No longer require the Ruby version inside the sub-package. With BuildRequires we already make sure that the package is only built if we find a recent enough ABI. Then the normal $interpreter(abi) requires generated by rpm is enough.
- Move to new packaging templates by default.

-----------------------------------------
Patch: SUSE-2017-624
Released: Thu Apr 20 08:35:35 2017
Summary: Security update for ruby2.1
Severity: important
References: 1014863,1018808,887877,909695,926974,936032,959495,986630,CVE-2014-4975,CVE-2015-1855,CVE-2015-3900,CVE-2015-7551,CVE-2016-2339
Description:
This ruby2.1 update to version 2.1.9 fixes the following issues:

Security issues fixed:
- CVE-2016-2339: heap overflow vulnerability in Fiddle::Function.new 'initialize' (bsc#1018808)
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL (bsc#959495)
- CVE-2015-3900: hostname validation does not work when fetching gems or making API requests (bsc#936032)
- CVE-2015-1855: Ruby's OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames (bsc#926974)
- CVE-2014-4975: off-by-one stack-based buffer overflow in the encodes() function (bsc#887877)

Bugfixes:
- SUSEconnect doesn't handle domain wildcards in no_proxy environment variable properly (bsc#1014863)
- Segmentation fault after pack & ioctl & unpack (bsc#909695)
- Ruby: HTTP Header injection in 'net/http' (bsc#986630)

ChangeLog:
- http://svn.ruby-lang.org/repos/ruby/tags/v2_1_9/ChangeLog

-----------------------------------------
Patch: SUSE-2017-643
Released: Tue Apr 25 19:11:45 2017
Summary: Recommended update for ruby2.1
Severity: important
References: 1014863,1035988
Description:
This update for ruby2.1 fixes a regression introduced by a previous update that was intended to fix insufficient support for domain wildcards in the $no_proxy environment variable.

-----------------------------------------
Patch: SUSE-2017-656
Released: Fri Apr 28 16:12:30 2017
Summary: Recommended update for sqlite3
Severity: low
References: 1019518,1025034
Description:
This update for sqlite3 provides the following fixes:
- Avoid calling sqlite3OsFetch() on a file-handle for which the xFetch method is NULL. This prevents a potential segmentation fault. (bsc#1025034)
- Fix defect in the in-memory journal logic that could leave the read cursor for the in-memory journal in an inconsistent state and result in a segmentation fault. (bsc#1019518)

-----------------------------------------
Patch: SUSE-2017-732
Released: Wed May 10 14:03:43 2017
Summary: Recommended update for procps
Severity: low
References: 1030621
Description:
This update for procps fixes the following issues:
- Command w(1) with option -n doesn't work. (bsc#1030621)

-----------------------------------------
Patch: SUSE-2017-735
Released: Wed May 10 15:43:46 2017
Summary: Recommended update for gpg2
Severity: low
References: 1036736,986783
Description:
This update for gpg2 provides the following fixes:
- Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
- Initialize the trustdb before import attempt. (bsc#986783)

-----------------------------------------
Patch: SUSE-2017-794
Released: Tue May 16 15:41:09 2017
Summary: Security update for bash
Severity: moderate
References: 1010845,1035371,CVE-2016-9401
Description:
This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd builtin now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

-----------------------------------------
Patch: SUSE-2017-865
Released: Wed May 24 16:23:20 2017
Summary: Security update for pam
Severity: moderate
References: 1015565,1037824,934920,CVE-2015-3238
Description:
This update for pam fixes the following issues:
- CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
- If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
- Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

-----------------------------------------
Patch: SUSE-2017-891
Released: Tue May 30 22:28:21 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following issues:
- CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
- CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
- CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
- CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)

-----------------------------------------
Patch: SUSE-2017-918
Released: Tue Jun 6 12:35:44 2017
Summary: Recommended update for libsemanage, selinux-policy
Severity: moderate
References: 1020143,1032445,1035818,1038189
Description:
This update for libsemanage, selinux-policy fixes the following issues:
- Limit to policy version 29 by default.
- Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)

-----------------------------------------
Patch: SUSE-2017-939
Released: Mon Jun 12 10:56:22 2017
Summary: Security update for libxml2
Severity: moderate
References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050
Description:
This update for libxml2 fixes the following security issues:
* CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
* CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
* CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
* CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)

-----------------------------------------
Patch: SUSE-2017-959
Released: Wed Jun 14 14:38:11 2017
Summary: Recommended update for gcc5
Severity: low
References: 1043580
Description:
This update for gcc5 fixes the version of libffi in its pkg-config configuration file.

-----------------------------------------
Patch: SUSE-2017-962
Released: Wed Jun 14 16:33:07 2017
Summary: Security update for openldap2
Severity: moderate
References: 1009470,1037396,1041764,972331,CVE-2017-9287
Description:
This update for openldap2 fixes the following issues:

Security issues fixed:
- CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

Non security bugs fixed:
- Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read.
  (bsc#1009470)
- Fix an uninitialised variable that causes startup failure (bsc#1037396)
- Fix an issue with transaction management that can cause server crash (bsc#972331)

-----------------------------------------
Patch: SUSE-2017-985
Released: Mon Jun 19 14:57:41 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1042326,931932,CVE-2017-9526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
- Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

-----------------------------------------
Patch: SUSE-2017-1036
Released: Mon Jun 26 08:12:24 2017
Summary: Security update for libxml2
Severity: moderate
References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
* CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

-----------------------------------------
Patch: SUSE-2017-1040
Released: Mon Jun 26 13:22:26 2017
Summary: Recommended update for libsemanage, policycoreutils
Severity: low
References: 1043237
Description:
This update for libsemanage, policycoreutils fixes the following issue:
- Show version numbers of modules where they are available (bsc#1043237)

-----------------------------------------
Patch: SUSE-2017-1063
Released: Wed Jun 28 21:15:03 2017
Summary: Security update for vim
Severity: moderate
References: 1018870,1024724,1027053,1027057,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350
Description:
This update for vim fixes the following issues:

Security issues fixed:
- CVE-2017-5953: Fixed a possible overflow with corrupted spell file (bsc#1024724)
- CVE-2017-6350: Fixed a possible overflow when reading a corrupted undo file (bsc#1027053)
- CVE-2017-6349: Fixed a possible overflow when reading a corrupted undo file (bsc#1027057)

Non security issues fixed:
- Speed up YAML syntax highlighting (bsc#1018870)

-----------------------------------------
Patch: SUSE-2017-1082
Released: Fri Jun 30 10:54:06 2017
Summary: Recommended update for dirmngr
Severity: low
References: 1045943
Description:
This update for dirmngr provides the following fix:
- Change logrotate from Requires to Recommends (bsc#1045943)

-----------------------------------------
Patch: SUSE-2017-1086
Released: Fri Jun 30 15:36:17 2017
Summary: Security update for libxml2
Severity: moderate
References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376
Description:
This update for libxml2 fixes the following issues:

Security issues fixed:
* CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
* CVE-2017-7375: Prevent unwanted external entity reference (bsc#1044894)

-----------------------------------------
Patch: SUSE-2017-1116
Released: Thu Jul 6 11:37:18 2017
Summary: Security update for libgcrypt
Severity: moderate
References: 1046607,CVE-2017-7526
Description:
This update for libgcrypt fixes the following issues:
- CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)

-----------------------------------------
Patch: SUSE-2017-1119
Released: Fri Jul 7 11:23:20 2017
Summary: Recommended update for ncurses
Severity: important
References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
- CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function.
  (bsc#1046853)

Bugfixes:
- Drop patch ncurses-5.9-environment.dif as the YaST2 ncurses GUI does not need it anymore and it also causes bug bsc#1000662

-----------------------------------------
Patch: SUSE-2017-1142
Released: Wed Jul 12 15:48:23 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:
This update for openssh provides the following fixes:
- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch, users using the IBMCA engine are not able to perform ssh login as the filter blocks the communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.

-----------------------------------------
Patch: SUSE-2017-1160
Released: Fri Jul 14 17:20:26 2017
Summary: Recommended update for openldap2
Severity: low
References: 1031702
Description:
This update for openldap2 provides the following fix:
- Fix a regression in handling of non-blocking connection (bsc#1031702)

-----------------------------------------
Patch: SUSE-2017-1192
Released: Thu Jul 20 20:07:36 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:
- Fix a locking issue of iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)

-----------------------------------------
Patch: SUSE-2017-1222
Released: Wed Jul 26 17:15:18 2017
Summary: Recommended update for procps
Severity: low
References: 1034563,1039941
Description:
This update for procps provides the following fixes:
- Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
- Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
- Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set

-----------------------------------------
Patch: SUSE-2017-1243
Released: Wed Aug 2 16:00:30 2017
Summary: Recommended update for lsscsi
Severity: low
References: 1008935,1047884
Description:
This update for lsscsi provides the following fixes:
- Fix the detection of the WWN for SCSI disks (bsc#1008935)
- Fix the output of 'lsscsi -t' (bsc#1047884)

-----------------------------------------
Patch: SUSE-2017-1279
Released: Mon Aug 7 14:46:40 2017
Summary: Security update for ncurses
Severity: moderate
References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113
Description:
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
- CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
- CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)

-----------------------------------------
Patch: SUSE-2017-1299
Released: Tue Aug 8 12:55:31 2017
Summary: Recommended update for openssh
Severity: moderate
References: 1016709,1017099,1023275,1024251
Description:
This update for openssh provides the following fixes:
- Enable specific ioctl calls for ICA crypto card on the zSeries platform. Without this patch, users using the IBMCA engine are not able to perform ssh login as the filter blocks the communication with the crypto card. (bsc#1016709)
- Enable case-insensitive hostname matching. (bsc#1017099)
- Add a new switch for printing diagnostic messages in sftp client's batch mode. (bsc#1023275)
- Better fix for core dumps from auditing code when trying to bind to an unavailable port. (bsc#1024251)
- Remove the limit on the amount of tasks sshd can run.
-----------------------------------------
Patch: SUSE-2017-1316
Released: Thu Aug 10 13:54:27 2017
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1014471,1026825,1044840,938657
Description:
This update for cyrus-sasl provides the following fixes:
- Fix the SASL GSSAPI mechanism acceptor wrongly returning a zero maxbufsize
- Fix 'unknown authentication mechanism: kerberos5' (bsc#1026825)
- Really use the SASLAUTHD_PARAMS variable (bsc#938657)
- Make sure /usr/sbin/rcsaslauthd exists
- Add the /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
- Silence the 'GSSAPI client step 1' debug log message (bsc#1044840)
-----------------------------------------
Patch: SUSE-2017-1326
Released: Fri Aug 11 16:59:04 2017
Summary: Security update for libxml2
Severity: low
References: 1038444,CVE-2017-8872
Description:
This update for libxml2 fixes the following issues:
Security issues fixed:
- CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)
-----------------------------------------
Patch: SUSE-2017-1330
Released: Mon Aug 14 18:41:29 2017
Summary: Recommended update for sed
Severity: low
References: 954661
Description:
This update for sed provides the following fix:
- Don't terminate with a segmentation fault if closing the last file descriptor fails. (bsc#954661)
-----------------------------------------
Patch: SUSE-2017-1333
Released: Tue Aug 15 17:59:30 2017
Summary: Optional update for libverto
Severity: low
References: 1029561
Description:
This update adds the libverto library to the OpenStack Cloud Magnum Orchestration channels.
-----------------------------------------
Patch: SUSE-2017-1347
Released: Fri Aug 18 11:03:57 2017
Summary: Recommended update for procps
Severity: important
References: 1053409
Description:
This update for procps fixes the following issue:
- Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).
-----------------------------------------
Patch: SUSE-2017-1349
Released: Fri Aug 18 12:31:07 2017
Summary: Recommended update for lua51
Severity: low
References: 1051626
Description:
This update for lua51 provides the following fix:
- Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)
-----------------------------------------
Patch: SUSE-2017-1390
Released: Fri Aug 25 15:14:27 2017
Summary: Security update for libzypp
Severity: important
References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
- Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
- Update lsof blacklist. (bsc#1046417)
- Re-probe on refresh if the repository type changes. (bsc#1048315)
- Propagate proper error code to DownloadProgressReport. (bsc#1047785)
- Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
- Support custom repo variables defined in /etc/zypp/vars.d.
yast2-pkg-bindings:
- Do not crash when the repository URL is not defined. (bsc#1043218)
-----------------------------------------
Patch: SUSE-2017-1419
Released: Wed Aug 30 15:38:22 2017
Summary: Security update for expat
Severity: moderate
References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233
Description:
This update for expat fixes the following issues:
- CVE-2016-9063: Possible integer overflow inside XML_Parse leading to unexpected behaviour (bsc#1047240)
- CVE-2017-9233: External entity vulnerability could lead to denial of service (bsc#1047236)
-----------------------------------------
Patch: SUSE-2017-1447
Released: Mon Sep 4 15:38:20 2017
Summary: Security update for libzypp, zypper
Severity: important
References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Adapt to work with GnuPG 2.1.23. (bsc#1054088)
- Support signing with subkeys. (bsc#1008325)
- Enhance sort order for media.1/products. (bsc#1054671)
zypper:
- Also show a gpg key's subkeys. (bsc#1008325)
- Improve signature check callback messages. (bsc#1045735)
- Add options to tune the GPG check settings. (bsc#1045735)
- Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
- Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)
-----------------------------------------
Patch: SUSE-2017-1450
Released: Mon Sep 4 16:36:07 2017
Summary: Recommended update for insserv-compat
Severity: low
References: 1035062,944903
Description:
This update for insserv-compat fixes the following issues:
- Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
- Fix directory argument parsing. (bsc#944903)
- Add perl(Getopt::Long) to list of requirements.
-----------------------------------------
Patch: SUSE-2017-1453
Released: Mon Sep 4 21:23:50 2017
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1043333,1046659,1047008
Description:
This update for libgcrypt fixes the following issues:
- libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null, which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
- Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659)
  * don't call gcry_drbg_instantiate() in the healthcheck sanity test, to save entropy
  * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
- Fix a bug in gcry_drbg_healthcheck_sanity() which caused some of the tests to be skipped (bsc#1046659)
- dlsym returns the PLT address on s390x; dlopen libgcrypt20.so before calling dlsym (bsc#1047008)
-----------------------------------------
Patch: SUSE-2017-1622
Released: Mon Oct 2 20:06:28 2017
Summary: Recommended update for yast2-xml
Severity: low
References: 1047449
Description:
This update for yast2-xml provides the following fix:
- Omit libxml2 memory cleanup to prevent a crash if rubygem-nokogiri is installed. (bsc#1047449)
-----------------------------------------
Patch: SUSE-2017-1644
Released: Mon Oct 9 07:52:24 2017
Summary: Security update for krb5
Severity: moderate
References: 1032680,1054028,1056995,903543,CVE-2017-11462
Description:
This update for krb5 fixes several issues.
This security issue was fixed:
- CVE-2017-11462: Prevent automatic security context deletion to prevent a double-free (bsc#1056995)
These non-security issues were fixed:
- Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principal names. (bsc#1054028)
- Prevent kadmind.service startup failure caused by absence of the LDAP service. (bsc#903543)
- Remove the main package's dependency on systemd (bsc#1032680)
-----------------------------------------
Patch: SUSE-2017-1796
Released: Fri Oct 27 21:25:06 2017
Summary: Recommended update for pcre
Severity: moderate
References: 1058722
Description:
This update for pcre fixes the following issue:
- Fixed the pcre stack frame size detection, which modern compilers break by cloning and inlining the pcre match() function (bsc#1058722)
-----------------------------------------
Patch: SUSE-2017-1802
Released: Tue Oct 31 12:05:17 2017
Summary: Recommended update for iptables
Severity: low
References: 1045130
Description:
This update for iptables provides the following fix:
- Fix a locking issue in iptables-batch when other programs modify the iptables rules in parallel (bsc#1045130)
-----------------------------------------
Patch: SUSE-2017-1826
Released: Wed Nov 8 08:47:17 2017
Summary: Security update for krb5
Severity: important
References: 1065274,CVE-2017-15088
Description:
This update for krb5 fixes the following issues:
Security issues fixed:
- CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)
-----------------------------------------
Patch: SUSE-2017-1794
Released: Thu Nov 16 11:17:40 2017
Summary: Security update for wget
Severity: important
References: 1064715,1064716,CVE-2017-13089,CVE-2017-13090
Description:
This update for wget fixes the following security issues:
- CVE-2017-13089, CVE-2017-13090: Missing checks for a negative remaining_chunk_size in skip_short_body and fd_read_body could cause stack buffer overflows, which could have been exploited by malicious servers. (bsc#1064715, bsc#1064716)
-----------------------------------------
Patch: SUSE-2017-1881
Released: Wed Nov 22 16:29:58 2017
Summary: Security update for file
Severity: moderate
References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653
Description:
The GNU file utility was updated to version 5.22.
Security issues fixed:
- CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
- CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
- CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allowed remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
- CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
- CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)
Version update to file version 5.22
* add indirect relative for TIFF/Exif
* restructure elf note printing to avoid repeated messages
* add note limit, suggested by Alexander Cherepanov
* Bail out on partial pread()'s (Alexander Cherepanov)
* Fix incorrect bounds check in file_printable (Alexander Cherepanov)
* PR/405: ignore SIGPIPE from uncompress programs
* change printable -> file_printable and use it in more places for safety
* in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.
Version update to file version 5.21
* there was an incorrect free in magic_load_buffers()
* there was an out of bounds read for some pascal strings
* there was a memory leak in magic lists
* don't interpret strings printed from files using the current locale, convert them to ascii format first.
* there was an out of bounds read in elf note reads
Update to file version 5.20
* recognize encrypted CDF documents
* add magic_load_buffers from Brooks Davis
* add thumbs.db support
Additional non-security bug fixes:
* Fixed a memory corruption during rpmbuild (bsc#1063269)
* Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
* file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)
-----------------------------------------
Patch: SUSE-2017-1882
Released: Wed Nov 22 16:58:12 2017
Summary: Recommended update for timezone
Severity: low
References: 1064571
Description:
This update provides the latest timezone information (2017c) for your system, including the following changes:
- Northern Cyprus switches from +03 to +02/+03 on 2017-10-29
- Fiji ends DST 2018-01-14, not 2018-01-21
- Namibia switches from +01/+02 to +02 on 2018-04-01
- Sudan switches from +03 to +02 on 2017-11-01
- Tonga likely switches from +13/+14 to +13 on 2017-11-05
- Turks and Caicos switches from -04 to -05/-04 on 2018-11-04
- Corrections to past DST transitions
- Move oversized Canada/East-Saskatchewan to 'backward' file
- zic(8) and the reference runtime now reject multiple leap seconds within 28 days of each other, or leap seconds before the Epoch.
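The wget bug in SUSE-2017-1794 above is a missing sign check: the chunk size parsed from the server is a signed integer, and a negative value sails through a "remaining smaller than the buffer?" bound that limits a copy into a stack buffer. The following program is an added example, not wget's code; the helper names (parse_chunk_size, decode_chunked, decode_sample, chunk_size_of) and the sample chunked bodies are constructed for this illustration. It decodes an HTTP/1.1 chunked body held in memory with the same shape of copy loop, but refuses a sign, leading whitespace and overflow before the size can ever reach that bound.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not wget's code): a minimal HTTP/1.1 chunked-body decoder.
 * The copy loop mirrors the shape that CVE-2017-13089/13090 hit: a signed
 * "remaining" counter bounds a copy into a fixed stack buffer, so a negative
 * size has to be refused before it reaches that bound.
 */

/* Parse one chunk-size line such as "1a; ext=1\r\n".
 * Returns the number of bytes consumed (through the LF), or 0 on error.
 * Refuses a sign, leading whitespace, overflow and a missing CRLF. */
size_t parse_chunk_size(const char *p, size_t n, int64_t *size)
{
    const char *lf = memchr(p, '\n', n);
    if (lf == NULL || lf == p || lf[-1] != '\r')
        return 0;
    /* strtoll would happily accept "-5" or " +5"; that is the root cause. */
    if (*p == '-' || *p == '+' || isspace((unsigned char)*p))
        return 0;
    char *q;
    errno = 0;
    long long v = strtoll(p, &q, 16);      /* stops at '\r', ';' or a space */
    if (q == p || errno == ERANGE || v < 0)
        return 0;
    if (q != lf - 1 && *q != ';' && *q != ' ' && *q != '\t')
        return 0;                          /* junk after the hex digits */
    *size = (int64_t)v;
    return (size_t)(lf - p) + 1;
}

/* Decode a chunked body held in memory into out (capacity outcap).
 * Returns the decoded length, or -1 on malformed or truncated input. */
long decode_chunked(const char *in, size_t n, char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;
    for (;;) {
        int64_t remaining;
        size_t used = parse_chunk_size(in + pos, n - pos, &remaining);
        if (used == 0)
            return -1;
        pos += used;
        if (remaining == 0)
            return (long)outlen;           /* last-chunk; trailers not needed here */
        while (remaining > 0) {
            char buf[8];                   /* small on purpose: several reads per chunk */
            /* This bound is only safe because remaining is known to be >= 0.
             * With a negative value the comparison picks "remaining" and the
             * memcpy length becomes a huge size_t: the wget stack overflow. */
            size_t want = remaining < (int64_t)sizeof buf ? (size_t)remaining : sizeof buf;
            if (want > n - pos || outlen + want > outcap)
                return -1;                 /* truncated input or output too small */
            memcpy(buf, in + pos, want);
            memcpy(out + outlen, buf, want);
            pos += want;
            outlen += want;
            remaining -= (int64_t)want;
        }
        if (n - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;                     /* chunk data must end with CRLF */
        pos += 2;
    }
}

/* Convenience wrappers for stand-alone checks against NUL-terminated samples. */
static char scratch[64];

long decode_sample(const char *body)
{
    return decode_chunked(body, strlen(body), scratch, sizeof scratch);
}

long long chunk_size_of(const char *line)
{
    int64_t s;
    return parse_chunk_size(line, strlen(line), &s) ? (long long)s : -1;
}

int main(void)
{
    /* Constructed sample bodies; the second has the hostile negative size. */
    long good = decode_sample("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n");
    printf("good body: %ld bytes: %.*s\n", good, (int)(good < 0 ? 0 : good), scratch);
    printf("negative chunk size: %ld\n", decode_sample("-5\r\nhello\r\n0\r\n\r\n"));
    printf("overflowing chunk size: %ld\n", decode_sample("FFFFFFFFFFFFFFFFFFFF\r\n\r\n"));
    return 0;
}
```

Compile with any C99 compiler and run. The decoder returns 9 and "Wikipedia" for the well-formed body and -1 for both hostile sizes; the point is that the sign and range checks live in the parser, so the copy loop never sees a value it cannot bound.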
-----------------------------------------
Patch: SUSE-2017-1903
Released: Fri Nov 24 16:19:37 2017
Summary: Security update for perl
Severity: moderate
References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
- CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
- CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)
Bug fixes:
- backport set_capture_string changes from upstream (bsc#999735)
- reformat baselibs.conf as source validator workaround
-----------------------------------------
Patch: SUSE-2017-1916
Released: Fri Nov 24 20:15:01 2017
Summary: Recommended update for libgcrypt
Severity: important
References: 1043333,1059723
Description:
This update for libgcrypt provides the following fix:
- Fix a regression in a previous update which caused libgcrypt to leak file descriptors, causing failures when starting rtkit-daemon. (bsc#1059723)
-----------------------------------------
Patch: SUSE-2017-1917
Released: Mon Nov 27 13:32:07 2017
Summary: Optional update for gcc7
Severity: low
References: 1056437,1062591,1062592
Description:
The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:
- Support for specific IBM Power9 processor instructions.
- Support for specific IBM zSeries z14 processor instructions.
- New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.
The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 7, several bugs fixed, quite a few new warnings added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html
-----------------------------------------
Patch: SUSE-2017-1965
Released: Thu Nov 30 12:48:45 2017
Summary: Recommended update for libsolv, libzypp, zypper
Severity: moderate
References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libsolv:
- Many fixes and improvements for cleandeps.
- Always create dup rules for 'distupgrade' jobs.
- Use recommends also for ordering packages.
- Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
- Expose solver_get_recommendations() in bindings.
- Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
- Support 'without' and 'unless' dependencies.
- Use same heuristic as upstream to determine source RPMs.
- Fix memory leak in bindings.
- Add pool_best_solvables() function.
- Fix 64bit integer parsing from RPM headers.
- Enable bzip2 and xz/lzma compression support.
- Enable complex/rich dependencies on distributions with RPM 4.13+.
libzypp:
- Fix media handling in presence of a repo path prefix. (bsc#1062561)
- Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
- Remove unused legacy notify-message script. (bsc#1058783)
- Support multiple product licenses in repomd. (fate#322276)
- Propagate 'rpm --import' errors. (bsc#1057188)
- Fix typos in zypp.conf.
zypper:
- Locale: Fix possible segmentation fault. (bsc#1064999)
- Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
- Unify '(add|modify)(repo|service)' property related arguments.
- Fixed 'add' commands to support setting only a subset of properties.
- Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
- Fix missing package names in installation report. (bsc#1058695)
- Distinguish between unsupported packages and packages with unknown support status. (bsc#1057634)
- Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)
-----------------------------------------
Patch: SUSE-2017-1968
Released: Thu Nov 30 19:49:33 2017
Summary: Recommended update for coreutils
Severity: low
References: 1026567,1043059,965780
Description:
This update for coreutils provides the following fixes:
- Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
- Ensure df -l no longer interacts with dummy file system types, so for example it no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
- Significantly speed up df(1) for huge mount lists. (bsc#965780)
-----------------------------------------
Patch: SUSE-2017-1974
Released: Fri Dec 1 11:30:25 2017
Summary: Recommended update for zip
Severity: low
References: 1068346
Description:
This update for zip provides the following fix:
- Fix memory leaks when appending files (bsc#1068346)
-----------------------------------------
Patch: SUSE-2017-2009
Released: Thu Dec 7 13:21:49 2017
Summary: Security update for openssh
Severity: moderate
References: 1006166,1048367,1065000,1068310,1069509,CVE-2008-1483,CVE-2017-15906
Description:
This update for openssh fixes the following issues:
Security issue fixed:
- CVE-2017-15906: Stricter checking of operations in read-only mode in the sftp server (bsc#1065000).
Bug fixes:
- FIPS: Startup selfchecks (bsc#1068310).
- FIPS: Silence complaints about unsupported key exchange methods (bsc#1006166).
- Refine handling of sockets for X11 forwarding to remove reintroduced CVE-2008-1483 (bsc#1069509).
- Test the configuration before running the daemon, to prevent looping that results in service shutdown (bsc#1048367)
-----------------------------------------
Patch: SUSE-2017-2021
Released: Fri Dec 8 10:11:04 2017
Summary: Recommended update for file
Severity: moderate
References: 1070878,1070958
Description:
This update for file fixes detection of JPEG files.
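The libgcrypt descriptor problems in SUSE-2017-1453 and SUSE-2017-1916 above are a compact case study in caching a file descriptor inside a library: a static cache can end up holding fd 0, 1 or 2; a daemon that later re-points those at /dev/null turns every read on the cached descriptor into EOF, which a "retry until full" loop never escapes; and a fix that moves the descriptor above the standard streams must close the original or it leaks one descriptor per open. The following C program is an added example, not libgcrypt's or gnome-keyring's code. The names naive_open, safe_open, read_random, demo_naive and demo_hardened are mine, and it re-points only fd 0 (the real daemon did 0 to 2) so that the program's own output still works.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Added example, not libgcrypt's code. It reproduces the two descriptor
 * pitfalls from SUSE-2017-1453 and SUSE-2017-1916: a library that caches
 * the random-device descriptor in a static can end up holding fd 0, which a
 * daemon later re-points at /dev/null; and the fix that moves the cached
 * descriptor must not leak the low one.
 */

static int naive_fd = -1;   /* cached exactly as returned by open() */
static int safe_fd  = -1;   /* cached only once it is >= 3 and close-on-exec */

static int naive_open(void)
{
    if (naive_fd < 0)
        naive_fd = open("/dev/urandom", O_RDONLY);
    return naive_fd;
}

static int safe_open(void)
{
    if (safe_fd >= 0)
        return safe_fd;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fd < 3) {
        /* Move above the standard streams, then close the low descriptor.
         * Forgetting this close is the leak that SUSE-2017-1916 fixed. */
        int hi = fcntl(fd, F_DUPFD_CLOEXEC, 3);
        close(fd);
        fd = hi;
    }
    safe_fd = fd;
    return fd;
}

/* Fill buf from fd. EOF is reported as an error instead of being retried,
 * which is what turned a /dev/null descriptor into an infinite loop. */
int read_random(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            return -1;                 /* EOF: this is not a random device any more */
        got += (size_t)r;
    }
    return 0;
}

/* Reproduce the daemon's behaviour on fd 0 only, so stdout/stderr keep
 * working for the demo. Returns read_random's result for the cached fd. */
static int scenario(int hardened)
{
    if (naive_fd >= 0) { close(naive_fd); naive_fd = -1; }
    if (safe_fd  >= 0) { close(safe_fd);  safe_fd  = -1; }
    close(0);                          /* stdin closed, as in a detached daemon */
    int fd = hardened ? safe_open() : naive_open();   /* open() now returns 0 */
    if (fd < 0)
        return -2;
    int devnull = open("/dev/null", O_RDWR);
    if (devnull < 0)
        return -2;
    if (devnull != 0) {                /* the daemon "sanitises" fd 0 */
        dup2(devnull, 0);
        close(devnull);
    }
    unsigned char buf[16];
    return read_random(fd, buf, sizeof buf);
}

int demo_naive(void)    { return scenario(0); }   /* -1: cached fd now reads /dev/null */
int demo_hardened(void) { return scenario(1); }   /*  0: cached fd is still urandom */

int main(void)
{
    printf("naive cache after fd 0 was re-pointed: %d\n", demo_naive());
    printf("hardened cache after fd 0 was re-pointed: %d\n", demo_hardened());
    return 0;
}
```

Build with a C99 compiler on Linux and run it. The naive path reports -1 because its cached descriptor is the one the daemon re-pointed at /dev/null; the hardened path reports 0 because its descriptor was moved to 3 or above with F_DUPFD_CLOEXEC and the low one closed. Treating EOF as an error in read_random is the difference between a failed call and the hang the advisory describes.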
-----------------------------------------
Patch: SUSE-2017-2088
Released: Fri Dec 15 14:10:31 2017
Summary: Recommended update for hwinfo
Severity: low
References: 1041090,1047218,1051076,1062562
Description:
This update for hwinfo fixes the following issues:
- Support SMBIOS 3.0 spec (bsc#1062562)
- Ensure /var/lib/hardware/udi exists with 755 permissions
- Sort input files (bsc#1041090)
- Allow to override current time (bsc#1047218)
- Really set default timeout to 20s for Video BIOS emulation calls
-----------------------------------------
Patch: SUSE-2018-4
Released: Tue Jan 2 15:58:20 2018
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1057640,1067605,1068708,1071466,969569
Description:
The Software Update Stack was updated to receive fixes and enhancements.
libzypp:
- Don't store duplicated locks. (bsc#969569)
- Fix default for solver.allowNameChange. (bsc#1071466)
- Don't filter procs with a different mnt namespace. (bsc#1068708)
- Support repo variables in a URI's host:port component. (bsc#1057640, bsc#1067605)
zypper:
- Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605)
-----------------------------------------
Patch: SUSE-2018-68
Released: Mon Jan 15 11:30:39 2018
Summary: Security update for openslp
Severity: moderate
References: 1001600,974655,980722,994989,CVE-2016-4912,CVE-2016-7567
Description:
This update for openslp fixes two security issues and two bugs.
The following vulnerabilities were fixed:
- CVE-2016-4912: A remote attacker could have crashed the server with a large number of packets (bsc#980722)
- CVE-2016-7567: A remote attacker could cause a memory corruption with unspecified impact (bsc#1001600)
The following bugfix changes are included:
- bsc#994989: Removed convenience code that changed bytes in the message buffer and broke the verification code
- bsc#974655: Removed the no longer needed slpd init file
-----------------------------------------
Patch: SUSE-2018-86
Released: Wed Jan 17 09:38:17 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136).
- CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131).
- CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127).
- CVE-2017-13729: Fix illegal address access in _nc_save_str (bsc#1056132).
- CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128).
- CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129).
-----------------------------------------
Patch: SUSE-2018-146
Released: Thu Jan 25 11:44:23 2018
Summary: Recommended update for openldap2
Severity: moderate
References: 1064397,1065083
Description:
This update for openldap2 provides the following fixes:
- Fix a leak of sockets in case of unsuccessful connection attempts. (bsc#1065083)
- Fix a crash that would happen under heavy load when using back-relay. (bsc#1064397)
-----------------------------------------
Patch: SUSE-2018-209
Released: Tue Jan 30 10:53:43 2018
Summary: Security update for ncurses
Severity: moderate
References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734
Description:
This update for ncurses fixes several issues.
These security issues were fixed:
- CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have led to a remote denial of service attack (bsc#1056126).
- CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056127).
- CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have led to a remote denial of service attack (bsc#1056128).
- CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have led to a remote denial of service attack (bsc#1056129).
- CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have led to a remote denial of service attack (bsc#1056131).
- CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have led to a remote denial of service attack (bsc#1056132).
- CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have led to a remote denial of service attack (bsc#1056136).
-----------------------------------------
Patch: SUSE-2018-214
Released: Tue Jan 30 14:37:42 2018
Summary: Security update for libtasn1
Severity: moderate
References: 1076832,CVE-2018-6003
Description:
This update for libtasn1 fixes one issue.
This security issue was fixed:
- CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding a BER-encoded structure, which allowed a DoS (bsc#1076832).
-----------------------------------------
Patch: SUSE-2018-250
Released: Fri Feb 2 17:33:48 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1073275
Description:
This update provides the latest timezone information (2018c) for your system, including the following changes:
- Sao Tome and Principe switched from +00 to +01 on 2018-01-01.
- Southern Brazil's DST will now start on November's first Sunday. (bsc#1073275)
- New zic option -t to specify the time zone file if TZ is unset.
-----------------------------------------
Patch: SUSE-2018-265
Released: Tue Feb 6 14:58:28 2018
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1010996,1071152,1071390
Description:
This update for ca-certificates-mozilla fixes the following issues:
The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996)
We removed the old 1024 bit legacy CAs that were temporarily left in to allow in-chain root certificates, as OpenSSL is now able to handle them.
Further changes coming from Mozilla:
- New Root CAs added:
  * Amazon Root CA 1: (email protection, server auth)
  * Amazon Root CA 2: (email protection, server auth)
  * Amazon Root CA 3: (email protection, server auth)
  * Amazon Root CA 4: (email protection, server auth)
  * Certplus Root CA G1: (email protection, server auth)
  * Certplus Root CA G2: (email protection, server auth)
  * D-TRUST Root CA 3 2013: (email protection)
  * GDCA TrustAUTH R5 ROOT: (server auth)
  * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth)
  * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth)
  * ISRG Root X1: (server auth)
  * LuxTrust Global Root 2: (server auth)
  * OpenTrust Root CA G1: (email protection, server auth)
  * OpenTrust Root CA G2: (email protection, server auth)
  * OpenTrust Root CA G3: (email protection, server auth)
  * SSL.com EV Root Certification Authority ECC: (server auth)
  * SSL.com EV Root Certification Authority RSA R2: (server auth)
  * SSL.com Root Certification Authority ECC: (email protection, server auth)
  * SSL.com Root Certification Authority RSA: (email protection, server auth)
  * Symantec Class 1 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 1 Public Primary Certification Authority - G6: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G4: (email protection)
  * Symantec Class 2 Public Primary Certification Authority - G6: (email protection)
  * TrustCor ECA-1: (email protection, server auth)
  * TrustCor RootCert CA-1: (email protection, server auth)
  * TrustCor RootCert CA-2: (email protection, server auth)
  * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth)
- Removed root CAs:
  * AddTrust Public Services Root
  * AddTrust Public CA Root
  * AddTrust Qualified CA Root
  * ApplicationCA - Japanese Government
  * Buypass Class 2 CA 1
  * CA Disig Root R1
  * CA WoSign ECC Root
  * Certification Authority of WoSign G2
  * Certinomis - Autorité Racine
  * Certum Root CA
  * China Internet Network Information Center EV Certificates Root
  * CNNIC ROOT
  * Comodo Secure Services root
  * Comodo Trusted Services root
  * ComSign Secured CA
  * EBG Elektronik Sertifika Hizmet Sağlayıcısı
  * Equifax Secure CA
  * Equifax Secure eBusiness CA 1
  * Equifax Secure Global eBusiness CA
  * GeoTrust Global CA 2
  * IGC/A
  * Juur-SK
  * Microsec e-Szigno Root CA
  * PSCProcert
  * Root CA Generalitat Valenciana
  * RSA Security 2048 v3
  * Security Communication EV RootCA1
  * Sonera Class 1 Root CA
  * StartCom Certification Authority
  * StartCom Certification Authority G2
  * S-TRUST Authentication and Encryption Root CA 2005 PN
  * Swisscom Root CA 1
  * Swisscom Root EV CA 2
  * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
  * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
  * UTN USERFirst Hardware Root CA
  * UTN USERFirst Object Root CA
  * VeriSign Class 3 Secure Server CA - G2
  * Verisign Class 1 Public Primary Certification Authority
  * Verisign Class 2 Public Primary Certification Authority - G2
  * Verisign Class 3 Public Primary Certification Authority
  * WellsSecure Public Root Certificate Authority
  * Certification Authority of WoSign
  * WoSign China
- Removed Code Signing rights from a lot of CAs (not listed here).
- Removed Server Auth rights from:
  * AddTrust Low-Value Services Root
  * Camerfirma Chambers of Commerce Root
  * Camerfirma Global Chambersign Root
  * Swisscom Root CA 2
-----------------------------------------
Patch: SUSE-2018-276
Released: Thu Feb 8 17:47:43 2018
Summary: Security update for libxml2
Severity: moderate
References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130
Description:
This update for libxml2 fixes the following issues.
These security issues were fixed:
- CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993)
- CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813)
- CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806)
-----------------------------------------
Patch: SUSE-2018-291
Released: Mon Feb 12 11:50:39 2018
Summary: Recommended update for bash
Severity: low
References: 1057452,1076909
Description:
This update for bash provides the following fixes:
- Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452)
- Fix a crash when the filesystem is full. (bsc#1076909)
- Enable multi-byte characters by default.
-----------------------------------------
Patch: SUSE-2018-336
Released: Wed Feb 21 14:26:52 2018
Summary: Security update for libdb-4_8
Severity: moderate
References: 1043886
Description:
This update for libdb-4_8 fixes the following issue:
- A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886)
-----------------------------------------
Patch: SUSE-2018-375
Released: Wed Feb 28 16:33:37 2018
Summary: Recommended update for net-tools
Severity: low
References: 1009905,1063910
Description:
This update for net-tools provides the following fix:
- netstat: fix handling of large socket numbers (bsc#1063910)
-----------------------------------------
Patch: SUSE-2018-472
Released: Thu Mar 15 10:47:40 2018
Summary: Recommended update for libsolv, libzypp, zypper
Severity: low
References: 1074687,1075449,1076415,1079334,953130
Description:
This update for libsolv, libzypp and zypper provides the following fixes:
libsolv:
- Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130)
- Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM.
- Add a new function to change the whatprovides data: pool_set_whatprovides.
- Significant improvements in the selection code.
libzypp:
- Make sure deleted keys are also removed from rpmdb. (bsc#1075449)
- plugin: Don't reject header values containing ':'. (bsc#1074687)
- RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415)
zypper:
- Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334)
-----------------------------------------
Patch: SUSE-2018-517
Released: Thu Mar 22 07:17:01 2018
Summary: Recommended update for openssh
Severity: moderate
References: 1048367,1048982,1051559,1061061
Description:
This update for openssh provides the following fixes:
- Enable systemd integration to work around various race conditions in reporting failures of the service. (bsc#1048367 bsc#1061061)
- Re-add tcpwrappers support (forward ported) that had been removed with the upgrade to 6.6p1. Please note that tcpwrappers support will not be available in subsequent major releases of SUSE Linux Enterprise. (bsc#1048982)
- Fix for socket forwarding when logging in as root on the server side (bsc#1051559)
-----------------------------------------
Patch: SUSE-2018-560
Released: Wed Mar 28 16:39:25 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1082022,1085512
Description:
This update for suse-build-key fixes the following issues:
- The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512)
- A new security@suse.de E-Mail key was added (bsc#1082022)
pub rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14]
Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B BE6E 21FE 9232 2BA9 E067
uid SUSE Security Team
uid SUSE Security Team
sub rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14]
-----------------------------------------
Patch: SUSE-2018-567
Released: Thu Mar 29 14:02:08 2018
Summary: Security update for krb5
Severity: moderate
References: 1057662,1081725,1083926,1083927,CVE-2018-5729,CVE-2018-5730
Description:
This update for krb5 provides the following fixes:
Security issues fixed:
- CVE-2018-5730: DN container check bypass by supplying specially crafted data (bsc#1083927).
- CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying specially crafted data (bsc#1083926).
Non-security issues fixed:
- Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who experience these compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662)
- Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in the gss_indicate_mech() list. (bsc#1081725)
-----------------------------------------
Patch: SUSE-2018-594
Released: Thu Apr 5 17:22:37 2018
Summary: Security update for libidn
Severity: moderate
References: 1056450,CVE-2017-14062
Description:
This update for libidn fixes one issue.
This security issue was fixed:
- CVE-2017-14062: Prevent integer overflow in the decode_digit function that allowed remote attackers to cause a denial of service or possibly have unspecified other impact (bsc#1056450).
-----------------------------------------
Patch: SUSE-2018-656
Released: Wed Apr 18 12:08:13 2018
Summary: Recommended update for timezone, timezone-java
Severity: low
References: 1086729
Description:
This update provides the latest timezone information (2018d) for your system, including the following changes:
- In 2018, Palestine starts DST on March 24, not March 31.
- Casey Station in Antarctica changed from +11 to +08 on 2018-03-11 at 04:00 (bsc#1086729).
- Corrections for historical transitions.
-----------------------------------------
Patch: SUSE-2018-730
Released: Wed Apr 25 14:14:41 2018
Summary: Security update for perl
Severity: moderate
References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913
Description:
This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
- CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
-----------------------------------------
Patch: SUSE-2018-736
Released: Wed Apr 25 14:23:49 2018
Summary: Recommended update for libsolv, libzypp
Severity: moderate
References: 1075978,1077635,1079991,1082318,1086602
Description:
This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:
- Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
- Also make use of suggests for ordering packages.
(bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------- Patch: SUSE-2018-779 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Severity: low References: 1003714,1027925,1069934 Description: This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. (bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. 
(bsc#1069934) ----------------------------------------- Patch: SUSE-2018-797 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 Description: This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------- Patch: SUSE-2018-910 Released: Tue May 15 12:21:24 2018 Summary: Recommended update for timezone, timezone-java Severity: low References: 1073299 Description: This update provides the latest timezone information (2018e) for your system, including following changes: - North Korea switches back from +0830 to +09 on 2018-05-05. 
- Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter (bsc#1073299) ----------------------------------------- Patch: SUSE-2018-957 Released: Tue May 22 15:14:05 2018 Summary: Security update for wget Severity: moderate References: 1092061,CVE-2018-0494 Description: This update for wget fixes the following issues: - CVE-2018-0494: Fixed a cookie injection vulnerability by checking for and joining continuation lines. (bsc#1092061) ----------------------------------------- Patch: SUSE-2018-964 Released: Tue May 22 18:31:29 2018 Summary: Security update for python Severity: moderate References: 1068664,1079300,CVE-2017-1000158,CVE-2018-1000030 Description: This update for python fixes the following issues: Security issues fixed: - CVE-2017-1000158: Fixed integer overflows in PyString_DecodeEscape that could have resulted in heap-based buffer overflow attacks and possible arbitrary code execution (bsc#1068664). - CVE-2018-1000030: Fixed crash inside the Python interpreter when multiple threads used the same I/O stream concurrently (bsc#1079300). ----------------------------------------- Patch: SUSE-2018-970 Released: Wed May 23 16:44:49 2018 Summary: Recommended update for hwinfo Severity: important References: 1072450,1078511 Description: This update for hwinfo provides the following fixes: - Detect usb controller in ARM platform devices. (bsc#1072450) - Add more sanity checking on scsi serial id. (bsc#1078511) - Make CDBISDN_DATE ignore timezone. 
----------------------------------------- Patch: SUSE-2018-977 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 Description: This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------- Patch: SUSE-2018-998 Released: Tue May 29 11:35:50 2018 Summary: Recommended update for pciutils-ids Severity: moderate References: 1081065 Description: This update provides the latest PCI ID definitions for pciutils-ids (bsc#1081065) ----------------------------------------- Patch: SUSE-2018-1028 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Severity: low References: 1089884 Description: This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------- Patch: SUSE-2018-1082 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Severity: moderate References: 1073879,1080078,964063 Description: This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. 
----------------------------------------- Patch: SUSE-2018-1141 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Severity: important References: 1096745,CVE-2018-12020 Description: This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------- Patch: SUSE-2018-1156 Released: Tue Jun 19 15:10:45 2018 Summary: Recommended update for openslp Severity: moderate References: 1076035,1080964 Description: This update for openslp provides the following fixes: - Fix slpd using the peer address as local address for TCP connections. (bsc#1076035) - Use TCP connections for unicast requests. (bsc#1080964) ----------------------------------------- Patch: SUSE-2018-1193 Released: Wed Jun 20 18:48:16 2018 Summary: Recommended update for openslp Severity: moderate References: 1076035,1080964 Description: This update for openslp provides the following fixes: - Fix slpd using the peer address as local address for TCP connections. (bsc#1076035) - Use TCP connections for unicast requests. (bsc#1080964) ----------------------------------------- Patch: SUSE-2018-1242 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 Description: This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. 
Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------- Patch: SUSE-2018-1328 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). 
- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------- Patch: SUSE-2018-1352 Released: Thu Jul 19 09:47:01 2018 Summary: Security update for openssh Severity: moderate References: 1076957,CVE-2016-10708 Description: This update for openssh fixes the following issues: Security issue fixed: - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). ----------------------------------------- Patch: SUSE-2018-1376 Released: Mon Jul 23 10:54:47 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1413 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. 
(bsc#1090766) ----------------------------------------- Patch: SUSE-2018-1450 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1610 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 Description: This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------- Patch: SUSE-2018-1612 Released: Thu Aug 16 14:04:38 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1619 Released: Thu Aug 16 14:49:40 2018 Summary: Security update for openssh Severity: moderate References: 1076957,CVE-2016-10708 Description: This update for openssh fixes the following issues: Security issue fixed: - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). 
----------------------------------------- Patch: SUSE-2018-1636 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1643 Released: Thu Aug 16 17:41:07 2018 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1100415 Description: The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store. Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------- Patch: SUSE-2018-1688 Released: Mon Aug 20 09:02:23 2018 Summary: Recommended update for openslp Severity: moderate References: 1076035,1080964 Description: This update for openslp provides the following fixes: - Fix slpd using the peer address as local address for TCP connections. (bsc#1076035) - Use TCP connections for unicast requests. (bsc#1080964) ----------------------------------------- Patch: SUSE-2018-1689 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Severity: low References: 1096282 Description: This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------- Patch: SUSE-2018-1695 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 Description: This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). 
- CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------- Patch: SUSE-2018-1753 Released: Fri Aug 24 14:24:17 2018 Summary: Security update for python Severity: moderate References: 1083507,CVE-2017-18207 Description: This update for python fixes the following issues: The following security vulnerabilities were addressed: - Add a check to Lib/wave.py that verifies that at least one channel is provided. Prior to this, attackers could cause a denial of service via a crafted wav format audio file. [bsc#1083507, CVE-2017-18207] ----------------------------------------- Patch: SUSE-2018-1763 Released: Mon Aug 27 09:30:15 2018 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1104780 Description: This update for ca-certificates-mozilla fixes the following issues: The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Removed CAs - ComSign CA - Added new CAs - GlobalSign ----------------------------------------- Patch: SUSE-2018-1766 Released: Mon Aug 27 11:17:25 2018 Summary: Security update for openssh Severity: moderate References: 1076957,CVE-2016-10708 Description: This update for openssh fixes the following issues: Security issue fixed: - CVE-2016-10708: Prevent DoS due to crashes caused by out-of-sequence NEWKEYS message (bsc#1076957). 
----------------------------------------- Patch: SUSE-2018-1942 Released: Fri Sep 21 07:51:02 2018 Summary: Security update for openslp Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------- Patch: SUSE-2018-1969 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 Description: This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. 
- libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------- Patch: SUSE-2018-1985 Released: Mon Sep 24 11:56:08 2018 Summary: Recommended update for openldap2 Severity: moderate References: 1089640 Description: This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------- Patch: SUSE-2018-2117 Released: Tue Oct 2 16:30:51 2018 Summary: Security update for unzip Severity: moderate References: 1013992,1013993,1080074,910683,914442,950110,950111,CVE-2014-9636,CVE-2014-9913,CVE-2015-7696,CVE-2015-7697,CVE-2016-9844,CVE-2018-1000035 Description: This update for unzip fixes the following security issues: - CVE-2014-9913: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013993) - CVE-2015-7696: Specially crafted zip files with password protection could trigger a crash and lead to denial of service (bsc#950110) - CVE-2015-7697: Specially crafted zip files could trigger an endless loop and lead to denial of service (bsc#950111) - CVE-2016-9844: Specially crafted zip files could trigger invalid memory writes possibly resulting in DoS or corruption (bsc#1013992) - CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074). - CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442). 
This non-security issue was fixed: +- Allow processing of Windows zip64 archives (Windows archivers set total_disks field to 0 but per standard, valid values are 1 and higher) (bnc#910683) ----------------------------------------- Patch: SUSE-2018-2132 Released: Thu Oct 4 06:47:56 2018 Summary: Security update for openslp Severity: important References: 1090638,CVE-2017-17833 Description: This update for openslp fixes the following issues: - CVE-2017-17833: Prevent heap-related memory corruption issue which may have manifested itself as a denial-of-service or a remote code-execution vulnerability (bsc#1090638) - Prevent out of bounds reads in message parsing ----------------------------------------- Patch: SUSE-2018-2162 Released: Fri Oct 5 14:46:53 2018 Summary: Recommended update for krb5 Severity: moderate References: 1088921 Description: This update for krb5 provides the following fix: - Resolve krb5 GSS credentials immediately if the application requests the lifetime. (bsc#1088921) ----------------------------------------- Patch: SUSE-2018-2181 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 Description: This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). 
- CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------- Patch: SUSE-2018-2196 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Severity: low References: 1084812,1084842,1087550,1094222,1102564 Description: The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------- Patch: SUSE-2018-2217 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Severity: moderate References: 1094121,1107430 Description: This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. 
----------------------------------------- Patch: SUSE-2018-2296 Released: Wed Oct 17 14:49:12 2018 Summary: Recommended update for hwinfo Severity: moderate References: 1072450,1105003 Description: This update for hwinfo provides the following fixes: - Try a more aggressive approach to catch all usb platform controllers. (bsc#1072450) - Detect ARM HISILICON SAS controller. (bsc#1072450) - Check for vmware only when running in a vm. (bsc#1105003) - Add support for RISC-V. ----------------------------------------- Patch: SUSE-2018-2341 Released: Sat Oct 20 09:50:41 2018 Summary: Recommended update for pciutils Severity: moderate References: 1098094,1098228 Description: This update for pciutils provides the following fixes: - Fix the displaying of the gen4 speed for GEN 4 cards like Mellanox CX5. (bsc#1098094) - Add support for commonly used vendor specific VPD keywords described in 'Table 160. LoPAPR VPD Fields' of the Linux on Power Architecture Platform Reference (LoPAPR). (bsc#1098228) ----------------------------------------- Patch: SUSE-2018-2373 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 Description: This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. 
An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------- Patch: SUSE-2018-2473 Released: Thu Oct 25 16:55:27 2018 Summary: Recommended update for tar Severity: low References: 1071340 Description: This update for tar provides the following fix: - Revert an upstream commit meant for optimizing sparse files as it causes a regression on offline files. (bsc#1071340) ----------------------------------------- Patch: SUSE-2018-2475 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update for libzypp Severity: moderate References: 1099982,1109877,408814,556664,939392 Description: This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------- Patch: SUSE-2018-2488 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Severity: low References: 1076810,889138 Description: This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. 
(bsc#1076810, bsc#889138)
-----------------------------------------
Patch: SUSE-2018-2516
Released: Mon Oct 29 16:14:48 2018
Summary: Recommended update for console-setup, kbd
Severity: moderate
References: 1010880,1027379,1056449,1062303,1069468,1085432,360993,675317,825385,830805,958562,963942,984958
Description:
This update for kbd and console-setup provides the following fixes:

Changes in console-setup:

- Add console-setup to SLE 12 to make it possible for kbd to provide converted X keymaps. (fate#325454, fate#318426)
- Make the package build reproducible. (bsc#1062303)
- Removed unneeded requires to kbd in order to resolve build cycle between kbd and console-setup. (bsc#963942)

Changes in kbd:

- Update to version 2.0.4, including the following fixes (FATE#325454):
  * Disable characters greater than or equal to U+F000 as they do not work properly. (bsc#1085432)
  * Move initial NumLock handling from systemd back to kbd:
  * Add kbdsettings service. (bsc#1010880)
  * Exclude numlockbios support for non x86 platforms
  * Drop references to KEYTABLE and COMPOSETABLE. (bsc#1010880)
  * Drop from some fill-up templates and a couple of sysconfig variables not read by systemd anymore. (fate#319454)
  * Replace references to /var/adm/fillup-templates with new %_fillupdir macro. (bsc#1069468)
  * Add vlock.pamd PAM file. (bsc#1056449)
  * Enable vlock (bsc#1056449).
  * Revert dropping of kdb-legacy requirement as there are still packages and installation flows that need this to be present. (bsc#1027379)
  * Fix data/keymaps/i386/querty/br-abnt2.map. (bsc#984958)
  * Fix missing dependency on coreutils for initrd macros. (bsc#958562)
  * Call missing initrd macro at postun. (bsc#958562)
  * Add the genmap4systemd.sh tool to generate entries for systemd's kbd-model-map table from xkeyboard-config converted keymaps. (fate#318426)
  * genmap4systemd.sh: Use 'abnt2' model for 'br' layouts, 'jp106' model for 'jp' layouts and 'microsoftpro' for anything else (instead of 'pc105' previously used). (fate#318426)
  * Include xkb layouts from xkeyboard-config converted to console keymaps. (fate#318426)
  * euro.map, euro1.map and euro2.map now produce correct unicode character for Euro sign. (bsc#360993)
  * Drop doshell reference from openvt.1 man page. (bsc#675317)
  * Drop the --userwait option as it is not used. (bsc#830805)
  * Fix a typo in the mac-querty-layout.inc. (bsc#825385)
-----------------------------------------
Patch: SUSE-2018-2520
Released: Mon Oct 29 17:28:57 2018
Summary: Security update for python, python-base
Severity: moderate
References: 1086001,1088004,1088009,1109663,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061
Description:
This update for python, python-base fixes the following issues:

Security issues fixed:

- CVE-2018-1000802: Prevent command injection in shutil module (make_archive function) via passage of unfiltered user input (bsc#1109663).
- CVE-2018-1061: Fixed DoS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (bsc#1088004).
- CVE-2018-1060: Fixed DoS via regular expression catastrophic backtracking in apop() method in pop3lib (bsc#1088009).

Bug fixes:

- bsc#1086001: python tarfile uses random order.
-----------------------------------------
Patch: SUSE-2018-2525
Released: Tue Oct 30 09:22:45 2018
Summary: Recommended update for bash
Severity: important
References: 1113117
Description:
This update for bash fixes the following issues:

A recently released update introduced a change of behavior which broke customer scripts.
(bsc#1113117)
-----------------------------------------
Patch: SUSE-2018-2567
Released: Fri Nov 2 18:59:06 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1047937,1057150,1057900,1099452,906858
Description:
This update for apparmor provides the following fixes:

- Add profile for usr.bin.lessopen.sh (bsc#906858)
- Fix dovecot apparmor profile (bsc#1057150)
- Fix creating profile rules from scanned logs when the chown operation is used (bsc#1047937)
- Fix the traceroute profile to allow ipv6 usage (bsc#1057900)
- Fix duplicate entry of capability when performing aa-logprof (bsc#1099452)
-----------------------------------------
Patch: SUSE-2018-2593
Released: Wed Nov 7 11:04:00 2018
Summary: Recommended update for rpm
Severity: moderate
References: 1095148,1113100
Description:
This update for rpm fixes the following issues:

- Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
- Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)
-----------------------------------------
Patch: SUSE-2018-2637
Released: Mon Nov 12 20:38:05 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1113554
Description:
This update provides the latest time zone definitions (2018g), including the following changes:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates
-----------------------------------------
Patch: SUSE-2018-2766
Released: Fri Nov 23 17:07:27 2018
Summary: Security update for rpm
Severity: important
References: 943457,CVE-2017-7500,CVE-2017-7501
Description:
This update for rpm fixes the following issues:

These security issues were fixed:

- CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
- CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS; they have already been released for SUSE Linux Enterprise Server 12 SP3.
-----------------------------------------
Patch: SUSE-2018-1697
Released: Fri Nov 23 17:08:32 2018
Summary: Security update for libgcrypt
Severity: moderate
References: 1064455,1090766,1097410,CVE-2018-0495
Description:
This update for libgcrypt fixes the following issues:

The following security vulnerability was addressed:

- CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

The following other issues were fixed:

- Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
- Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)
-----------------------------------------
Patch: SUSE-2018-1696
Released: Mon Nov 26 17:46:39 2018
Summary: Security update for procps
Severity: moderate
References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).
-----------------------------------------
Patch: SUSE-2018-2783
Released: Mon Nov 26 17:47:36 2018
Summary: Security update for openssh
Severity: moderate
References: 1091396,1105010,964336,CVE-2018-15473
Description:
This update for openssh fixes the following issues:

Following security issues have been fixed:

- CVE-2018-15473: OpenSSH was prone to a user existence oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)

The following non-security issues were fixed:

- Stop leaking file descriptors (bsc#964336)
- sftp-client.c returns wrong error code upon failure [bsc#1091396]
-----------------------------------------
Patch: SUSE-2018-2824
Released: Mon Dec 3 15:34:09 2018
Summary: Security update for ncurses
Severity: important
References: 1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issue:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
-----------------------------------------
Patch: SUSE-2018-2836
Released: Wed Dec 5 09:29:31 2018
Summary: Recommended update for apparmor
Severity: moderate
References: 1111965,1113125
Description:
This update for apparmor fixes the following issues:

- Systemd aware apparmor.spec, remove old insserv from spec file (bsc#1113125)
- Fix warnings produced because of use of uninitialized variables (bsc#1111965)
-----------------------------------------
Patch: SUSE-2018-2842
Released: Wed Dec 5 10:00:35 2018
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1044232
Description:
This update for suse-build-key fixes the following issues:

- Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it also exists on systems where documentation is not installed.
(bsc#1044232)
-----------------------------------------
Patch: SUSE-2018-2846
Released: Wed Dec 5 12:50:41 2018
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1100078,1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407
Description:
This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
- Add missing timing side channel patch for DSA signature generation (bsc#1113742).

Non-security issues fixed:

- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
-----------------------------------------
Patch: SUSE-2018-2906
Released: Tue Dec 11 21:48:05 2018
Summary: Recommended update for blog
Severity: moderate
References: 1071568
Description:
This update for blog fixes the following issues:

- Hardening of the console list generation (bsc#1071568)
- Changed description of blog-plymouth in same manner as used by the release notes
-----------------------------------------
Patch: SUSE-2018-2947
Released: Mon Dec 17 08:51:28 2018
Summary: Security update for openldap2
Severity: moderate
References: 1073313,CVE-2017-17740
Description:
This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)
-----------------------------------------
Patch: SUSE-2018-3029
Released: Fri Dec 21 17:34:05 2018
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1117355
Description:
This update for libgcrypt provides the following fix:

- Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)
-----------------------------------------
Patch: SUSE-2018-3035
Released: Fri Dec 21 17:35:52 2018
Summary: Recommended update for lvm2
Severity: moderate
References: 1110872,1114113
Description:
This update for lvm2 provides the following fixes:

- Take back resource agents for clvmd and cmirror. (bsc#1110872)
- Prevent writing beyond metadata area. (bsc#1114113)
-----------------------------------------
Patch: SUSE-2018-3054
Released: Fri Dec 28 17:45:34 2018
Summary: Recommended update for hwinfo
Severity: moderate
References: 1018271,1084700,1107196
Description:
This update for hwinfo provides the following fixes:

- Add script to update PCI and USB IDs. (fate#326431)
- Adjust hwinfo to know about RISC-V.
- Update git2log script.
- Fix curl commands.
- Fix ID of S-Par storage controller. (bsc#1107196)
- Add network interfaces found on mdio bus. (bsc#1018271)
- The location of the S-Par drivers virtual buses has changed. (bsc#1107196)
- Ensure udev device links are unique. (bsc#1084700)
-----------------------------------------
Patch: SUSE-2019-43
Released: Tue Jan 8 13:07:17 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- quote: Escape literal backslashes (bsc#953659).
-----------------------------------------
Patch: SUSE-2019-101
Released: Tue Jan 15 18:02:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:

- Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01.
(bsc#1120402)
- Update 2018h:
  * Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  * New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  * Metlakatla, Alaska observes PST this winter only
  * Guess Morocco will continue to adjust clocks around Ramadan
  * Add predictions for Iran from 2038 through 2090
-----------------------------------------
Patch: SUSE-2019-111
Released: Thu Jan 17 14:18:31 2019
Summary: Security update for krb5
Severity: important
References: 1120489,CVE-2018-20217
Description:
This update for krb5 fixes the following issues:

Security issue fixed:

- CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)
-----------------------------------------
Patch: SUSE-2019-120
Released: Fri Jan 18 12:35:24 2019
Summary: Recommended update for yast2, yast2-firewall
Severity: important
References: 1093052,1121627
Description:
This update for yast2, yast2-firewall provides the following fixes:

Fixes in yast2:

- In case of only one installed Firewall it will be used by YaST. (bsc#1093052)

Fixes in yast2-firewall:

- Adjust package requirements to ensure firewall_chooser exists. (bsc#1121627)
-----------------------------------------
Patch: SUSE-2019-132
Released: Mon Jan 21 09:34:57 2019
Summary: Security update for openssh
Severity: important
References: 1121571,1121816,1121818,1121821,CVE-2018-20685,CVE-2019-6109,CVE-2019-6110,CVE-2019-6111
Description:
This update for openssh fixes the following issues:

Security issues fixed:

- CVE-2018-20685: Fixed an issue where scp client allows remote SSH servers to bypass intended access restrictions (bsc#1121571)
- CVE-2019-6109: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate terminal output via the object name, e.g. by inserting ANSI escape sequences (bsc#1121816)
- CVE-2019-6110: Fixed an issue where the scp client would allow malicious remote SSH servers to manipulate stderr output, e.g. by inserting ANSI escape sequences (bsc#1121818)
- CVE-2019-6111: Fixed an issue where the scp client would allow malicious remote SSH servers to execute directory traversal attacks and overwrite files (bsc#1121821)
-----------------------------------------
Patch: SUSE-2019-143
Released: Tue Jan 22 14:21:55 2019
Summary: Recommended update for ncurses
Severity: important
References: 1121450
Description:
This update for ncurses fixes the following issues:

- ncurses applications freezing (bsc#1121450)
-----------------------------------------
Patch: SUSE-2019-149
Released: Wed Jan 23 17:58:18 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1121446
Description:
This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
-----------------------------------------
Patch: SUSE-2019-159
Released: Thu Jan 24 13:54:09 2019
Summary: Recommended update for hwinfo
Severity: moderate
References: 1117982
Description:
This update for hwinfo provides the following fix:

- Adjust system type detection. (bsc#1117982)
-----------------------------------------
Patch: SUSE-2019-182
Released: Mon Jan 28 14:12:40 2019
Summary: Recommended update for kmod
Severity: moderate
References: 1118629
Description:
This update for kmod fixes the following issues:

- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option.
-----------------------------------------
Patch: SUSE-2019-212
Released: Thu Jan 31 13:05:47 2019
Summary: Recommended update for openssh
Severity: important
References: 1123028
Description:
This update for openssh fixes the following issues:

- A previously applied security patch unintentionally changed the behavior of OpenSSH's 'scp' utility such that server-side brace expansion would no longer be supported. Attempts to copy a set of files from a remote machine to the local one by running 'scp 'remote:{file-a,file-b}' /tmp' would fail. This change in behavior broke Corosync and, potentially, many user scripts that relied on brace expansion. [bsc#1123028]
-----------------------------------------
Patch: SUSE-2019-261
Released: Wed Feb 6 11:26:21 2019
Summary: Recommended update for pam-config
Severity: moderate
References: 1114835
Description:
This update for pam-config fixes the following issues:

- Adds support for more pam_cracklib options. (bsc#1114835)
-----------------------------------------
Patch: SUSE-2019-434
Released: Tue Feb 19 12:19:02 2019
Summary: Recommended update for libsemanage
Severity: moderate
References: 1115500
Description:
This update for libsemanage provides the following fix:

- Prevent an error message when reading module version if the directory does not exist. (bsc#1115500)
-----------------------------------------
Patch: SUSE-2019-440
Released: Tue Feb 19 18:52:51 2019
Summary: Recommended update for dmidecode
Severity: moderate
References: 1120149
Description:
This update for dmidecode fixes the following issues:

- Extensions to Memory Device (Type 17) (FATE#326831 bsc#1120149)
- Add 'Logical non-volatile device' to the memory device types (FATE#326831 bsc#1120149)
-----------------------------------------
Patch: SUSE-2019-450
Released: Wed Feb 20 16:42:38 2019
Summary: Security update for procps
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
Description:
This update for procps fixes the following security issues:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

(These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.)
Also the following non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)
-----------------------------------------
Patch: SUSE-2019-482
Released: Mon Feb 25 11:57:46 2019
Summary: Security update for python
Severity: important
References: 1073748,1109847,1122191,CVE-2018-14647,CVE-2019-5010
Description:
This update for python fixes the following issues:

Security issues fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191).
- CVE-2018-14647: Fixed a denial-of-service vulnerability in Expat (bsc#1109847).

Non-security issue fixed:

- Fixed a bug where PyWeakReference struct was not initialized correctly leading to a crash (bsc#1073748).
-----------------------------------------
Patch: SUSE-2019-514
Released: Thu Feb 28 15:39:05 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1112300
Description:
This update for apparmor fixes the following issues:

- Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)
-----------------------------------------
Patch: SUSE-2019-563
Released: Wed Mar 6 17:20:15 2019
Summary: Security update for audit
Severity: moderate
References: 1042781,1085003,1125535,941922,CVE-2015-5186
Description:
This update for audit fixes the following issues:

Audit on SUSE Linux Enterprise 12 SP4 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346)

  * Many features were added to auparse_normalize
  * cli option added to auditd and audispd for setting config dir
  * In auditd, restore the umask after creating a log file
  * Option added to auditd for skipping email verification

  The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog

- Change openldap dependency to client only (bsc#1085003)

Minor security issue fixed:

- CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)
-----------------------------------------
Patch: SUSE-2019-572
Released: Fri Mar 8 09:24:21 2019
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1117951,1127080,CVE-2019-1559
Description:
This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

- The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
- CVE-2019-1559: Fixed an OpenSSL 0-byte record padding oracle: under certain circumstances a TLS server can be forced to respond differently to a client, leading to the decryption of the data (bsc#1127080).
-----------------------------------------
Patch: SUSE-2019-662
Released: Wed Mar 20 14:53:15 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1123327,1123803
Description:
This update for lvm2 fixes the following issues:

- StartLimitInterval in wrong section (bsc#1123327, bsc#1123803)
-----------------------------------------
Patch: SUSE-2019-794
Released: Thu Mar 28 12:09:29 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1087481
Description:
This update for krb5 fixes the following issues:

- Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481).
-----------------------------------------
Patch: SUSE-2019-799
Released: Fri Mar 29 07:06:57 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:

timezone was updated to 2019a (bsc#1130557):

  * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
  * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
  * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
  * zic now has an -r option to limit the time range of output data
-----------------------------------------
Patch: SUSE-2019-838
Released: Tue Apr 2 09:52:06 2019
Summary: Security update for bash
Severity: important
References: 1130324,CVE-2019-9924
Description:
This update for bash fixes the following issues:

Security issue fixed:

- CVE-2019-9924: Fixed a vulnerability in which the shell did not prevent the user from modifying BASH_CMDS, allowing the user to execute any command with the permissions of the shell (bsc#1130324).
-----------------------------------------
Patch: SUSE-2019-839
Released: Tue Apr 2 13:13:21 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360).
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------
Patch: SUSE-2019-910
Released: Tue Apr 9 08:06:27 2019
Summary: Recommended update for python
Severity: low
References: 1129287
Description:
This update ships missing python-devel packages for the LTSS product lines.
-----------------------------------------
Patch: SUSE-2019-913
Released: Tue Apr 9 11:19:07 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1119687,1131576,CVE-2018-20346,CVE-2018-20506
Description:
This update for sqlite3 fixes the following issues:

Security issues fixed:

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
- CVE-2018-20506: Fixed an integer overflow when FTS3 extension is enabled (bsc#1131576).
-----------------------------------------
Patch: SUSE-2019-956
Released: Tue Apr 16 13:07:38 2019
Summary: Security update for wget
Severity: important
References: 1131493,CVE-2019-5953
Description:
This update for wget fixes the following issues:

Security issue fixed:

- CVE-2019-5953: Fixed a buffer overflow vulnerability which might cause code execution (bsc#1131493).
-----------------------------------------
Patch: SUSE-2019-1102
Released: Tue Apr 30 12:07:42 2019
Summary: Security update for glibc
Severity: moderate
References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994,CVE-2009-5155,CVE-2016-10739,CVE-2019-9169
Description:
This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: regex: fix read overrun (bsc#1127308, BZ #24114)
- CVE-2016-10739: Fully parse IPv4 address strings (bsc#1122729, BZ #20018)
- CVE-2009-5155: ERE '0|()0|\1|0' causes regexec undefined behavior (bsc#1127223, BZ #18986)

Non-security issues fixed:

- Enable TLE only if GLIBC_ELISION_ENABLE=yes is defined (bsc#1131994, fate#322271)
- Add more checks for valid ld.so.cache file (bsc#1110661, BZ #18093)
- Added cfi information for start routines in order to stop unwinding (bsc#1128574)
- ja_JP locale: Add entry for the new Japanese era (bsc#1100396, fate#325570, BZ #22964)
-----------------------------------------
Patch: SUSE-2019-1131
Released: Thu May 2 15:39:59 2019
Summary: Recommended update for libidn
Severity: moderate
References: 1092034
Description:
This update for libidn fixes the following issues:

- Now obsoletes the libidn 32-bit package (bsc#1092034)
-----------------------------------------
Patch: SUSE-2019-1208
Released: Fri May 10 14:03:54 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1085790,1132045,CVE-2017-10989,CVE-2018-8740
Description:
This update for sqlite3 fixes the following issues:

Security issues fixed:

- CVE-2018-8740: Fixed a NULL pointer dereference related to corrupted database schemas (bsc#1085790).
- CVE-2017-10989: Fixed a heap-based buffer over-read in getNodeSize() (bsc#1132045).
-----------------------------------------
Patch: SUSE-2019-1259
Released: Wed May 15 14:06:20 2019
Summary: Recommended update for sysvinit
Severity: moderate
References: 1131982
Description:
This update for sysvinit fixes the following issues:

- Handle various optional fields of /proc//mountinfo on the entry/ies before the hyphen (bsc#1131982)
-----------------------------------------
Patch: SUSE-2019-1354
Released: Fri May 24 19:04:57 2019
Summary: Security update for screen
Severity: moderate
References: 1130831,944458,CVE-2015-6806
Description:
This update for screen fixes the following issues:

Security issue fixed:

- CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).

Non-security issue fixed:

- Fixed segmentation faults related to altscreen and resizing screen (bsc#1130831).
-----------------------------------------
Patch: SUSE-2019-1379
Released: Wed May 29 15:07:04 2019
Summary: Security update for libtasn1
Severity: moderate
References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654
Description:
This update for libtasn1 fixes the following issues:

Security issues fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
- CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).
-----------------------------------------
Patch: SUSE-2019-1431
Released: Wed Jun 5 16:50:13 2019
Summary: Recommended update for xz
Severity: moderate
References: 1135709
Description: This update for xz only updates the license:
- Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are under a public domain license (bsc#1135709)
-----------------------------------------
Patch: SUSE-2019-1439
Released: Thu Jun 6 17:50:33 2019
Summary: Security update for python
Severity: important
References: 1129346,1130847,CVE-2019-9636,CVE-2019-9948
Description: This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-9948: Fixed a 'file:' blacklist bypass in URIs by using the 'local-file:' scheme instead (bsc#1130847).
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
-----------------------------------------
Patch: SUSE-2019-1456
Released: Tue Jun 11 10:08:27 2019
Summary: Security update for vim
Severity: important
References: 1137443,CVE-2019-12735
Description: This update for vim fixes the following issue:
Security issue fixed:
- CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).
-----------------------------------------
Patch: SUSE-2019-1475
Released: Wed Jun 12 14:46:33 2019
Summary: Recommended update for permissions
Severity: moderate
References: 1110797
Description: This update for permissions fixes the following issues:
- Updated permissions for amanda (bsc#1110797)
-----------------------------------------
Patch: SUSE-2019-1516
Released: Mon Jun 17 11:04:15 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1128383
Description: This update for e2fsprogs fixes the following issues:
- e2fsck: Check and fix tails of all bitmap blocks. (bsc#1128383)
-----------------------------------------
Patch: SUSE-2019-1524
Released: Mon Jun 17 17:30:16 2019
Summary: Security update for openssh
Severity: moderate
References: 1065237,1090671,1119183,1121816,1121821,1131709,CVE-2019-6109,CVE-2019-6111
Description: This update for openssh fixes the following issues:
Security vulnerabilities addressed:
- CVE-2019-6109: Fixed a character encoding issue in the progress display of the scp client that could be used to manipulate client output, allowing for spoofing during file transfers (bsc#1121816).
- CVE-2019-6111: Properly validate object names received by the scp client to prevent arbitrary file overwrites when interacting with a malicious SSH server (bsc#1121821).
Other issues fixed:
- Fixed two race conditions in sshd relating to SIGHUP (bsc#1119183).
- Returned proper reason for port forwarding failures (bsc#1090671).
- Fixed a double free() in the KDF CAVS testing tool (bsc#1065237).
-----------------------------------------
Patch: SUSE-2019-1543
Released: Tue Jun 18 10:54:33 2019
Summary: Recommended update for systemd-presets-branding-SLE
Severity: moderate
References: 1128428
Description: This update for systemd-presets-branding-SLE fixes the following issues:
- Enabling nvmefc-boot-connections.service to discover network-provided nvme drives on boot (bsc#1128428)
-----------------------------------------
Patch: SUSE-2019-1556
Released: Wed Jun 19 08:53:31 2019
Summary: Recommended update for yast2-add-on
Severity: moderate
References: 1055126
Description: This update for yast2-add-on provides the following fixes:
- The update repository will be registered while installing an add-on on a running system. (bsc#1055126)
-----------------------------------------
Patch: SUSE-2019-1589
Released: Thu Jun 20 19:49:46 2019
Summary: Recommended update for permissions
Severity: moderate
References: 1128598
Description: This update for permissions fixes the following issues:
- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)
-----------------------------------------
Patch: SUSE-2019-1601
Released: Fri Jun 21 10:21:39 2019
Summary: Security update for sqlite3
Severity: important
References: 1136976,CVE-2019-8457
Description: This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-8457: Fixed a heap out-of-bounds read in rtreenode() when handling invalid rtree tables (bsc#1136976).
-----------------------------------------
Patch: SUSE-2019-1623
Released: Fri Jun 21 11:13:05 2019
Summary: Recommended update for yast2
Severity: moderate
References: 1128032
Description: This update for yast2 fixes the following issues:
- Stop 'ls: write error: Broken pipe' messages. (bsc#1128032)
-----------------------------------------
Patch: SUSE-2019-1716
Released: Thu Jun 27 13:15:38 2019
Summary: Security update for glibc
Severity: moderate
References: 1117993,1132678,941234,CVE-2015-5180
Description: This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2015-5180: Fixed a NULL pointer dereference with internal QTYPE (bsc#941234).
Feature work:
- IBM zSeries arch13 hardware support in glibc added (fate#327072, bsc#1132678)
Other issue addressed:
- Fixed a concurrency issue with ldconfig (bsc#1117993).
-----------------------------------------
Patch: SUSE-2019-1733
Released: Wed Jul 3 13:54:39 2019
Summary: Security update for elfutils
Severity: low
References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665
Description: This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
- CVE-2016-10254: Fixed a memory allocation failure in allocate_elf (bsc#1030472).
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
- CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
- CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685).
- CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
- CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090).
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
- CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
- CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726).
-----------------------------------------
Patch: SUSE-2019-1818
Released: Thu Jul 11 07:48:39 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1135262,1140016
Description: This update for timezone fixes the following issues:
- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.
-----------------------------------------
Patch: SUSE-2019-1834
Released: Fri Jul 12 17:55:14 2019
Summary: Security update for expat
Severity: moderate
References: 1139937,CVE-2018-20843
Description: This update for expat fixes the following issues:
Security issue fixed:
- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large number of colons (bsc#1139937).
-----------------------------------------
Patch: SUSE-2019-1844
Released: Mon Jul 15 07:13:09 2019
Summary: Recommended update for pam
Severity: low
References: 1116544
Description: This update for pam fixes the following issues:
- Restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)
-----------------------------------------
Patch: SUSE-2019-1896
Released: Thu Jul 18 16:26:45 2019
Summary: Security update for libxml2
Severity: moderate
References: 1010675,1110146,1126613,CVE-2016-9318
Description: This update for libxml2 fixes the following issues:
Issue fixed:
- Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given, and which also caused docbook-xsl-stylesheets to have an incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).
-----------------------------------------
Patch: SUSE-2019-1904
Released: Fri Jul 19 12:47:59 2019
Summary: Recommended update for openssh
Severity: important
References: 1138936
Description: This update for openssh fixes the following issues:
- Fix a regression in utf-8 handling that could cause crashes of scp (bsc#1138936).
-----------------------------------------
Patch: SUSE-2019-1915
Released: Mon Jul 22 08:43:49 2019
Summary: Recommended update for openslp
Severity: moderate
References: 1117969,1136136
Description: This update for openslp fixes the following issues:
- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136)
-----------------------------------------
Patch: SUSE-2019-1955
Released: Tue Jul 23 11:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,985657,CVE-2016-3189,CVE-2019-12900
Description: This update for bzip2 fixes the following issues:
Security issues fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------
Patch: SUSE-2019-1972
Released: Thu Jul 25 15:00:03 2019
Summary: Security update for libsolv, libzypp, zypper
Severity: moderate
References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
Description: This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36, which fixes the following issues:
Security issues fixed:
- CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
- CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
- CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).
Non-security issues fixed:
- Made cleandeps jobs on patterns work (bsc#1137977).
- Fixed an issue with multiversion packages that obsolete their own name (bsc#1127155).
- Keep consistent package name if there are multiple alternatives (bsc#1131823).
libzypp received the following fixes:
- Fixes a bug where locking the kernel was not possible (bsc#1113296)
zypper received the following fixes:
- Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
- Improved the displaying of locks (bsc#1112911)
- Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
- zypper will now always warn when no repositories are defined (bsc#1109893)
-----------------------------------------
Patch: SUSE-2019-2013
Released: Mon Jul 29 15:42:41 2019
Summary: Security update for bzip2
Severity: important
References: 1139083,CVE-2019-12900
Description: This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------
Patch: SUSE-2019-2091
Released: Thu Aug 8 13:25:31 2019
Summary: Security update for python
Severity: important
References: 1138459,1141853,CVE-2018-20852,CVE-2019-10160
Description: This update for python fixes the following issues:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).
-----------------------------------------
Patch: SUSE-2019-2120
Released: Wed Aug 14 11:17:39 2019
Summary: Recommended update for pam
Severity: moderate
References: 1136298,SLE-7257
Description: This update for pam fixes the following issues:
- Enable pam_userdb.so (SLE-7257,bsc#1136298)
- Upgraded pam_userdb to 1.3.1. (bsc#1136298)
-----------------------------------------
Patch: SUSE-2019-2240
Released: Wed Aug 28 14:57:51 2019
Summary: Recommended update for ca-certificates-mozilla
Severity: moderate
References: 1144169
Description: This update for ca-certificates-mozilla fixes the following issues:
- Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)
- Removed Root CAs:
  - Certinomis - Root CA
- Added root CAs from the 2.32 version:
  - emSign ECC Root CA - C3 (email and server auth)
  - emSign ECC Root CA - G3 (email and server auth)
  - emSign Root CA - C1 (email and server auth)
  - emSign Root CA - G1 (email and server auth)
  - Hongkong Post Root CA 3 (server auth)
-----------------------------------------
Patch: SUSE-2019-2264
Released: Mon Sep 2 09:07:12 2019
Summary: Security update for perl
Severity: important
References: 1114674,CVE-2018-18311
Description: This update for perl fixes the following issues:
Security issue fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
-----------------------------------------
Patch: SUSE-2019-2355
Released: Wed Sep 11 13:18:25 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1122666,1135984,1137296,1145232
Description: This update for lvm2 fixes the following issues:
- Fixes an issue where the 'unknown feature in status' message was wrongly shown (bsc#1135984)
- Fixes an issue with the usage of device aliases with lvmetad (bsc#1137296)
- Fixes an issue with SD card readers where the error 'open failed: No medium found' was shown (bsc#1122666)
-----------------------------------------
Patch: SUSE-2019-2372
Released: Thu Sep 12 14:01:27 2019
Summary: Recommended update for krb5
Severity: moderate
References: 1139942,1140914,SLE-7081
Description: This update for krb5 fixes the following issues:
- Fix missing responder if there is no pre-auth; (bsc#1139942)
- Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081)
- Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081)
-----------------------------------------
Patch: SUSE-2019-2390
Released: Tue Sep 17 15:46:02 2019
Summary: Security update for openldap2
Severity: moderate
References: 1143194,1143273,CVE-2019-13057,CVE-2019-13565
Description: This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
- CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).
-----------------------------------------
Patch: SUSE-2019-2440
Released: Mon Sep 23 17:15:13 2019
Summary: Security update for expat
Severity: moderate
References: 1149429,CVE-2019-15903
Description: This update for expat fixes the following issues:
Security issue fixed:
- CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)
-----------------------------------------
Patch: SUSE-2019-2456
Released: Wed Sep 25 08:36:31 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1145231
Description: This update for lvm2 fixes the following issues:
- MD devices will now get detected by LVM2 with metadata=1.0/0.9 (bsc#1145231)
-----------------------------------------
Patch: SUSE-2019-2480
Released: Fri Sep 27 13:12:08 2019
Summary: Security update for gpg2
Severity: moderate
References: 1124847,1141093,CVE-2019-13050
Description: This update for gpg2 fixes the following issues:
Security issue fixed:
- CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)
Non-security issue fixed:
- Allow coredumps in X11 desktop sessions (bsc#1124847).
-----------------------------------------
Patch: SUSE-2019-2504
Released: Tue Oct 1 13:07:07 2019
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1131291,1150003,1150250,CVE-2019-1547,CVE-2019-1563
Description: This update for openssl-1_0_0 fixes the following issues:
OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)
In addition, fixed invalid curve attacks by validating that an EC point lies on the curve (bsc#1131291).
-----------------------------------------
Patch: SUSE-2019-2510
Released: Tue Oct 1 17:37:12 2019
Summary: Security update for libgcrypt
Severity: moderate
References: 1148987,CVE-2019-13627
Description: This update for libgcrypt fixes the following issues:
Security issue fixed:
- CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)
-----------------------------------------
Patch: SUSE-2019-2536
Released: Thu Oct 3 15:03:14 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1150137,CVE-2019-16168
Description: This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of the sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------
Patch: SUSE-2019-2551
Released: Fri Oct 4 13:19:48 2019
Summary: Recommended update for lvm2
Severity: important
References: 1152530
Description: This update for lvm2 fixes the following issues:
- Remedy a regression that could cause serious performance degradation when lvm2 operated in a chroot environment. [bsc#1152530]
-----------------------------------------
Patch: SUSE-2019-2677
Released: Tue Oct 15 21:07:14 2019
Summary: Recommended update for e2fsprogs
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
Description: This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)
-----------------------------------------
Patch: SUSE-2019-2740
Released: Tue Oct 22 15:34:30 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description: This update for timezone fixes the following issues:
- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.
-----------------------------------------
Patch: SUSE-2019-2761
Released: Thu Oct 24 07:08:33 2019
Summary: Recommended update for pciutils-ids
Severity: moderate
References: 1149149
Description: This update for pciutils-ids fixes the following issues:
- Updates the list of devices so that more devices will get identified (bsc#1149149)
-----------------------------------------
Patch: SUSE-2019-2818
Released: Tue Oct 29 17:22:01 2019
Summary: Recommended update for zypper and libzypp
Severity: important
References: 1049825,1116995,1140039,1145521,1146415,1153557
Description: This update for zypper and libzypp fixes the following issues:
Package: zypper
- Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
- Rephrased the file conflicts check summary (bsc#1140039)
- Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)
Package: libzypp
- Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define the systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes a file descriptor leak in the media backend (bsc#1116995)
-----------------------------------------
Patch: SUSE-2019-2748
Released: Mon Nov 4 15:43:07 2019
Summary: Security update for python
Severity: moderate
References: 1149955,1153238,CVE-2019-16056,CVE-2019-16935
Description: This update for python fixes the following issues:
Security issues fixed:
- CVE-2019-16056: Fixed a parser issue in the email module (bsc#1149955).
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).
-----------------------------------------
Patch: SUSE-2019-2887
Released: Mon Nov 4 17:31:49 2019
Summary: Recommended update for apparmor
Severity: moderate
References: 1139870
Description: This update for apparmor provides the following fix:
- Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. (bsc#1139870)
-----------------------------------------
Patch: SUSE-2019-2941
Released: Tue Nov 12 10:03:32 2019
Summary: Security update for libseccomp
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893
Description: This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:
* Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.
Updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
* Update the syscall table for Linux v5.0-rc5
* Added support for the SCMP_ACT_KILL_PROCESS action
* Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
* Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
* Added support for the parisc and parisc64 architectures
* Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
* Return -EDOM on an endian mismatch when adding an architecture to a filter
* Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
* Fix PFC generation when a syscall is prioritized, but no rule exists
* Numerous fixes to the seccomp-bpf filter generation code
* Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
* Numerous tests added to the included test suite, coverage now at ~92%
* Update our Travis CI configuration to use Ubuntu 16.04
* Numerous documentation fixes and updates
Update to release 2.3.3:
* Updated the syscall table for Linux v4.15-rc7
Update to release 2.3.2:
* Achieved full compliance with the CII Best Practices program
* Added Travis CI builds to the GitHub repository
* Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository
* Updated the syscall tables to match Linux v4.10-rc6+
* Support for building with Python v3.x
* Allow rules with the -1 syscall if the SCMP_FLTATR_API_TSKIP attribute is set to true
* Several small documentation fixes
- Ignore make check error for ppc64/ppc64le, bypass bsc#1142614
-----------------------------------------
Patch: SUSE-2019-2967
Released: Wed Nov 13 14:18:47 2019
Summary: Recommended update for lvm2
Severity: moderate
References: 1145231,1151295
Description: This update for lvm2 fixes the following issues:
- Declares the 'dir' configuration property in lvm.conf as 'advanced' to make it clear that this option could cause harm if it is not edited carefully (bsc#1151295)
- Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231)
-----------------------------------------
Patch: SUSE-2019-3003
Released: Tue Nov 19 10:12:33 2019
Summary: Recommended update for procps
Severity: moderate
References: 1153386,SLE-10396
Description: This update for procps provides the following fixes:
- Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
- Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)
-----------------------------------------
Patch: SUSE-2019-3006
Released: Tue Nov 19 10:14:11 2019
Summary: Recommended update for openssh
Severity: moderate
References: 1139089,1150574
Description: This update for openssh contains the following fixes:
- Allow 'ssh-keygen -A' on startup only if SSHD_AUTO_KEYGEN='yes' in /etc/sysconfig/ssh. (bsc#1139089)
- Attempt to preserve the permissions of any existing known_hosts file when modified by ssh-keygen (for instance, with -R). (bsc#1139089)
-----------------------------------------
Patch: SUSE-2019-3050
Released: Mon Nov 25 17:26:54 2019
Summary: Security update for sqlite3
Severity: important
References: 1155787,CVE-2017-2518
Description: This update for sqlite3 fixes the following issues:
- CVE-2017-2518: Fixed a use-after-free vulnerability which could have led to a buffer overflow via a crafted SQL statement (bsc#1155787).
-----------------------------------------
Patch: SUSE-2019-3064
Released: Mon Nov 25 18:44:36 2019
Summary: Security update for cpio
Severity: moderate
References: 1155199,CVE-2019-14866
Description: This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).
-----------------------------------------
Patch: SUSE-2019-3085
Released: Thu Nov 28 10:01:53 2019
Summary: Security update for libxml2
Severity: low
References: 1123919
Description: This update for libxml2 doesn't fix any additional security issues, but corrects the rpm changelog to reflect all CVEs that have been fixed in the past.
-----------------------------------------
Patch: SUSE-2019-3094
Released: Thu Nov 28 16:47:52 2019
Summary: Security update for ncurses
Severity: moderate
References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595
Description: This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2018-10754: Fixed a denial of service caused by a NULL pointer dereference in _nc_parse_entry() (bsc#1131830).
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c (bsc#1154037).
Bug fixes:
- Fixed ppc64le build configuration (bsc#1134550).
-----------------------------------------
Patch: SUSE-2019-3132
Released: Tue Dec 3 10:52:14 2019
Summary: Recommended update for update-alternatives
Severity: moderate
References: 1154043
Description: This update for update-alternatives fixes the following issues:
- Fix post install scripts: test if there is an actual file before calling update-alternatives. (bsc#1154043)
-----------------------------------------
Patch: SUSE-2019-3183
Released: Thu Dec 5 11:43:25 2019
Summary: Security update for permissions
Severity: moderate
References: 1047247,1093414,1097665,1150734,1157198,CVE-2019-3688,CVE-2019-3690
Description: This update for permissions fixes the following issues:
Security issues fixed:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
Other issues addressed:
- Corrected a badly constructed file which could have allowed the shell environment to be treated as permissions files (bsc#1097665,bsc#1047247).
- Fixed a regression which caused a segmentation fault (bsc#1157198).
-----------------------------------------
Patch: SUSE-2019-3307
Released: Mon Dec 16 14:51:03 2019
Summary: Security update for libssh
Severity: important
References: 1158095,CVE-2019-14889
Description: This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------
Patch: SUSE-2019-3312
Released: Mon Dec 16 15:46:23 2019
Summary: Recommended update for dracut
Severity: moderate
References: 1154043
Description: This update for dracut fixes the following issues:
- Suppress error in '%post' when 'vconsole.conf' is not present. (bsc#1154043)
-----------------------------------------
Patch: SUSE-2019-3333
Released: Wed Dec 18 14:15:07 2019
Summary: Recommended update for yast2-packager
Severity: moderate
References: 1152482
Description: This update for yast2-packager fixes the following issues:
- Aligned the language of the license text shown with the selected language. (bsc#1152482)
-----------------------------------------
Patch: SUSE-2019-3342
Released: Thu Dec 19 11:04:35 2019
Summary: Recommended update for elfutils
Severity: moderate
References: 1151577
Description: This update for elfutils fixes the following issues:
- Add require of 'libebl1' for 'libelf1'. (bsc#1151577)
-----------------------------------------
Patch: SUSE-2019-3364
Released: Thu Dec 19 19:20:52 2019
Summary: Recommended update for ncurses
Severity: moderate
References: 1158586,1159162
Description: This update for ncurses fixes the following issues:
- Work around a bug of old upstream gen-pkgconfig (bsc#1159162)
- Remove doubled library path options (bsc#1159162)
- Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
- Fix last change, that is add missed library linker paths as well as missed include directories for non-standard paths (bsc#1158586, bsc#1159162)
- Do not mix include directories of different ncurses ABI (bsc#1158586)
-----------------------------------------
Patch: SUSE-2020-28
Released: Tue Jan 7 15:10:53 2020
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1158809,CVE-2019-1551
Description: This update for openssl-1_0_0 fixes the following issues:
Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).
----------------------------------------- Patch: SUSE-2020-79 Released: Mon Jan 13 10:37:34 2020 Summary: Security update for libzypp Severity: moderate References: 1158763,CVE-2019-18900 Description: This update for libzypp fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). ----------------------------------------- Patch: SUSE-2020-102 Released: Tue Jan 14 16:25:22 2020 Summary: Security update for man Severity: moderate References: 1159105 Description: This update for man fixes the following issues: - Skip using 'safe-rm' in cron job below cache directory (bsc#1159105). ----------------------------------------- Patch: SUSE-2020-106 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Severity: important References: 1155338,1155339 Description: This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) ----------------------------------------- Patch: SUSE-2020-131 Released: Mon Jan 20 09:21:41 2020 Summary: Security update for libssh Severity: important References: 1158095,CVE-2019-14889 Description: This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------- Patch: SUSE-2020-141 Released: Mon Jan 20 11:47:57 2020 Summary: Recommended update for autoyast2 Severity: moderate References: 1155576,1156567,1156905,1159157 Description: This update for autoyast2 fixes the following issues: - Warn the user if no partition has been found due the given 'skip_list' list. (bsc#1155576) - Add YaST-AutoInstSchema 'firstboot.rnc' to the desktop file to avoid error on profile validation during checking autoyast custom scripts. 
(bsc#1156905) - Consider extended partitions when trying to figure out whether the partitioning layout described in the profile fits. (bsc#1156567). - Report XML parsing errors instead of just crashing. (bsc#1159157) ----------------------------------------- Patch: SUSE-2020-308 Released: Mon Feb 3 17:21:38 2020 Summary: Recommended update for lvm2 Severity: moderate References: 1150021,1155668 Description: This update for lvm2 fixes the following issues: - Fix LVM Metadata Error: Error writing device at 4096 length 512 (bsc#1150021). - Fix seeing a 90 Second delay on shutdown and reboot (bsc#1155668). ----------------------------------------- Patch: SUSE-2020-313 Released: Tue Feb 4 13:13:43 2020 Summary: Recommended update for yast2-pkg-bindings Severity: moderate References: 1132650,1157202,1158247,1159120 Description: This update for yast2-pkg-bindings fixes the following issues: - There was an issue on 1 GB RAM systems, where the installer freezed during system role selection (bsc#1132650) - Fixes an issue with displayed product names (bsc#1157202) ----------------------------------------- Patch: SUSE-2020-345 Released: Thu Feb 6 13:08:40 2020 Summary: Recommended update for suse-module-tools Severity: moderate References: 1132798,1142152 Description: This update for suse-module-tools fixes the following issues: Update to version 12.10: - Fix papr_scm dependency. (bsc#1142152, ltc#176292, FATE#327775) Update to version 12.9: - Add modprobe.conf.s390x. (bsc#1132798) Update to version 12.8: - Add dependency of 'papr_scm' on 'libnvdimm' in the initrd image. (bsc#1142152, ltc#176292, FATE#327775) - Load 'fbcon' module together with 'virtio_gpu' on s390. 
(bsc#1132798) ----------------------------------------- Patch: SUSE-2020-351 Released: Thu Feb 6 15:25:45 2020 Summary: Security update for wicked Severity: important References: 1142214,1160903,1160904,1160905,1160906,CVE-2019-18902,CVE-2019-18903,CVE-2020-7216,CVE-2020-7217 Description: This update for wicked fixes the following issues: Security issues fixed: - CVE-2019-18902: Fixed a use-after-free when receiving invalid DHCP6 client options (bsc#1160903). - CVE-2019-18903: Fixed a use-after-free when receiving an invalid DHCP6 IA_PD option (bsc#1160904). - CVE-2020-7216: Fixed a potential denial of service via a memory leak when processing DHCP4 packets with a missing message type option (bsc#1160905). - CVE-2020-7217: Fixed a memory leak in the DHCP4 fsm when processing packets for other client ids (bsc#1160906). Non-security issue fixed: - dhcp4: Fixed an intermittent hang during network setup by cleaning up the defer timer pointer (bsc#1142214). ----------------------------------------- Patch: SUSE-2020-353 Released: Thu Feb 6 17:34:41 2020 Summary: Security update for systemd Severity: important References: 1106383,1127557,1133495,1139459,1140631,1150595,1151377,1151506,1154043,1154948,1155574,1156482,1159814,1162108,CVE-2020-1712 Description: This update for systemd provides the following fixes: - CVE-2020-1712 (bsc#1162108): Fix a heap use-after-free vulnerability when asynchronous Polkit queries were performed while handling D-Bus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges by sending specially crafted D-Bus messages. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948) - Fix warnings thrown during package installation (bsc#1154043) - Fix systemctl hanging on restart.
(bsc#1139459) - man: mention that alias names are only effective after 'systemctl enable'. (bsc#1151377) - ask-password: improve log message when inotify limit is reached. (bsc#1155574) - udevd: wait for workers to finish when exiting. (bsc#1106383) - core: fragments of masked units ought not be considered for NeedDaemonReload. (bsc#1156482) - udev: fix 'NULL' deref when executing rules. (bsc#1151506) - Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814) ----------------------------------------- Patch: SUSE-2020-360 Released: Fri Feb 7 10:44:17 2020 Summary: Security update for e2fsprogs Severity: moderate References: 1160571,CVE-2019-5188 Description: This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------- Patch: SUSE-2020-382 Released: Fri Feb 14 12:03:57 2020 Summary: Recommended update for lvm2 Severity: important References: 1163526 Description: This update for lvm2 fixes the following issues: - Revert MD devices detection patches which caused a regression, where some volume groups couldn't be activated (bsc#1163526) ----------------------------------------- Patch: SUSE-2020-404 Released: Wed Feb 19 09:05:47 2020 Summary: Recommended update for p11-kit Severity: moderate References: 1154871 Description: This update for p11-kit fixes the following issues: - Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. 
(bsc#1154871) ----------------------------------------- Patch: SUSE-2020-409 Released: Wed Feb 19 09:33:27 2020 Summary: Security update for sudo Severity: important References: 1162202,1162675,CVE-2019-18634 Description: This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). ----------------------------------------- Patch: SUSE-2020-561 Released: Mon Mar 2 17:24:59 2020 Summary: Recommended update for elfutils Severity: moderate References: 1110929,1157578 Description: This update for elfutils fixes the following issues: - Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578) - Fix for '.ko' file corruption in debug info. 
(bsc#1110929) ----------------------------------------- Patch: SUSE-2020-571 Released: Tue Mar 3 13:23:35 2020 Summary: Recommended update for cyrus-sasl Severity: moderate References: 1162518 Description: This update for cyrus-sasl fixes the following issues: - Fixed GSS-SPNEGO to use the flags negotiated by GSSAPI for SSF (bsc#1162518) - Added support for retrieving the negotiated SSF in the gssapi plugin (bsc#1162518) ----------------------------------------- Patch: SUSE-2020-596 Released: Thu Mar 5 15:23:51 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160 Description: This update for ca-certificates-mozilla fixes the following issues: The following non-security bugs were fixed: Updated to the 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email Added certificates: - Entrust Root Certification Authority - G4 - Export correct p11-kit trust attributes so Firefox detects built-in certificates (bsc#1154871). - Updated to the 2.24 state of the Mozilla NSS Certificate store (bsc#1100415). - Use %license instead of %doc (bsc#1082318). - Updated to the 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996). ----------------------------------------- Patch: SUSE-2020-603 Released: Fri Mar 6 11:00:57 2020 Summary: Recommended update for permissions Severity: moderate References: 1123886,1160594,1160764,1161779,1163922,CVE-2020-8013 Description: This update for permissions fixes the following issues: - CVE-2020-8013: Fixed an improper check which could have allowed the setting of unintended setuid bits (bsc#1163922). - Fixed handling of relative directory symlinks in chkstat. - Whitelisted postgres sticky directories (bsc#1123886).
- Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594) - Fixed capability handling when doing multiple permission changes at once (bsc#1161779) ----------------------------------------- Patch: SUSE-2020-638 Released: Wed Mar 11 12:20:45 2020 Summary: Recommended update for autoyast2 Severity: moderate References: 1164105 Description: This update for autoyast2 fixes the following issue: - Wait for a working network before starting the AutoYaST init scripts. (bsc#1164105) This avoids starting the network-related AutoYaST init scripts before a working network is available. ----------------------------------------- Patch: SUSE-2020-652 Released: Thu Mar 12 09:53:23 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1165915,1165919,1166301 Description: This update for ca-certificates-mozilla fixes the following issues: This reverts a previous change to the generated PEM structure, as it requires the p11-kit tools update to be installed first, which cannot always be ensured. (bsc#1166301 bsc#1165915 bsc#1165919) ----------------------------------------- Patch: SUSE-2020-663 Released: Thu Mar 12 17:31:31 2020 Summary: Recommended update for suse-build-key Severity: moderate References: 1166334 Description: This update for suse-build-key fixes the following issues: - Created a new security_at_suse.de key for email communication (bsc#1166334) ----------------------------------------- Patch: SUSE-2020-664 Released: Thu Mar 12 22:50:57 2020 Summary: Recommended update for wicked Severity: important References: 1165180 Description: This update for wicked fixes the following issues: - Fix the libwicked package using an old/wrong pattern for libzypp.
(bsc#1165180) ----------------------------------------- Patch: SUSE-2020-691 Released: Fri Mar 13 17:09:52 2020 Summary: Recommended update for dracut Severity: moderate References: 1160318,1164076 Description: This update for dracut fixes the following issues: - 01fips: Handle loading SHA1 kernel modules on machines without AVX (bsc#1160318) - 01fips: Use the correct kernel image name for more platforms (bsc#1164076) ----------------------------------------- Patch: SUSE-2020-786 Released: Wed Mar 25 06:47:18 2020 Summary: Recommended update for p11-kit Severity: moderate References: 1165915,1165919 Description: This update for p11-kit fixes the following issues: - Tag this version with a 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' Provides so that dependent packages can pull it in. (bsc#1165915 bsc#1165919) ----------------------------------------- Patch: SUSE-2020-822 Released: Tue Mar 31 13:06:24 2020 Summary: Recommended update for pam Severity: moderate References: 1166510 Description: This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------- Patch: SUSE-2020-832 Released: Tue Mar 31 16:15:59 2020 Summary: Security update for glibc Severity: important References: 1149332,1157893,1158996,1165784,1167631,CVE-2020-10029,CVE-2020-1751,CVE-2020-1752 Description: This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use-after-free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). - CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784). - Use 'posix_spawn' in popen, preventing a crash caused by 'subprocess'.
(bsc#1149332, BZ #22834) - Fix handling of needles crossing a page boundary, preventing incorrect results from being returned when the search spans two pages. (bsc#1157893, BZ #25226) ----------------------------------------- Patch: SUSE-2020-915 Released: Fri Apr 3 13:15:11 2020 Summary: Recommended update for openldap2 Severity: moderate References: 1168195 Description: This update for openldap2 fixes the following issue: - The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195) ----------------------------------------- Patch: SUSE-2020-952 Released: Wed Apr 8 09:39:33 2020 Summary: Recommended update for cryptsetup Severity: moderate References: 1165580 Description: This update for cryptsetup fixes the following issues: - Update from version 2.0.5 to version 2.0.6 (jsc#SLE-5911, bsc#1165580): * Fix support for larger metadata areas in the LUKS2 header. This release properly supports all specified metadata area sizes, as documented in the LUKS2 format description (see docs/on-disk-format-luks2.pdf in the archive). Currently only the default metadata area size is used (in format or convert); later cryptsetup versions will allow increasing it. * If AEAD (authenticated encryption) is used, cryptsetup now tries to check whether the requested AEAD algorithm with the specified key size is available in the kernel crypto API. This avoids formatting a device that cannot be activated later. For this check the kernel must be compiled with the CONFIG_CRYPTO_USER_API_AEAD option enabled. Note that the kernel user crypto API options (CONFIG_CRYPTO_USER_API and CONFIG_CRYPTO_USER_API_SKCIPHER) are already mandatory for LUKS2. * Fix setting of the integrity no-journal flag. This flag can now be stored in the metadata using the --persistent option. * Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during the initial password prompt.
* Add an early check to the plain and LUKS2 formats that refuses to format a device whose size is not aligned to the requested sector size. Previously this was allowed, and the kernel later refused to activate the device. * Check the availability of the PBKDF hash algorithm early. Previously LUKS2 format accepted a non-existent hash algorithm, producing an invalid keyslot that prevented the device from activating. * Allow the Adiantum cipher construction (a non-authenticated, length-preserving, fast encryption scheme), so it can be used both for data encryption and keyslot encryption in LUKS1/2 devices. For benchmark, use: # cryptsetup benchmark -c xchacha12,aes-adiantum # cryptsetup benchmark -c xchacha20,aes-adiantum For LUKS format: # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 Support for Adiantum was merged in Linux kernel 4.21 (released as 5.0). For more info see the paper https://eprint.iacr.org/2018/720. ----------------------------------------- Patch: SUSE-2020-964 Released: Wed Apr 8 16:23:38 2020 Summary: Recommended update for e2fsprogs Severity: moderate References: 1160979 Description: This update for e2fsprogs fixes the following issues: - e2fsck: clarify the overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add a test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing the dir_index feature (bsc#1160979) ----------------------------------------- Patch: SUSE-2020-968 Released: Thu Apr 9 11:42:14 2020 Summary: Security update for libssh Severity: moderate References: 1168699,CVE-2020-1730 Description: This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
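Returning to the sudo update above (SUSE-2020-409): CVE-2019-18634 is only reachable when the 'pwfeedback' option is enabled in sudoers, so the practical check on a host is whether any sudoers file turns it on. The script below is an added example for this page, not code from sudo or from the SUSE advisory; the two sudoers texts are constructed samples showing the weak setting next to the corrected one, and the parser deliberately does not follow #include/#includedir directives, so feed it every file sudo reads.

```shell
#!/bin/sh
# Added example for the sudo update (SUSE-2020-409, CVE-2019-18634); not code
# from sudo or from the advisory. The overflow is only reachable when the
# 'pwfeedback' option is enabled in sudoers, so the useful check on a host is
# whether any sudoers file turns it on.
#
# check_pwfeedback reads sudoers text on stdin. Exit 0: pwfeedback is enabled,
# exit 1: it is not. A later '!pwfeedback' overrides an earlier 'pwfeedback'
# (and vice versa); #include/#includedir directives are not followed, so feed
# it /etc/sudoers and every file in /etc/sudoers.d.
check_pwfeedback() {
  awk '
    { sub(/#.*/, "") }                     # strip comments
    /^[ \t]*Defaults/ {                    # Defaults, Defaults:user, Defaults@host, ...
      line = $0
      sub(/^[ \t]*Defaults[^ \t]*[ \t]*/, "", line)
      n = split(line, opt, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", opt[i])
        if (opt[i] == "pwfeedback")  found = 1
        if (opt[i] == "!pwfeedback") found = 0
      }
    }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample files: the weak setting (asterisks echoed at the password
# prompt, the code path the unpatched sudo could be crashed through) and the
# corrected file. Deleting the option instead restores the compiled-in
# default, which is off.
SUDOERS_WEAK='Defaults env_reset
Defaults pwfeedback, mail_badpass   # asterisk feedback: drop this
root ALL=(ALL) ALL'

SUDOERS_FIXED='Defaults env_reset
Defaults !pwfeedback
root ALL=(ALL) ALL'

# Usage on a live system (the files are readable by root only):
#   cat /etc/sudoers /etc/sudoers.d/* | check_pwfeedback && echo "pwfeedback is enabled"
```

The check is a configuration audit, not a version check: even after the patched sudo is installed, leaving pwfeedback on keeps a non-default code path enabled for no security benefit, and the same awk scan works unchanged against sudoers files collected from other hosts.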
----------------------------------------- Patch: SUSE-2020-394 Released: Tue Apr 14 17:25:16 2020 Summary: Security update for gcc9 Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 Description: This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------- Patch: SUSE-2020-990 Released: Tue Apr 14 18:30:16 2020 Summary: Recommended update for autoyast2 Severity: moderate References: 1164105,1167596 Description: This update for autoyast2 fixes the following issues: - Fix for start network before AutoYaST in order to provide a working network. (bsc#1164105) - Clone system: add not used devices to the skip list. 
(bsc#1167596) ----------------------------------------- Version 12.5-Build4.64 2020-04-20T19:31:46 ----------------------------------------- Patch: SUSE-2020-1040 Released: Mon Apr 20 15:22:46 2020 Summary: Recommended update for patterns-sles Severity: low References: 1156012 Description: This update for patterns-sles fixes the following problem: - The 'hwcrypto' pattern was only installable on s390x, because openssl-ibmca was not filtered out on other architectures. (bsc#1156012) ----------------------------------------- Version 12.5-Build4.66 2020-04-28T19:59:14 ----------------------------------------- Patch: SUSE-2020-1128 Released: Tue Apr 28 08:51:10 2020 Summary: Recommended update for yast2-installation Severity: important References: 1169017 Description: This update for yast2-installation fixes the following issues: - Fix detecting and configuring the network with firstboot. (bsc#1169017) ----------------------------------------- Version 12.5-Build4.69 2020-05-05T19:10:36 ----------------------------------------- Patch: SUSE-2020-1168 Released: Mon May 4 14:06:46 2020 Summary: Recommended update for libgcrypt Severity: moderate References: 1162879 Description: This update for libgcrypt fixes the following issues: - FIPS: Relax the entropy requirements of the self-test during boot (bsc#1162879) ----------------------------------------- Patch: SUSE-2020-1169 Released: Mon May 4 14:07:49 2020 Summary: Recommended update for glibc Severity: moderate References: 1162721 Description: This update for glibc fixes the following issues: - fork: Remove bogus parent PID assertions to avoid hangs (bsc#1162721) ----------------------------------------- Patch: SUSE-2020-1193 Released: Tue May 5 16:26:05 2020 Summary: Security update for openldap2 Severity: important References: 1170771,CVE-2020-12243 Description: This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
----------------------------------------- Version 12.5-Build4.72 2020-05-14T19:17:10 ----------------------------------------- Patch: SUSE-2020-1270 Released: Wed May 13 12:05:24 2020 Summary: Recommended update for dracut Severity: moderate References: 1169030 Description: This update for dracut fixes the following issue: - Fix the network interface being brought up prematurely. (bsc#1169030) ----------------------------------------- Version 12.5-Build4.72 2020-06-16T17:34:37 ----------------------------------------- Patch: SUSE-2020-1577 Released: Tue Jun 9 14:19:21 2020 Summary: Recommended update for openslp Severity: moderate References: 1117969,1136136 Description: This update for openslp fixes the following issues: - Use TCP connections to talk to other directory agents (DAs) (bsc#1117969) - Fix a segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136) ----------------------------------------- Version 12.5-Build4.73 2024-05-07T09:00:18 ----------------------------------------- Patch: SUSE-2020-1312 Released: Mon May 18 10:36:15 2020 Summary: Recommended update for timezone Severity: moderate References: 1169582 Description: This update for timezone fixes the following issues: - timezone update 2020a (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------- Patch: SUSE-2020-1325 Released: Mon May 18 11:50:19 2020 Summary: Recommended update for coreutils Severity: moderate References: 1156276 Description: This update for coreutils fixes the following issues: - Fix an issue where, when using sort with the '--human-numeric-sort-key' option, the column containing the values could be faulty.
(bsc#1156276) ----------------------------------------- Patch: SUSE-2020-1329 Released: Mon May 18 17:17:54 2020 Summary: Recommended update for gcc9 Severity: moderate References: 1149995,1152590,1167898 Description: This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for an internal compiler error when building HepMC (bsc#1167898) - Includes a fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with the same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetection of -g at LTO link time (bsc#1149995) - Install the go tool buildid for bootstrapping go ----------------------------------------- Patch: SUSE-2020-1408 Released: Mon May 25 16:40:20 2020 Summary: Recommended update for zlib Severity: moderate References: 1138793,1166260 Description: This update for zlib fixes the following issues: - Includes the latest fixes from IBM for bsc#1166260: IBM Z mainframes starting from z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and a ratio comparable with that of level 1. - Add a SUSE-specific fix for bsc#1138793: the fix avoids testing whether the application was linked against exactly the same zlib version as the one present at runtime.
----------------------------------------- Patch: SUSE-2020-1489 Released: Wed May 27 18:29:21 2020 Summary: Recommended update for timezone Severity: moderate References: 1172055 Description: This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------- Patch: SUSE-2020-1490 Released: Wed May 27 18:30:36 2020 Summary: Recommended update for glibc Severity: moderate References: 1162930 Description: This update for glibc fixes the following issue: - nptl: wait for pending setxid request also in detached thread (bsc#1162930) ----------------------------------------- Patch: SUSE-2020-1491 Released: Wed May 27 18:31:36 2020 Summary: Recommended update for groff Severity: low References: 1055985 Description: This update for groff fixes the following issues: - removed broken /usr/share/groff/1.22.2/current symlink (bsc#1055985) - moved /usr/share/doc/packages/groff/pdf/mom-pdf.pdf to the groff-doc package ----------------------------------------- Patch: SUSE-2020-1550 Released: Mon Jun 8 09:29:49 2020 Summary: Security update for vim Severity: moderate References: 1172031,1172225,CVE-2019-20807 Description: This update for vim fixes the following issues: - CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225 and bsc#1172031).
----------------------------------------- Patch: SUSE-2020-1570 Released: Tue Jun 9 11:15:13 2020 Summary: Security update for ruby2.1 Severity: important References: 1043983,1048072,1055265,1056286,1056782,1058754,1058755,1058757,1062452,1069607,1069632,1073002,1078782,1082007,1082008,1082009,1082010,1082011,1082014,1082058,1087433,1087434,1087436,1087437,1087440,1087441,1112530,1112532,1130611,1130617,1130620,1130622,1130623,1130627,1152990,1152992,1152994,1152995,1171517,1172275,CVE-2015-9096,CVE-2016-2339,CVE-2016-7798,CVE-2017-0898,CVE-2017-0899,CVE-2017-0900,CVE-2017-0901,CVE-2017-0902,CVE-2017-0903,CVE-2017-10784,CVE-2017-14033,CVE-2017-14064,CVE-2017-17405,CVE-2017-17742,CVE-2017-17790,CVE-2017-9228,CVE-2017-9229,CVE-2018-1000073,CVE-2018-1000074,CVE-2018-1000075,CVE-2018-1000076,CVE-2018-1000077,CVE-2018-1000078,CVE-2018-1000079,CVE-2018-16395,CVE-2018-16396,CVE-2018-6914,CVE-2018-8777,CVE-2018-8778,CVE-2018-8779,CVE-2018-8780,CVE-2019-15845,CVE-2019-16201,CVE-2019-16254,CVE-2019-16255,CVE-2019-8320,CVE-2019-8321,CVE-2019-8322,CVE-2019-8323,CVE-2019-8324,CVE-2019-8325,CVE-2020-10663 Description: This update for ruby2.1 fixes the following issues: Security issues fixed: - CVE-2015-9096: Fixed an SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command (bsc#1043983). - CVE-2016-7798: Fixed an IV reuse in GCM mode (bsc#1055265). - CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755). - CVE-2017-0899: Fixed an issue with malicious gem specifications: insufficient sanitization when printing gem specifications could have included terminal escape characters (bsc#1056286). - CVE-2017-0900: Fixed an issue with malicious gem specifications: the query command could have led to a denial of service attack against clients (bsc#1056286). - CVE-2017-0901: Fixed an issue with malicious gem specifications potentially overwriting arbitrary files on the client system (bsc#1056286).
- CVE-2017-0902: Fixed an issue with malicious gem specifications that could have enabled MITM attacks against clients (bsc#1056286). - CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452). - CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607). - CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632). - CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754). - CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757). - CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782). - CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002). - CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434). - CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782). - CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441). - CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436). - CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433). - CVE-2018-8779: Fixed an unintentional socket creation by a poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440). - CVE-2018-8780: Fixed an unintentional directory traversal by a poisoned NUL byte in Dir (bsc#1087437). - CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530). - CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532). - CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007).
- CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008). - CVE-2018-1000075: Fixed an infinite loop caused by a negative size in a tar header, leading to denial of service (bsc#1082014). - CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009). - CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010). - CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011). - CVE-2018-1000079: Fixed a path traversal issue during gem installation allowing writes to arbitrary filesystem locations (bsc#1082058). - CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627). - CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623). - CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622). - CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620). - CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617). - CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611). - CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994). - CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995). - CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992). - CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990). - CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517). Non-security issue fixed: - Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072).
Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275) ----------------------------------------- Patch: SUSE-2020-1598 Released: Wed Jun 10 10:52:04 2020 Summary: Recommended update for audit Severity: important References: 1156159,1172295 Description: This update for audit fixes the following issues: - Fix a hang on startup. (bsc#1156159) - Fix the specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) ----------------------------------------- Patch: SUSE-2020-1612 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 Description: This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed issues in the local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). ----------------------------------------- Patch: SUSE-2020-1662 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 Description: This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in the regular expression compiler which could have allowed overwriting of allocated memory with attacker-controlled data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of a Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed a bug that let an attacker corrupt the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time at which they are built. This update fixes the issues caused by calling the Perl function timelocal with a two-digit year instead of a four-digit one. (bsc#1102840) (bsc#1160039) ----------------------------------------- Patch: SUSE-2020-1672 Released: Thu Jun 18 13:41:30 2020 Summary: Security update for dbus-1 Severity: important References: 1137832,1140091,CVE-2019-12749 Description: This update for dbus-1 fixes the following issues: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------- Patch: SUSE-2020-1688 Released: Fri Jun 19 11:02:27 2020 Summary: Recommended update for dracut Severity: important References: 1171370 Description: This update for dracut fixes the following issue: - modules.d: fix udev rules detection of multipath devices. (bsc#1171370) ----------------------------------------- Patch: SUSE-2020-1734 Released: Wed Jun 24 09:43:55 2020 Summary: Security update for curl Severity: important References: 1173027,CVE-2020-8177 Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server into overwriting a local file when using the -J option (bsc#1173027).
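For the curl entry above (CVE-2020-8177) the hazard is that with -J the server chooses the local file name through its Content-Disposition header. The POSIX sh function below is an added example, not curl's code and not part of the advisory: it applies the two checks a client should enforce before trusting such a name, namely that the name is a plain file name with no path component or unusual characters, and that an existing file is never overwritten. The header values and the temporary directory used with it are constructed for the example; the 'url' in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for the curl update (SUSE-2020-1734, CVE-2020-8177); not curl's
# code and not part of the advisory. With -J the server picks the local file
# name via Content-Disposition, so a client that honours that header needs two
# checks before writing: the name must be a plain file name, and an existing
# file must never be overwritten (the policy curl adopted for -J in its fix).
#
# cd_safe_target HEADER_VALUE DEST_DIR
#   prints the path it is safe to write to and returns 0, or prints nothing
#   and returns 1 if the name is unsafe or the file already exists.
cd_safe_target() {
  hdr=$1
  dir=$2
  # Extract the filename= parameter, quoted or bare, stopping at '"' or ';'.
  # The RFC 5987 'filename*=' form is deliberately not handled and is rejected.
  name=$(printf '%s' "$hdr" | sed -n 's/.*filename="\{0,1\}\([^";]*\).*/\1/p')
  # Allowlist of portable file name characters: anything else ('/', '\',
  # spaces, control bytes, non-ASCII) is rejected. '.', '..' and names that
  # start with '-' (which a later command could read as an option) are
  # rejected as well.
  case $name in
    '' | . | .. | -* | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  # Refuse to clobber whatever is already there.
  if [ -e "$dir/$name" ]; then
    return 1
  fi
  printf '%s\n' "$dir/$name"
}

# Constructed header values, as a malicious server could send them:
CD_BENIGN='attachment; filename="report.pdf"'
CD_TRAVERSAL='attachment; filename="../../../etc/cron.d/backdoor"'
CD_DOTDOT='attachment; filename=..'

# Usage (url is a placeholder): only download once the target passed both checks.
#   target=$(cd_safe_target "$CD_BENIGN" /tmp/downloads) && curl -sS -o "$target" "$url"
```

The allowlist is intentionally stricter than what curl itself accepts: a downloader that only ever needs ASCII report names loses nothing by rejecting everything else, and the rejection happens before any byte is written to disk.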
----------------------------------------- Patch: SUSE-2020-1796 Released: Mon Jun 29 13:27:56 2020 Summary: Security update for unzip Severity: moderate References: 1110194,CVE-2018-18384 Description: This update for unzip fixes the following issues: - CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194) ----------------------------------------- Patch: SUSE-2020-1828 Released: Thu Jul 2 13:07:28 2020 Summary: Security update for systemd Severity: moderate References: 1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386 Description: This update for systemd fixes the following issues: - CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436). - Renamed the persistent link for ATA devices (bsc#1164538) - shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) - tmpfiles: removed an unnecessary assert (bsc#1171145) - pid1: by default make user units inherit their umask from the user manager (bsc#1162698) - manager: fixed the job mode when signalled to shut down etc. (bsc#1161262) - coredump: fixed a bug that lost core dump files when core dumps are compressed and disk space is low. (bsc#1167622) - udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633) - libblkid: open the device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open the CD-ROM in exclusive mode.
(bsc#1154256) ----------------------------------------- Patch: SUSE-2020-1846 Released: Mon Jul 6 12:22:17 2020 Summary: Recommended update for yast2-ruby-bindings Severity: important References: 1172275,1172848 Description: This update for yast2-ruby-bindings fixes the following issues: - Fixed a Ruby error when the appliance gets configured during an installation, which led to a crash (bsc#1172848) - Fixed an error where yast2 --ncureses crashed due to an update of the Ruby interpreter (bsc#1172275) ----------------------------------------- Patch: SUSE-2020-2059 Released: Tue Jul 28 11:32:56 2020 Summary: Recommended update for grep Severity: moderate References: 1163834 Description: This update for grep fixes the following issues: Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834) ----------------------------------------- Patch: SUSE-2020-2092 Released: Thu Jul 30 14:55:46 2020 Summary: Recommended update for glibc Severity: moderate References: 1171878,1172085,1173593 Description: This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178) - nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130) - Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100) ----------------------------------------- Patch: SUSE-2020-2136 Released: Wed Aug 5 17:55:42 2020 Summary: Recommended update for yast2-bootloader Severity: moderate References: 1172720 Description: This update for yast2-bootloader fixes the following issues: - Fixes an issue where the pmbr setup was accidentally applied to non-GPT formatted disks, which led to an error during installation (bsc#1172720) ----------------------------------------- Patch: SUSE-2020-2229 Released: Thu Aug 13 10:14:37 2020 Summary: Recommended update for util-linux Severity: moderate References: 1149911,1151708,1168235,1168389 Description: This update for 
util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------- Patch: SUSE-2020-2287 Released: Thu Aug 20 16:07:37 2020 Summary: Recommended update for grep Severity: moderate References: 1174080 Description: This update for grep fixes the following issues: - Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080) ----------------------------------------- Patch: SUSE-2020-2410 Released: Tue Sep 1 13:15:48 2020 Summary: Recommended update for pam Severity: low References: 1173593 Description: This update of pam fixes the following issue: - On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. 
(bsc#1173593) ----------------------------------------- Patch: SUSE-2020-2428 Released: Tue Sep 1 22:07:35 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: - AddTrust External CA Root - AddTrust Class 1 CA Root - LuxTrust Global Root 2 - Staat der Nederlanden Root CA - G2 - Symantec Class 1 Public Primary Certification Authority - G4 - Symantec Class 2 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: - certSIGN Root CA G2 - e-Szigno Root CA 2017 - Microsoft ECC Root Certificate Authority 2017 - Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2444 Released: Wed Sep 2 09:32:43 2020 Summary: Security update for curl Severity: moderate References: 1175109,CVE-2020-8231 Description: This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231] ----------------------------------------- Patch: SUSE-2020-2547 Released: Fri Sep 4 18:17:13 2020 Summary: Recommended update for zlib Severity: moderate References: 1174551,1174736 Description: This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. 
(bsc#1174551) ----------------------------------------- Patch: SUSE-2020-2555 Released: Mon Sep 7 14:30:36 2020 Summary: Recommended update for systemd Severity: moderate References: 1169488,1173227 Description: This update for systemd fixes the following issues: - Fix inconsistent file modes for some ghost files. (bsc#1173227) - Fix for an issue where nfs-server clone causes cluster node to hang on reboot. (bsc#1169488) ----------------------------------------- Patch: SUSE-2020-2587 Released: Wed Sep 9 22:03:04 2020 Summary: Recommended update for procps Severity: moderate References: 1174660 Description: This update for procps fixes the following issues: - Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660) ----------------------------------------- Patch: SUSE-2020-2609 Released: Fri Sep 11 10:58:59 2020 Summary: Security update for libxml2 Severity: moderate References: 1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595 Description: This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). - Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021). 
----------------------------------------- Patch: SUSE-2020-2652 Released: Wed Sep 16 14:43:23 2020 Summary: Recommended update for zlib Severity: moderate References: 1175811,1175830,1175831 Description: This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------- Patch: SUSE-2020-2660 Released: Wed Sep 16 16:15:10 2020 Summary: Security update for libsolv Severity: moderate References: 1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 Description: This update for libsolv fixes the following issues: This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products. libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). ----------------------------------------- Patch: SUSE-2020-2687 Released: Mon Sep 21 10:54:58 2020 Summary: Security update for less Severity: moderate References: 921719,CVE-2014-9488 Description: This update for less fixes the following issues: Security issue fixed: - CVE-2014-9488: Malformed UTF-8 data could have caused an out of bounds read in the UTF-8 decoding routines, causing an invalid read access (bsc#921719). 
----------------------------------------- Patch: SUSE-2020-2806 Released: Wed Sep 30 14:36:08 2020 Summary: Security update for tar Severity: moderate References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923 Description: This update for tar fixes the following issues: Security issues fixed: - CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496). - CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610). ----------------------------------------- Patch: SUSE-2020-2897 Released: Tue Oct 13 14:00:25 2020 Summary: Recommended update for suse-build-key Severity: moderate References: 1170347,1176759 Description: This update for suse-build-key fixes the following issues: - This update extends the suse build key (bsc#1176759) - The SUSE container key is different from the build key. (PM-1845 bsc#1170347) ----------------------------------------- Patch: SUSE-2020-2900 Released: Tue Oct 13 14:20:15 2020 Summary: Security update for libproxy Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 Description: This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------- Patch: SUSE-2020-2940 Released: Thu Oct 15 17:52:14 2020 Summary: Recommended update for autoyast2 Severity: moderate References: 1175624,1175714 Description: This update for autoyast2 fixes the following issues: - Enable encryption for RAIDs (bsc#1175624) ----------------------------------------- Patch: SUSE-2020-2959 Released: Tue Oct 20 12:33:48 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. 
(bsc#1176123) ----------------------------------------- Patch: SUSE-2020-2964 Released: Tue Oct 20 13:26:50 2020 Summary: Recommended update for yast2-network Severity: moderate References: 1149234 Description: This update for yast2-network fixes the following issues: - Apply udev rule from AY profile according to device's mac value when permanent_mac is missing in list of the device's options. (bsc#1149234) ----------------------------------------- Patch: SUSE-2020-3056 Released: Wed Oct 28 06:10:04 2020 Summary: Recommended update for wicked Severity: moderate References: 1160939,1168155,1171234,1172082,1174099,959556 Description: This update for wicked fixes the following issues: - Fix to avoid incomplete ifdown/timeout on route deletion error. (bsc#1174099) - Allow 'linuxrc' to send 'RFC2132' without providing the MAC address. (jsc#SLE-15770) - Fixes to ifreload on port changes. (bsc#1168155, bsc#1172082) - Fix schema to use correct 'hwaddr_policy' property. (bsc#1171234) - Enable IPv6 on ports when 'nsna_ping' linkwatch is used. (bsc#959556) - Implement support for RFC7217. (jsc#SLE-6960) - Fix for schema to avoid not applying 'rto_min' including new time format. (bsc#1160939) ----------------------------------------- Patch: SUSE-2020-3100 Released: Thu Oct 29 19:34:18 2020 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. 
----------------------------------------- Patch: SUSE-2020-3139 Released: Tue Nov 3 13:18:28 2020 Summary: Recommended update for timezone Severity: important References: 1177460,1178346,1178350,1178353 Description: This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. - Fiji starts DST later than usual, on 2020-12-20. ----------------------------------------- Patch: SUSE-2020-3146 Released: Wed Nov 4 08:38:54 2020 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1155346,1176029,1177479,1177575,1177673,1177793 Description: This update for openssl-1_0_0 fixes the following issues: Various changes required for FIPS 140-2 certification (jsc#SLE-10541) - FIPS: Use SHA-2 in the RSA pairwise consistency check (bsc#1155346) - FIPS: Add shared secret KAT to FIPS DH selftest (bsc#1176029) - FIPS: Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029 bsc#1177479 bsc#1177575 bsc#1177673 bsc#1177793) ----------------------------------------- Patch: SUSE-2020-3156 Released: Wed Nov 4 15:21:49 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Patch: SUSE-2020-3263 Released: Tue Nov 10 09:48:14 2020 Summary: Security update for gcc10 Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 Description: This update for gcc10 fixes the following issues: This update 
provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html ----------------------------------------- Patch: SUSE-2020-3346 Released: Mon Nov 16 17:44:39 2020 Summary: Recommended update for zypper Severity: moderate References: 1169947,1178038 Description: This update for zypper fixes the following issues: - Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038) - Fixed a typo in man page (bsc#1169947) ----------------------------------------- Patch: SUSE-2020-3363 Released: Wed Nov 18 08:24:36 2020 Summary: Recommended update for yast2-ruby-bindings Severity: moderate References: 1174198 Description: This update for yast2-ruby-bindings fixes the following issues: - Fixed an issue that caused yast2 network settings to hang (bsc#1174198) ----------------------------------------- Patch: SUSE-2020-3489 Released: Mon Nov 23 14:07:31 2020 Summary: Recommended update for systemd Severity: moderate References: 1083571,1139459,1176513,1176800,1177458,1177510 Description: This update for systemd fixes the following issues: - Create systemd-remote user only if journal-remote is included with the package (bsc#1177458) - Fixed a buffer overflow in systemd ask-password (bsc#1177510) - Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513) - Fixed an issue with the try-restart command, where services won't restart (bsc#1139459) Exclusively for SUSE Linux Enterprise 12 SP5: - cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842) 
----------------------------------------- Patch: SUSE-2020-3569 Released: Mon Nov 30 17:13:16 2020 Summary: Recommended update for pam Severity: moderate References: 1178727 Description: This update for pam fixes the following issue: - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) ----------------------------------------- Patch: SUSE-2020-3732 Released: Wed Dec 9 18:18:03 2020 Summary: Security update for openssl-1_0_0 Severity: important References: 1179491,CVE-2020-1971 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------- Patch: SUSE-2020-3739 Released: Thu Dec 10 09:17:34 2020 Summary: Security update for curl Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 Description: This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------- Patch: SUSE-2020-3746 Released: Thu Dec 10 12:39:59 2020 Summary: Recommended update for dracut Severity: moderate References: 1169997,996146 Description: This update for dracut fixes the following issues: - Fix for error handling and downgrade module load failure to a warning as it is not fatal at all. (bsc#1169997) - Implement network setup on 'infiniband' devices. 
(bsc#996146) ----------------------------------------- Patch: SUSE-2020-3794 Released: Mon Dec 14 17:40:20 2020 Summary: Recommended update for libzypp, zypper Severity: moderate References: 1174215,1178925,1178966 Description: This update for libzypp, zypper fixes the following issues: Changes in zypper: - Fix typo in `list-patches` help. (bsc#1178925) The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`. Changes in libzypp: - Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966) - Remove from the logs the credentials available from the authorization header. (bsc#1174215) The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log. ----------------------------------------- Patch: SUSE-2020-3852 Released: Wed Dec 16 12:27:02 2020 Summary: Recommended update for util-linux Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 Description: This update for util-linux fixes the following issues: - Do not trigger CDROM autoclose. (bsc#1084671) - Try to autoconfigure broken serial lines. - Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514) - Build with libudev support to support non-root users. (bsc#1169006) - Aavoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to CIFS with mount –a. (SG#57988, bsc#1174942) ----------------------------------------- Patch: SUSE-2020-3874 Released: Fri Dec 18 14:19:41 2020 Summary: Recommended update for parted Severity: moderate References: 1137259 Description: This update for parted fixes the following issue: - Do not probe the partitions ending with `_part`. 
(bsc#1137259) ----------------------------------------- Patch: SUSE-2021-26 Released: Tue Jan 5 14:18:00 2021 Summary: Recommended update for libxml2 Severity: moderate References: 1178823 Description: This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------- Patch: SUSE-2021-136 Released: Fri Jan 15 10:33:38 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------- Patch: SUSE-2021-161 Released: Mon Jan 18 20:03:25 2021 Summary: Recommended update for libnl3 Severity: low References: 1025043 Description: This update for libnl3 fixes the following issues: - IPv6 privacy extension of NetworkManager was not working. 
(bsc#1025043) ----------------------------------------- Patch: SUSE-2021-225 Released: Tue Jan 26 19:20:09 2021 Summary: Security update for sudo Severity: important References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156 Description: This update for sudo fixes the following issues: - A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156] - It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239] - A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240] - It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687] ----------------------------------------- Patch: SUSE-2021-244 Released: Fri Jan 29 09:46:42 2021 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1180777,1180959 Description: This update for openssl-1_0_0 fixes the following issues: - Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777) - Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959) ----------------------------------------- Patch: SUSE-2021-279 Released: Tue Feb 2 09:43:53 2021 Summary: Recommended update for timezone Severity: moderate References: 1177460 Description: This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. 
----------------------------------------- Patch: SUSE-2021-349 Released: Tue Feb 9 11:11:14 2021 Summary: Recommended update for sudo Severity: moderate References: 1176473 Description: This update for sudo fixes the following issues: - Restore 'sudo ldap' behavior to ignore expire dates when 'SUDOERS_TIMED' option is not set in ldap. (bsc#1176473) ----------------------------------------- Patch: SUSE-2021-356 Released: Wed Feb 10 09:07:57 2021 Summary: Recommended update for curl Severity: moderate References: 1177976 Description: This update for curl fixes the following issues: - Fix for SFTP uploads when it results in empty uploaded files. (bsc#1177976) ----------------------------------------- Patch: SUSE-2021-358 Released: Wed Feb 10 10:43:22 2021 Summary: Recommended update for systemd Severity: moderate References: 1141597,1174436,1179363,1179824,1180020,1180596,1180885 Description: This update for systemd fixes the following issues: - Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reloadbsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create 
/dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reload (bsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597) ----------------------------------------- Patch: SUSE-2021-491 Released: Wed Feb 17 08:38:21 2021 Summary: Security update for screen Severity: important References: 1182092,CVE-2021-26937 Description: This update for screen fixes the following issues: - CVE-2021-26937: Fixed double width combining char handling that could lead to a denial of service or code execution (bsc#1182092). ----------------------------------------- Patch: SUSE-2021-555 Released: Tue Feb 23 11:15:43 2021 Summary: Recommended update for sudo Severity: moderate References: 1181371 Description: This update for sudo fixes the following issue: - Fix a special handling of `ipa_hostname` that was lost in sudo 1.8.24. (bsc#1181371) We now include the long and short hostname in sudo parser container. ----------------------------------------- Patch: SUSE-2021-588 Released: Thu Feb 25 06:10:02 2021 Summary: Recommended update for file Severity: moderate References: 1182138 Description: This update for file fixes the following issues: - Fixed an issue when file is used with a string started with '80'. 
(bsc#1182138) ----------------------------------------- Patch: SUSE-2021-608 Released: Thu Feb 25 21:03:59 2021 Summary: Security update for glibc Severity: moderate References: 1180038,1181365,1181505,1182117,CVE-2019-25013,CVE-2021-3326 Description: This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) - powerpc: Add support for POWER10 (bsc#1181365) ----------------------------------------- Patch: SUSE-2021-718 Released: Mon Mar 8 11:47:29 2021 Summary: Recommended update for dracut Severity: critical References: 996146 Description: This update for dracut fixes the following issues: - Support network setup on infiniband devices (bsc#996146) ----------------------------------------- Patch: SUSE-2021-725 Released: Mon Mar 8 16:47:37 2021 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------- Patch: SUSE-2021-765 Released: Thu Mar 11 13:54:18 2021 Summary: Recommended update for gzip Severity: moderate References: 1180713 Description: This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. 
(bsc#1180713) ----------------------------------------- Patch: SUSE-2021-796 Released: Tue Mar 16 10:28:14 2021 Summary: Recommended update for zlib Severity: moderate References: 1176201 Description: This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------- Patch: SUSE-2021-932 Released: Wed Mar 24 12:13:01 2021 Summary: Security update for nghttp2 Severity: important References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080 Description: This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358). - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182). - CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639). - CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514). 
Bug fixes and enhancements: - Packages must not mark license files as %doc (bsc#1082318) - Typo in description of libnghttp2_asio1 (bsc#962914) - Fixed mistake in spec file (bsc#1125689) - Fixed build issue with boost 1.70.0 (bsc#1134616) - Fixed build issue with GCC 6 (bsc#964140) - Feature: Add W&S module (FATE#326776, bsc#1112438) ----------------------------------------- Patch: SUSE-2021-975 Released: Mon Mar 29 19:31:45 2021 Summary: Security update for tar Severity: low References: 1181131,CVE-2021-20193 Description: This update for tar fixes the following issues: CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131) ----------------------------------------- Patch: SUSE-2021-1003 Released: Thu Apr 1 15:06:58 2021 Summary: Recommended update for libcap Severity: moderate References: 1180073 Description: This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------- Patch: SUSE-2021-1165 Released: Tue Apr 13 14:03:17 2021 Summary: Security update for glibc Severity: important References: 1178386,1179694,1179721,1184034,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573 Description: This update for glibc fixes the following issues: - CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386) - CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694) - CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721) - Check vector support in memmove ifunc-selector (bsc#1184034) ----------------------------------------- Patch: SUSE-2021-1246 Released: Fri Apr 16 15:14:59 2021 Summary: Recommended update for systemd Severity: important References: 1178219,1180020,1180083,1183094,1183790 Description: This update for systemd fixes the following issues: - Fixed an issue, where Restart=on-abort was not respected 
based on the exit status of the main process (bsc#1183790) - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. - Fixed an error when building systemd systemd-mini, caused by a change in systemd-rpm-macros (bsc#1183094) - Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083) - Fixed a memory leak in systemctl daemon-reload (bsc#1180020) ----------------------------------------- Patch: SUSE-2021-1274 Released: Tue Apr 20 14:29:52 2021 Summary: Security update for sudo Severity: important References: 1183936,CVE-2021-3156 Description: This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) ----------------------------------------- Patch: SUSE-2021-1290 Released: Wed Apr 21 14:03:11 2021 Summary: Recommended update for gzip Severity: moderate References: 1177047 Description: This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------- Patch: SUSE-2021-1336 Released: Tue Apr 27 17:24:06 2021 Summary: Recommended update for libcap Severity: critical References: 1184434,1184690 Description: This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs'. (bsc#1184690, bsc#1184434) ----------------------------------------- Patch: SUSE-2021-1396 Released: Wed Apr 28 09:23:39 2021 Summary: Security update for curl Severity: moderate References: 1183933,CVE-2021-22876 Description: This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). 
----------------------------------------- Patch: SUSE-2021-1524 Released: Wed May 5 18:25:25 2021 Summary: Security update for libxml2 Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 Description: This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Patch: SUSE-2021-1541 Released: Thu May 6 17:09:04 2021 Summary: Recommended update for bash Severity: moderate References: 1177369 Description: This update for bash fixes the following issues: - Fixed a bug where the 'tailf' command destroyed the terminal/console settings (bsc1177369) ----------------------------------------- Patch: SUSE-2021-1546 Released: Mon May 10 09:55:50 2021 Summary: Recommended update for dracut Severity: moderate References: 1178219 Description: This update for dracut fixes the following issues: - Fix by adding timeout to umount calls. (bsc#1178219) ----------------------------------------- Patch: SUSE-2021-1633 Released: Wed May 19 09:56:05 2021 Summary: Recommended update for yast2-pkg-bindings Severity: moderate References: 1185240 Description: This update for yast2-pkg-bindings fixes the following issues: - Ensure that the installer is updated with the latest packages from the installer updates repository. 
(bsc#1185240) ----------------------------------------- Patch: SUSE-2021-1658 Released: Wed May 19 18:20:42 2021 Summary: Security update for libxml2 Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 Description: This update for libxml2 fixes the following issues: Security issues fixed: CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------- Patch: SUSE-2021-1667 Released: Thu May 20 09:34:34 2021 Summary: Recommended update for audit Severity: moderate References: 1179515,1184362 Description: This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515, bsc#1184362) ----------------------------------------- Patch: SUSE-2021-1683 Released: Fri May 21 15:38:24 2021 Summary: Recommended update for systemd Severity: moderate References: 1178561,1184967,1185046,1185331 Description: This update for systemd fixes the following issues: systemctl: add --value option execute: make sure to call into PAM after initializing resource limits. (bsc#1184967) rlimit-util: introduce setrlimit_closest_all() system-conf: drop reference to ShutdownWatchdogUsec= core: rename ShutdownWatchdogSec to RebootWatchdogSec. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: set execute bits. (bsc#1178561) udev: rework network device renaming. 
Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available'' ----------------------------------------- Patch: SUSE-2021-1763 Released: Wed May 26 12:31:57 2021 Summary: Security update for curl Severity: moderate References: 1186114,CVE-2021-22898 Description: This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------- Patch: SUSE-2021-1796 Released: Fri May 28 09:40:02 2021 Summary: Recommended update for gcc10 Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016,1185337 Description: This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) - Fixed build failure in SLE-12 due to bogus 'rpmlint'. (bsc#1185337) ----------------------------------------- Patch: SUSE-2021-2016 Released: Fri Jun 18 09:39:25 2021 Summary: Security update for libxml2 Severity: moderate References: 1186015,CVE-2021-3541 Description: This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015). 
----------------------------------------- Patch: SUSE-2021-2086 Released: Fri Jun 18 17:28:57 2021 Summary: Recommended update for pam Severity: important References: 1181443,1185562 Description: This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------- Patch: SUSE-2021-2156 Released: Thu Jun 24 15:39:39 2021 Summary: Security update for libgcrypt Severity: important References: 1187212,CVE-2021-33560 Description: This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------- Patch: SUSE-2021-2180 Released: Mon Jun 28 17:40:39 2021 Summary: Security update for libsolv Severity: important References: 1161510,1186229,CVE-2019-20387,CVE-2021-3200 Description: This update for libsolv fixes the following issues: Security issues fixed: - CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510) - CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229) Other issues fixed: - backport support for blacklisted packages to support ptf packages and retracted patches - fix ruleinfo of complex dependencies returning the wrong origin - fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason - fix add_complex_recommends() selecting conflicted packages in rare cases - fix potential segfault in resolve_jobrules - fix solv_zchunk decoding error if large chunks are used ----------------------------------------- Patch: SUSE-2021-2280 Released: Fri Jul 9 16:29:17 2021 Summary: Security update for permissions Severity: moderate References: 
1047247,1050467,1093414,1097665,1123886,1150734,1155939,1157198,1160594,1160764,1161779,1163922,1171883,1182899,CVE-2019-3688,CVE-2019-3690,CVE-2020-8013 Description: This update for permissions fixes the following issues: - Fork package for 12-SP5 (bsc#1155939) - make btmp root:utmp (bsc#1050467, bsc#1182899) - pcp: remove no longer needed / conflicting entries (bsc#1171883). Fixes a potential security issue. - do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922) - fix handling of relative directory symlinks in chkstat - whitelist postgres sticky directories (bsc#1123886) - fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) - fix capability handling when doing multiple permission changes at once (bsc#1161779, - fix invalid free() when permfiles points to argv (bsc#1157198) - the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247, bsc#1097665) - fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688) - fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690) ----------------------------------------- Patch: SUSE-2021-2318 Released: Wed Jul 14 16:00:57 2021 Summary: Recommended update for dracut Severity: moderate References: 1187115 Description: This update for dracut fixes the following issues: - Remove references to INITRD_MODULES from man pages. 
(bsc#1187115) ----------------------------------------- Patch: SUSE-2021-2405 Released: Tue Jul 20 14:21:55 2021 Summary: Security update for systemd Severity: moderate References: 1184761,1185807,1188063,CVE-2021-33910 Description: This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Fixed a regression with hostnamectl and timedatectl (bsc#1184761) - Fixed permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------- Patch: SUSE-2021-2424 Released: Wed Jul 21 11:25:39 2021 Summary: Security update for dbus-1 Severity: important References: 1172505,1187105,CVE-2020-12049,CVE-2020-35512 Description: This update for dbus-1 fixes the following issues: - CVE-2020-35512: users with the same numeric UID could lead to use-after-free and undefined behaviour (bsc#1187105) - CVE-2020-12049: truncated messages lead to resource exhaustion (bsc#1172505) ----------------------------------------- Patch: SUSE-2021-2462 Released: Fri Jul 23 11:23:22 2021 Summary: Security update for curl Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 Description: This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. 
(bsc#1188217) ----------------------------------------- Patch: SUSE-2021-2480 Released: Tue Jul 27 13:47:22 2021 Summary: Security update for glibc Severity: moderate References: 1027496,1131330,1187911,CVE-2016-10228,CVE-2021-35942 Description: This update for glibc fixes the following issues: Security issues fixed: - CVE-2021-35942: wordexp: Fixed handle overflow in positional parameter number (bsc#1187911) - CVE-2016-10228: Rewrite iconv option parsing (bsc#1027496) Other fixes: - Fixed race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------- Patch: SUSE-2021-2572 Released: Thu Jul 29 14:20:58 2021 Summary: Recommended update for timezone Severity: moderate References: 1188127 Description: This update for timezone fixes the following issues: - From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127). ----------------------------------------- Patch: SUSE-2021-2578 Released: Sun Aug 1 15:54:42 2021 Summary: Recommended update for openldap2 Severity: moderate References: 1187784 Description: This update for openldap2 rebuilds openldap2 against a symbol versioned enabled openssl 1.0 library. This is an enablemend for migrations to openssl 1.1.1 which will enable TLS 1.3 support. 
----------------------------------------- Patch: SUSE-2021-2686 Released: Sat Aug 14 03:58:36 2021 Summary: Security update for cpio Severity: important References: 1189206,CVE-2021-38185 Description: This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------- Patch: SUSE-2021-2767 Released: Tue Aug 17 17:29:14 2021 Summary: Recommended update for cpio Severity: critical References: 1189465 Description: This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------- Patch: SUSE-2021-2779 Released: Thu Aug 19 16:08:35 2021 Summary: Recommended update for cpio Severity: critical References: 1189465,CVE-2021-38185 Description: This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------- Patch: SUSE-2021-2808 Released: Mon Aug 23 12:09:10 2021 Summary: Security update for cpio Severity: important References: 1189465,CVE-2021-38185 Description: This update for cpio fixes the following issues: - A patch previously applied to remedy CVE-2021-38185 introduced a regression that had the potential to cause a segmentation fault in cpio. [bsc#1189465] ----------------------------------------- Patch: SUSE-2021-2826 Released: Tue Aug 24 16:16:02 2021 Summary: Security update for openssl-1_0_0 Severity: important References: 1189521,CVE-2021-3712 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. 
[bsc#1189521] ----------------------------------------- Patch: SUSE-2021-2859 Released: Fri Aug 27 13:57:36 2021 Summary: Recommended update for bzip2 Severity: moderate References: 1188891 Description: This update for bzip2 fixes the following issues: - Disable a optimization that caused crashes with libarchive due to uninitialized memory. (bsc#1188891) - Fixed bashisms in bzgrep and bznew ----------------------------------------- Patch: SUSE-2021-2903 Released: Wed Sep 1 13:09:42 2021 Summary: Recommended update for cracklib Severity: moderate References: 1188698 Description: This update for cracklib fixes the following issue: - Provide 'cracklib-dict-small' to SUSE Linux Enterprise Server 12-SP5 (bsc#1188698) ----------------------------------------- Patch: SUSE-2021-2930 Released: Thu Sep 2 14:48:43 2021 Summary: Security update for file Severity: important References: 1154661,CVE-2019-18218 Description: This update for file fixes the following issues: - CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661). ----------------------------------------- Patch: SUSE-2021-2936 Released: Thu Sep 2 21:14:49 2021 Summary: Recommended update for zypper Severity: low References: 1187466 Description: This update for zypper fixes the following issues: - Fix for man: point out more clearly that patches update affected packages to the latest available version. (bsc#1187466) ----------------------------------------- Patch: SUSE-2021-2995 Released: Thu Sep 9 14:35:53 2021 Summary: Security update for openssl-1_0_0 Severity: low References: 1189521,CVE-2021-3712 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). 
----------------------------------------- Patch: SUSE-2021-3051 Released: Thu Sep 16 08:59:46 2021 Summary: Recommended update for lvm2 Severity: moderate References: 1188202 Description: This update for lvm2 fixes the following issues: - Update from version 2.02.180 to 2.02.188 (bsc#1188202) - Fix problem with unbound variable usage within fsadm. - Avoid removing LVs on error path of lvconvert during creation volumes. - Fix crashing lvdisplay when thin volume was waiting for merge. - Support option '--errorwhenfull' when converting volume to thin-pool. - Improve thin-performance profile support conversion to thin-pool. - Support resize of cached volumes. - Allocation prints better error when metadata cannot fit on a single PV. - Pvmove can better resolve full thin-pool tree move. - Limit pool metadata spare to 16GiB. - Improves conversion and allocation of pool metadata. - Support thin pool metadata 15.88GiB, adds 64MiB, thin_pool_crop_metadata=0. - Enhance lvdisplay to report raid available/partial. - Enhance error handling for fsadm and handle correct fsck result. - Stop logging rename errors from persistent filter. - Dmeventd lvm plugin ignores higher reserved_stack lvm.conf values. - Support using BLKZEROOUT for clearing devices. - Support interruption when wipping LVs. - Add configure '--enable-editline' support as an alternative to readline. - Zero pool metadata on allocation (disable with allocation/zero_metadata=0). - Failure in zeroing or wiping will fail command (bypass with -Zn, -Wn). - Fix support for 'lvconvert --repair' used by foreign apps (i.e. Docker). - Support interruption for bcache waiting. - Fix bcache when device has too many failing writes. - Fix bcache waiting for IO completion with failing disks. - Configure use own python path name order to prefer using python3. - Enhance reporting and error handling when creating thin volumes. - Use revert_lv() on reload error path after vg_revert(). 
- Improve estimation of needed extents when creating thin-pool. - Use extra 1% when resizing thin-pool metadata LV with --use-policy. - Enhance '--use-policy' percentage rounding. - Switch code base to use flexible array syntax. - Preserve uint32_t for seqno handling. - Switch from mmap to plain read when loading regular files. - Fix running out of free buffers for async writing for larger writes. - Fix conversion to raid from striped lagging type. - Fix conversion to 'mirrored' mirror log with larger regionsize. - Avoid running cache input arg validation when creating vdo pool. - Prevent raid reshaping of stacked volumes. - Ensure minimum required region size on striped RaidLV creation. - Fix resize of thin-pool with data and metadata of different segtype. - Fix splitting mirror leg in cluster. - Fix activation order when removing merged snapshot. - Add support for DM_DEVICE_GET_TARGET_VERSION into device_mapper. - Add lvextend-raid.sh to check on RaidLV extensions synchronization. - Fix lvmetad shutdown and avoid lenghty timeouts when rebooting system. - Prevent creating VGs with PVs with different logical block sizes. - Pvmove runs in exclusively activating mode for exclusively active LVs. - Activate thin-pool layered volume as 'read-only' device. - Ignore crypto devices with UUID signature CRYPT-SUBDEV. - Enhance validation for thin and cache pool conversion and swapping. - Fixed activation on boot - lvm2 no longer activates incomplete VGs. - Improve internal removal of cached devices. - Synchronize with udev when dropping snapshot. - Add missing device synchronization point before removing pvmove node. - Correctly set read_ahead for LVs when pvmove is finished. - Fix metadata writes from corrupting with large physical block size. - Report no_discard_passdown for cache LVs with lvs -o+kernel_discards. - Prevent shared active mirror LVs with lvmlockd. - Fix change of monitoring in clustered volumes. 
- Improve -lXXX%VG modifier which improves cache segment estimation. - Add synchronization with udev before removing cached devices. - Fix missing growth of _pmspare volume when extending _tmeta volume. - Automatically grow thin metadata, when thin data gets too big. - Add support for vgsplit with cached devices. - Fix signal delivery checking race in libdaemon (lvmetad). - Add missing Before=shutdown.target to LVM2 services to fix shutdown ordering. - Fix (de)activation of RaidLVs with visible SubLVs - Change scan_lvs default to 0 so LVs are not scanned for PVs. - Add scan_lvs config setting to control if lvm scans LVs for PVs. - Fix missing proper initialization of pv_list struct when adding pv. - Avoid disabling lvmetad when repair does nothing. - Fix component detection for md version 0.90. - Use sync io if async io_setup fails, or use_aio=0 is set in config. - Avoid opening devices to get block size by using existing open fd. - Fix possible write race between last metadata block and the first extent. - Fix filtering of md 1.0 devices so they are not seen as duplicate PVs. - Fix lvconvert striped/raid0/raid0_meta -> raid6 regression. - Add After=rbdmap.service to {lvm2-activation-net,blk-availability}.service. - Fix pvs with lvmetad to avoid too many open files from filter reads. - Fix pvscan --cache to avoid too many open files from filter reads. - Reduce max concurrent aios to avoid EMFILE with many devices. - Fix lvconvert conversion attempts to linear. - Fix lvconvert raid0/raid0_meta -> striped regression. - Fix lvconvert --splitmirror for mirror type (2.02.178). - Do not pair cache policy and cache metadata format. - Fix mirrors honoring read_only_volume_list. - Reject conversions on raid1 LVs with split tracked SubLVs. - Reject conversions on raid1 split tracked SubLVs. - Fix dmstats list failing when no regions exist. - Reject conversions of LVs under snapshot. - Limit suggested options on incorrect option for lvconvert subcommand. 
- Add dm_tree_node_add_thin_pool_target_v1 with crop_metadata support. - Add support for VDO in blkdeactivate script. - Try to remove all created devices on dm preload tree error path. - Fix dm_list iterators with gcc 10 optimization (-ftree-pta). - Dmeventd handles timer without looping on short intervals. - Add support for DM_DEVICE_GET_TARGET_VERSION. - Add debug of dmsetup udevcomplete with hexa print DM_COOKIE_COMPLETED. - Fix versioning of dm_stats_create_region and dm_stats_create_region. - Parsing of cache status understand no_discard_passdown. - Ensure migration_threshold for cache is at least 8 chunks. - Enhance ioctl flattening and add parameters only when needed. - Add DM_DEVICE_ARM_POLL for API completeness matching kernel. - Do not add parameters for RESUME with DM_DEVICE_CREATE dm task. - Fix dmstats report printing no output. - Add hot fix to avoiding locking collision when monitoring thin-pools. - Add vdo plugin for monitoring VDO devices. - Relevant changes for 'lvm.conf' - [value change] global/cache_check_executable: 'autodetect' to '/usr/sbin/cache_check' - [value change] global/cache_dump_executable = 'autodetect' to '/usr/sbin/cache_dump' - [value change] global/cache_repair_executable: 'autodetect' to '/usr/sbin/cache_repair' - [value change] global/cache_check_options: [ '-q' ] to [ '-q', '--clear-needs-check-flag' ] - [value change] dmeventd/executable: '' to '/usr/sbin/dmeventd' - [item add] devices/scan_lvs = 0. 
- [item add] allocation/thin_pool_crop_metadata = 0 - [item add] allocation/zero_metadata = 1 - [item add] global/fsadm_executable = '/usr/sbin/fsadm' - [item add] global/io_memory_size = 8192 - [item add] log/debug_classes: add 'io' - [item add] dmeventd/raid_library = 'libdevmapper-event-lvm2raid.so' - [item add] add section tags - [no support] global/fallback_to_lvm1 - [no support] global/format - [no support] detect_internal_vg_cache_corruption = 0 ----------------------------------------- Patch: SUSE-2021-3215 Released: Thu Sep 23 16:26:31 2021 Summary: Security update for sqlite3 Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2016-6153,CVE-2017-10989,CVE-2017-2518,CVE-2018-20346,CVE-2018-8740,CVE-2019-16168,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2019-8457,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 Description: This update for sqlite3 fixes the following issues: sqlite3 is sync version 3.36.0 from Factory (jsc#SLE-16032). 
The following CVEs have been fixed in upstream releases up to this point, but were not mentioned in the change log so far: * bsc#1173641, CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization * bsc#1164719, CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator * bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error * bsc#1160438, CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input * bsc#1160309, CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference * bsc#1159850, CVE-2019-19924: improper error handling in sqlite3WindowRewrite() * bsc#1159847, CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive * bsc#1159715, CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c * bsc#1159491, CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference * bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name * bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns * bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements * bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service * bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER 
BY usage * bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability * bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names * CVE-2020-13434 bsc#1172115: integer overflow in sqlite3_str_vappendf * CVE-2020-13630 bsc#1172234: use-after-free in fts3EvalNextRow * CVE-2020-13631 bsc#1172236: virtual table allowed to be renamed to one of its shadow tables * CVE-2020-13632 bsc#1172240: NULL pointer dereference via crafted matchinfo() query * CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------- Patch: SUSE-2021-3230 Released: Mon Sep 27 11:19:10 2021 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1190858 Description: This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in SUSE Linux Enterprise 12 and older. 
(bsc#1190858) ----------------------------------------- Patch: SUSE-2021-3290 Released: Wed Oct 6 16:44:45 2021 Summary: Security update for glibc Severity: moderate References: 1186489,CVE-2021-33574 Description: This update for glibc fixes the following issues: - CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489) ----------------------------------------- Patch: SUSE-2021-3320 Released: Wed Oct 6 19:31:52 2021 Summary: Recommended update for less Severity: low References: 1190552 Description: This update for less fixes the following issues: - Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552) ----------------------------------------- Patch: SUSE-2021-3329 Released: Mon Oct 11 15:31:42 2021 Summary: Recommended update for gcc11 Severity: moderate References: 1187153,1187273,1188623 Description: This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories. Changes done in GCC11 are documented on: https://gcc.gnu.org/gcc-11/changes.html This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler. To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' ----------------------------------------- Patch: SUSE-2021-3332 Released: Mon Oct 11 17:02:35 2021 Summary: Security update for curl Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 Description: This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). 
----------------------------------------- Patch: SUSE-2021-3341 Released: Tue Oct 12 11:07:42 2021 Summary: Recommended update for dracut Severity: moderate References: 1187470,1187774,1188376,1188378,1189545 Description: This update for dracut fixes the following issues: - Fix for dependency loop when starting emergency shell. (bsc#1188376) - Fix for emergency shell when it is failed to start. (bsc#1188378) - Fix obsolete reference to 96insmodpost in manpage. (bsc#1187774) - Fix usage information for -f parameter. (bsc#1187470) - Fix ordering cycle that caused boot hang. (bsc#1189545) ----------------------------------------- Patch: SUSE-2021-3452 Released: Mon Oct 18 09:28:59 2021 Summary: Security update for iproute2 Severity: moderate References: 1085669,1171452,CVE-2019-20795 Description: This update for iproute2 fixes the following issues: - CVE-2019-20795: Fixed a use-after-free vulnerability in get_netnsid_from_name. (bsc#1171452) ----------------------------------------- Patch: SUSE-2021-3475 Released: Wed Oct 20 08:41:48 2021 Summary: Security update for util-linux Severity: moderate References: 1178236,1188921,CVE-2021-37600 Description: This update for util-linux fixes the following issues: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921) ----------------------------------------- Patch: SUSE-2021-3491 Released: Wed Oct 20 16:37:15 2021 Summary: Security update for ncurses Severity: moderate References: 1190793,CVE-2021-39537 Description: This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. 
(bsc#1190793) ----------------------------------------- Patch: SUSE-2021-3503 Released: Fri Oct 22 15:17:33 2021 Summary: Recommended update for libsolv, libzypp, zypper Severity: moderate References: 1179847,1186503,1187760,1190530,1191286 Description: This update for libsolv, libzypp, zypper fixes the following issues: - Turn on rich dependency handling needed for ptf support. (bsc#1190530) - Rebuild all caches to make sure rich dependency handling is enabled. (bsc#1190530) - Fix solver jobs for PTFs. (bsc#1186503) - Add support for PTFs. (jsc#SLE-17973, jsc#SLE-17974) - Identify well-known category names for better sorting. (bsc#1179847) - Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760) - Don't probe for plaindir repo if URL schema is plugin. (bsc#1191286) ----------------------------------------- Patch: SUSE-2021-3504 Released: Fri Oct 22 15:39:31 2021 Summary: Recommended update for pam Severity: moderate References: Description: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) ----------------------------------------- Patch: SUSE-2021-3518 Released: Tue Oct 26 15:21:16 2021 Summary: Recommended update for cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp, xmlsec1 Severity: moderate References: 1187784 Description: This update of cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp and xmlsec1 rebuilds the packages with a symbol versioned openssl, to allow later migration to a TLS 1.3 enabled openssl 1.1.1. This update contains no other functional changes. 
-----------------------------------------
Patch: SUSE-2021-3611
Released: Thu Nov 4 11:14:44 2021
Summary: Security update for systemd
Severity: moderate
References: 1171962,1180225,1188018,1188063,1188291,1189480,1191399,CVE-2021-33910
Description:
This update for systemd fixes the following issues:
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- Add timestamp to D-Bus events to improve traceability. (jsc#SLE-21894)
- busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225, jsc#SLE-21894)
- sysctl: configure kernel parameters in the order they occur in each sysctl configuration file (bsc#1191399)
- basic/unit-name: do not use strdupa() on a path (bsc#1188063, CVE-2021-33910)
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
- units: make fsck/growfs/makefs/makeswap units conflict against shutdown.target
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
- Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291)
- Allow systemd sysusers config files to be overridden during system installation (bsc#1171962)
-----------------------------------------
Patch: SUSE-2021-3652
Released: Wed Nov 10 17:40:12 2021
Summary: Security update for pcre
Severity: moderate
References: 1025709,1030066,1030803,1030805,1030807,1172973,1172974,CVE-2017-6004,CVE-2017-7186,CVE-2017-7244,CVE-2017-7245,CVE-2017-7246,CVE-2019-20838,CVE-2020-14155
Description:
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
- CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
- CVE-2017-7245: Fixed buffer overflow in pcre32_copy_substring (bsc#1030805).
- CVE-2017-7246: Fixed another buffer overflow in pcre32_copy_substring (bsc#1030803).
- CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
- CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).
-----------------------------------------
Patch: SUSE-2021-3664
Released: Tue Nov 16 10:14:26 2021
Summary: Recommended update for pam
Severity: moderate
References:
Description:
This update for pam fixes the following issues:
- pam_cracklib: backported code from SLE-15 to check whether the password contains a substring of the user's name of at least a certain length in some form. (jsc#SLE-22182)
-----------------------------------------
Patch: SUSE-2021-3819
Released: Wed Dec 1 09:33:38 2021
Summary: Optional update for cracklib
Severity: low
References: 1191736
Description:
This optional update for cracklib fixes the following issue:
- Execute the test while building the package. (bsc#1191736)
-----------------------------------------
Patch: SUSE-2021-3837
Released: Wed Dec 1 16:07:04 2021
Summary: Security update for ruby2.1
Severity: important
References: 1177125,1188160,1188161,1190375,CVE-2020-25613,CVE-2021-31799,CVE-2021-31810,CVE-2021-32066
Description:
This update for ruby2.1 fixes the following issues:
- CVE-2020-25613: Fixed potential HTTP request smuggling in WEBrick (bsc#1177125).
- CVE-2021-31799: Fixed command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed Net::FTP trusting the host address in FTP PASV responses (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net::IMAP (bsc#1188160).
-----------------------------------------
Patch: SUSE-2021-3878
Released: Thu Dec 2 09:13:51 2021
Summary: Security update for gmp
Severity: moderate
References: 1192717,CVE-2021-43618
Description:
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------
Patch: SUSE-2021-3882
Released: Thu Dec 2 11:46:25 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460):
- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for China
-----------------------------------------
Patch: SUSE-2021-3889
Released: Fri Dec 3 10:19:22 2021
Summary: Recommended update for permissions
Severity: moderate
References: 1191194
Description:
This update for permissions fixes the following issues:
Update to version 20170707:
* add capability for prometheus-blackbox_exporter (bsc#1191194)
-----------------------------------------
Patch: SUSE-2021-3894
Released: Fri Dec 3 10:46:06 2021
Summary: Recommended update for bzip2
Severity: low
References: 1191648
Description:
This update for bzip2 fixes the following issues:
- Enable build-time tests of bzip2. (bsc#1191648)
-----------------------------------------
Patch: SUSE-2021-3931
Released: Mon Dec 6 11:17:00 2021
Summary: Recommended update for curl
Severity: moderate
References: 1192790
Description:
This update for curl fixes the following issues:
- Fix sftp-via-proxy failure in curl by preventing libssh from creating the socket (bsc#1192790)
-----------------------------------------
Patch: SUSE-2021-3965
Released: Tue Dec 7 10:08:23 2021
Summary: Recommended update for nghttp2
Severity: moderate
References: 1192681
Description:
This update for nghttp2 fixes the following issue:
- libnghttp2-devel was missing from the SDK. (bsc#1192681)
-----------------------------------------
Patch: SUSE-2021-3966
Released: Tue Dec 7 15:12:55 2021
Summary: Recommended update for suse-module-tools
Severity: moderate
References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
Description:
This update for suse-module-tools fixes the following issues:
Update to version 12.11:
Import kernel scriptlets from kernel-source
* rpm-script: fix bad exit status in OpenQA (bsc#1191922)
* cert-script: Deal with existing $cert.delete file (bsc#1191804).
* cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480).
* cert-script: Only print mokutil output in verbose mode.
* inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200)
* kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
* rpm-script: link config also into /boot (bsc#1189879)
* Import kernel scriptlets from kernel-source. (bsc#1189841, bsc#1190598)
* Provide 'suse-kernel-rpm-scriptlets'
-----------------------------------------
Patch: SUSE-2021-4006
Released: Mon Dec 13 11:22:59 2021
Summary: Recommended update for zlib
Severity: moderate
References: 1192688
Description:
This update for zlib fixes the following issues:
- Fix incorrect result of hardware compression on z15 hardware (bsc#1192688)
-----------------------------------------
Patch: SUSE-2021-4108
Released: Fri Dec 17 06:08:28 2021
Summary: Recommended update for openssl-1_0_0
Severity: moderate
References: 1180995,1190885
Description:
This update for openssl-1_0_0 fixes the following issues:
- Fix looking up parameters by the names ffdheXXXX and modp_XXXX, which sometimes resulted in 'not found' (bsc#1190885)
- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters (bsc#1180995)
-----------------------------------------
Patch: SUSE-2021-4140
Released: Tue Dec 21 17:04:37 2021
Summary: Recommended update for bash
Severity: moderate
References: 1192785
Description:
This update for bash fixes the following issues:
- Fixed an issue where 'setuid' caused permission denied on 'popen'. (bsc#1192785)
-----------------------------------------
Patch: SUSE-2021-4196
Released: Wed Dec 29 05:34:15 2021
Summary: Recommended update for yast2, yast2-installation and yast2-update
Severity: important
References: 1085212,1089647,1173133,1180142,1186371
Description:
This update for yast2, yast2-installation and yast2-update fixes the following issues:
yast2:
- Command line interface: Do not start a UI while evaluating current language settings (bsc#1173133)
- Fix creating snapshots after installation or offline upgrade (bsc#1180142)
- Display error message in case of issues when reading/writing snapshots number (bsc#1180142)
- `save_y2logs`: save kernel messages and udev log (bsc#1089647, bsc#1085212)
yast2-installation:
- Ensure correct alignment when shrinking a PReP partition (bsc#1186371)
- Display error message in case of issues when creating a snapshot after installing or before upgrading the system (bsc#1180142)
yast2-update:
- Fix creating snapshots after installation or offline upgrade (bsc#1180142)
- Display error message in case of issues when creating a snapshot after installing or before upgrading the system (bsc#1180142)
-----------------------------------------
Patch: SUSE-2021-4199
Released: Thu Dec 30 05:41:45 2021
Summary: Recommended update for curl
Severity: moderate
References: 1193483
Description:
This update for curl fixes the following issues:
- libcurl-devel: Add an explicit dependency on libnghttp2-devel since it is not autodetected (bsc#1193483)
-----------------------------------------
Patch: SUSE-2022-3
Released: Mon Jan 3 08:27:47 2022
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1193480
Description:
This update for libgcrypt fixes the following issues:
- Fix function gcry_mpi_sub_ui subtracting from a negative value (bsc#1193480)
-----------------------------------------
Patch: SUSE-2022-85
Released: Mon Jan 17 09:23:21 2022
Summary: Recommended update for patterns-sles
Severity: moderate
References:
Description:
This update for patterns-sles fixes the following issues:
- Include newly added libopenssl-1_1-hmac for openssl 1.1 (jsc#SLE-23033)
-----------------------------------------
Patch: SUSE-2022-179
Released: Tue Jan 25 14:18:44 2022
Summary: Security update for expat
Severity: important
References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827
Description:
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
-----------------------------------------
Patch: SUSE-2022-315
Released: Thu Feb 3 10:06:41 2022
Summary: Recommended update for wicked
Severity: moderate
References: 1029961,1057592,1156920,1160654,1177215,1178357,1181163,1181186,1181812,1182227,1183407,1183495,1188019,1189560,1192164,1192311,1192353,1194392,954329
Description:
This update for wicked fixes the following issues:
- Fix device rename issue when done via Yast2 (bsc#1194392)
- Prepare RPM packaging for migration of dbus configuration files from /etc to /usr; this change does not affect SUSE Linux Enterprise 12 (bsc#1183407, jsc#SLE-9750)
- Prepare RPM packaging for merging of /bin and /usr/bin directories; this merge does not affect SUSE Linux Enterprise 12 (bsc#1029961)
- Parse sysctl files in the correct order (bsc#1181186)
- Fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- Add option for dhcp4 to set route pref-src to the DHCP IP (bsc#1192353)
- Cleanup warnings, time calculations and add dhcp fixes to reduce resource usage (bsc#1188019)
- Avoid sysfs attribute read error when the kernel has already deleted the TUN/TAP interface (bsc#1192311)
- Fix warning in `ifstatus` about unexpected interface flag combination (bsc#1192164)
- Fix `ifstatus` not to show link as 'up' when interface is not running
- Make firewalld zone assignment permanent (bsc#1189560)
- Cleanup and improve ifconfig and ifpolicy access utilities
- Initial fixes for dracut integration and improved option handling (bsc#1182227)
- Fix `nanny` to identify node owner exit condition
- Using wicked without nanny is no longer supported and the use-nanny=false configuration option was removed
- Add `ethtool --get-permanent-address` option in the client
- Fix `ifup` to refresh link state of network interface after being unenslaved from an unconfigured master (bsc#954329)
- Prevent re-triggering Duplicate Address Detection on address updates when it is not needed (bsc#1177215)
- Fix Network Information Service configuration (bsc#1181812)
- Reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- Migrate wireless to wpa-supplicant v1 DBus interface (bsc#1156920)
- Support multiple wireless network configurations per interface
- Show wireless connection status and scan results (bsc#1160654)
- Fix eap-tls,ttls certificate handling and fix open vs. shared wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
- Updated `man ifcfg-wireless` manual pages
-----------------------------------------
Patch: SUSE-2022-323
Released: Thu Feb 3 16:53:34 2022
Summary: Security update for samba
Severity: critical
References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048,CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
Description:
This update contains a major security update for Samba.
samba has received security fixes:
- CVE-2021-44141: Information leak via symlinks of the existence of files or directories outside of the exported share (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services (bsc#1195048);
samba was updated to version 4.15.4; (jsc#SLE-23330);
+ CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519);
+ CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227);
- Build samba with embedded talloc, pytalloc, pytalloc-util, tdb, pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries. The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and their manpages in /usr/lib[64]/samba/man. This avoids removing old functionality.
samba was updated to 4.15.4:
* Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939);
* Cross device copy of the crossrename module always fails; (bso#14940);
* symlinkat function from VFS cap module always fails with an error; (bso#14941);
* Fix possible fsp pointer dereference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944);
* 'smbd --build-options' no longer works without an smb.conf file; (bso#14945);
- Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages, as there were dependency problems every time one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink created by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba
sssd was updated:
- Build with the newer samba versions; (jsc#SLE-23330);
- Fix a dependency loop by moving internal libraries to sssd-common package; (bsc#1182058);
p11-kit was updated:
Update to 0.23.2; (jsc#SLE-23330);
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Fix multiple integer overflows in rpc code (bsc#1180064, CVE-2020-29361)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993)
ca-certificates was updated:
- p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330)
This update also ships:
- libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requirements of the newer samba.
apparmor was updated:
- Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330);
yast2-samba-client was updated:
- With latest versions of samba (>=4.15.0) calling 'net ads lookup' with '-U%' fails; (boo#1193533).
- yast-samba-client fails to join if /etc/samba/smb.conf or /etc/krb5.conf don't exist; (bsc#1089938)
- Do not stop nmbd while nmbstatus is running, it is not necessary anymore; (bsc#1158916);
-----------------------------------------
Patch: SUSE-2022-441
Released: Wed Feb 16 14:21:59 2022
Summary: Security update for glibc
Severity: important
References: 1191835,1192620,1193478,1194640,1194768,1194770,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219
Description:
glibc was updated to fix the following issues:
Security issues fixed:
- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
Bugs fixed:
- Make endian-conversion macros always return correct types (bsc#1193478, BZ #16458)
- Allow dlopen of filter object to work (bsc#1192620, BZ #16272)
- x86: fix stack alignment in cancelable syscall stub (bsc#1191835)
-----------------------------------------
Patch: SUSE-2022-495
Released: Fri Feb 18 10:40:22 2022
Summary: Security update for expat
Severity: important
References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990
Description:
This update for expat fixes the following issues:
- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
-----------------------------------------
Patch: SUSE-2022-517
Released: Fri Feb 18 12:44:17 2022
Summary: Recommended update for openldap2
Severity: moderate
References: 1193296
Description:
This update for openldap2 fixes the following issues:
- Resolve double free in sssvlv overlay (bsc#1193296).
-----------------------------------------
Patch: SUSE-2022-521
Released: Fri Feb 18 12:46:15 2022
Summary: Recommended update for coreutils
Severity: moderate
References: 1190354
Description:
This update for coreutils fixes the following issues:
- Remove problematic special leaf optimization cases for XFS that can lead to du crashes. (bsc#1190354)
-----------------------------------------
Patch: SUSE-2022-673
Released: Wed Mar 2 13:19:54 2022
Summary: Recommended update for sudo
Severity: moderate
References: 1181703
Description:
This update for sudo fixes the following issues:
- Add support in the LDAP filter for negated users (jsc#SLE-20068)
- Restrict use of 'sudo -U other -l' to users who have permission to run commands as that user (bsc#1181703, jsc#SLE-22569)
-----------------------------------------
Patch: SUSE-2022-693
Released: Thu Mar 3 16:04:04 2022
Summary: Security update for cyrus-sasl
Severity: important
References: 1196036,CVE-2022-24407
Description:
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
-----------------------------------------
Patch: SUSE-2022-698
Released: Thu Mar 3 16:35:26 2022
Summary: Security update for expat
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
Description:
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible insertion of namespace-separator characters into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------
Patch: SUSE-2022-785
Released: Thu Mar 10 09:53:23 2022
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1194845,1196494,1196495
Description:
This update for suse-build-key fixes the following issues:
- Extended expiry of SUSE PTF key, moved it to suse_ptf_key_old.asc
- Added new SUSE PTF key with RSA 2048 bit as suse_ptf_key.asc (bsc#1196494)
- Extended expiry of SUSE SLES11 key (bsc#1194845)
- Added SUSE Container signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- Removed old security key.
-----------------------------------------
Patch: SUSE-2022-842
Released: Tue Mar 15 11:32:49 2022
Summary: Security update for expat
Severity: important
References: 1196025,1196784,CVE-2022-25236
Description:
This update for expat fixes the following issues:
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
-----------------------------------------
Patch: SUSE-2022-857
Released: Tue Mar 15 19:33:24 2022
Summary: Security update for openssl-1_0_0
Severity: important
References: 1196249,1196877,CVE-2022-0778
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
- Allow CRYPTO_THREADID_set_callback to be called with NULL parameter (bsc#1196249).
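CVE-2022-24407 in the cyrus-sasl entry above is a plain SQL injection: sql_auxprop_store spliced a user-controlled property value into the UPDATE statement text. The following is an added example, not cyrus-sasl code: the same bug pattern and its fix, run against a constructed sqlite3 table (table and column names are invented), showing how a single quote in the value being stored rewrites a column the caller never meant to touch.

```python
"""Added example, not cyrus-sasl code: the SQL injection pattern behind
CVE-2022-24407 (value spliced into SQL text) next to the parameterised fix.
Table, column names and rows are constructed for the demo."""
import sqlite3


def setup_db():
    """Constructed table standing in for a SASL auxprop SQL backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sasl_auth (username TEXT, userPassword TEXT, role TEXT)")
    db.executemany("INSERT INTO sasl_auth VALUES (?, ?, ?)",
                   [("alice", "a-secret", "admin"), ("bob", "b-secret", "user")])
    return db


def store_unsafe(db, username, value):
    """Vulnerable pattern: the property value becomes part of the SQL text.
    A quote inside the value terminates the string literal, and whatever
    follows is executed as SQL with the backend's privileges."""
    sql = "UPDATE sasl_auth SET userPassword = '%s' WHERE username = '%s'" % (value, username)
    db.execute(sql)
    db.commit()


def store_safe(db, username, value):
    """Fixed pattern: the value is bound as a parameter, so the driver sends
    it as data and it can never change the statement's structure."""
    db.execute("UPDATE sasl_auth SET userPassword = ? WHERE username = ?",
               (value, username))
    db.commit()


def row(db, username):
    """(userPassword, role) for one user, or None."""
    return db.execute("SELECT userPassword, role FROM sasl_auth WHERE username = ?",
                      (username,)).fetchone()


# A "new password" a user controls when a server stores a property for them.
# Against store_unsafe it closes the literal and appends a second assignment.
PAYLOAD = "pwned', role = 'admin"


if __name__ == "__main__":
    db = setup_db()
    store_unsafe(db, "bob", PAYLOAD)
    print("unsafe:", row(db, "bob"))   # role silently escalated
    db = setup_db()
    store_safe(db, "bob", PAYLOAD)
    print("safe:  ", row(db, "bob"))   # payload stored literally, role unchanged
```

The unsafe statement becomes `UPDATE sasl_auth SET userPassword = 'pwned', role = 'admin' WHERE username = 'bob'`; the safe one stores the whole payload string as bob's password and leaves the role alone. When auditing C code such as the cyrus-sasl plugin, the equivalent tell-tale is a `snprintf`/`strcat` building the statement from request data, and the fix is prepared statements or, failing that, the backend's own escaping routine.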
-----------------------------------------
Patch: SUSE-2022-883
Released: Wed Mar 16 16:29:20 2022
Summary: Recommended update for patterns-sles
Severity: moderate
References: 1196307
Description:
This update for patterns-sles fixes the following issues:
- In the FIPS pattern, downgrade the Requires on libopenssl-1_1-hmac to Recommends, to avoid explicitly pulling in a perhaps unneeded openssl 1.1.1 (bsc#1196307)
-----------------------------------------
Patch: SUSE-2022-1019
Released: Tue Mar 29 13:21:17 2022
Summary: Recommended update for pcre
Severity: low
References: 1196187
Description:
This update for pcre fixes the following issue:
- Add devel package to HA channels. (bsc#1196187)
-----------------------------------------
Patch: SUSE-2022-1023
Released: Tue Mar 29 15:34:47 2022
Summary: Security update for zlib
Severity: important
References: 1197459,CVE-2018-25032
Description:
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
-----------------------------------------
Patch: SUSE-2022-1067
Released: Thu Mar 31 12:55:00 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1195628,1196107
Description:
This update for gcc11 fixes the following issues:
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a Requires from that package to the corresponding libstdc++6 package to keep those at the same version. [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
-----------------------------------------
Patch: SUSE-2022-1104
Released: Mon Apr 4 17:48:11 2022
Summary: Recommended update for util-linux
Severity: important
References: 1172427,1194642
Description:
This update for util-linux fixes the following issues:
- Improve throughput and reduce clock sequence increments for high-load situations with time-based version 1 UUIDs. (bsc#1194642)
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Warn if uuidd lock state is not usable. (bsc#1194642)
- Fix 'su -s' bash completion. (bsc#1172427)
-----------------------------------------
Patch: SUSE-2022-1117
Released: Tue Apr 5 18:32:13 2022
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not on 03-26
  * `zdump -v` now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data
-----------------------------------------
Patch: SUSE-2022-1140
Released: Fri Apr 8 16:30:48 2022
Summary: Security update for python
Severity: moderate
References: 1187784,1194146,1195396,CVE-2021-4189,CVE-2022-0391
Description:
This update for python rebuilds python against a symbol-versioned openssl 1.0.2 to allow usage with openssl 1.1.1.
Also the following security issues are fixed:
- CVE-2022-0391: Fixed sanitizing of URLs containing ASCII newline and tabs in urlparse (bsc#1195396).
- CVE-2021-4189: Make ftplib not trust the PASV response (bsc#1194146).
-----------------------------------------
Patch: SUSE-2022-1160
Released: Tue Apr 12 14:49:18 2022
Summary: Security update for xz
Severity: important
References: 1198062,CVE-2022-1271
Description:
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
-----------------------------------------
Patch: SUSE-2022-1169
Released: Tue Apr 12 18:19:42 2022
Summary: Recommended update for systemd
Severity: moderate
References: 1180225,1190984,1191502,1193841,1195529,1195899
Description:
This update for systemd fixes the following issues:
- Core: make sure we always free the list of changes
- Install: correctly report symlink creations
- Core: make sure we generate a nicer error when a linked unit is attempted to be enabled
- Install: unify checking whether operations may be applied to a unit file in a new function
- Install: fix errno handling
- Allow 'edit' and 'cat' on unloaded units
- Don't open /var journals in volatile mode when runtime_journal==NULL
- udev: handle duplicate device ID (bsc#1195529)
- man: tweak description of auto/noauto (bsc#1191502)
- systemd-coredump: allow setting external core size to infinity (bsc#1195899, jsc#SLE-23869, jsc#SLE-23871)
- systemctl: exit with 1 if no unit files found (bsc#1193841)
- umount: show correct error message
- core/umount: fix uninitialized fields in MountPoint
- umount: Add more asserts and remove some unused arguments, fix memory leak
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225, jsc#SLE-21861)
-----------------------------------------
Patch: SUSE-2022-1178
Released: Wed Apr 13 15:44:35 2022
Summary: Recommended update for ca-certificates, p11-kit
Severity: moderate
References: 1196443,1196812
Description:
This update for ca-certificates, p11-kit fixes the following issues:
Changes in p11-kit:
- call update-ca-certificates in the post scriptlet to make sure certs are regenerated even if ca-certificates was installed before p11-kit for whatever reason (bsc#1196443)
- make sure p11-kit components have matching versions (bsc#1196812)
Changes in ca-certificates:
- Require p11-kit-tools > 0.23.1 as older versions don't support pem-directory-hash (bsc#1196443, bsc#1196812)
-----------------------------------------
Patch: SUSE-2022-1209
Released: Thu Apr 14 13:30:22 2022
Summary: Recommended update for libsolv, libzypp
Severity: moderate
References: 1189622,1194848,1195485,184501
Description:
This update for libsolv, libzypp fixes the following issues:
- fix memory leaks in SWIG generated code
- fix misparsing with libxml2
- try to keep packages from a cycle close together in the transaction order (bsc#1189622)
- fix split provides not working if the update includes a forbidden vendor change (bsc#1195485)
- fix segfault on conflict resolution when using bindings
- do not replace noarch problem rules with arch-dependent ones in problem reporting
- fix and simplify pool_vendor2mask implementation
- Hint on PTF resolver conflicts (bsc#1194848)
- Fix package signature check (bsc#184501): make sure that both header and payload are secured by a valid signature, and report in more detail which signature is missing.
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
-----------------------------------------
Patch: SUSE-2022-1272
Released: Wed Apr 20 09:07:17 2022
Summary: Security update for gzip
Severity: important
References: 1198062,CVE-2022-1271
Description:
This update for gzip fixes the following issues:
- CVE-2022-1271: Fixed incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
-----------------------------------------
Patch: SUSE-2022-1282
Released: Wed Apr 20 12:28:40 2022
Summary: Recommended update for bash
Severity: moderate
References: 1197674
Description:
This update for bash fixes the following issues:
- Fix memory leak in array assignment (bsc#1197674)
-----------------------------------------
Patch: SUSE-2022-1308
Released: Fri Apr 22 16:07:40 2022
Summary: Security update for libxml2
Severity: important
References: 1196490,CVE-2022-23308
Description:
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)
-----------------------------------------
Patch: SUSE-2022-1650
Released: Thu May 12 17:14:05 2022
Summary: Security update for gzip
Severity: important
References: CVE-2022-1271
Description:
This update for gzip fixes the following issues:
- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)
-----------------------------------------
Patch: SUSE-2022-1680
Released: Mon May 16 11:09:42 2022
Summary: Security update for curl
Severity: moderate
References: 1198614,1198766,CVE-2022-22576,CVE-2022-27776
Description:
This update for curl fixes the following issues:
- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)
-----------------------------------------
Patch: SUSE-2022-1682
Released: Mon May 16 11:10:34 2022
Summary: Recommended update for systemd
Severity: low
References: 1199273
Description:
This update for systemd syncs internal package requirements, but has otherwise no code or functional changes compared to the last update. (bsc#1199273)
-----------------------------------------
Patch: SUSE-2022-1695
Released: Tue May 17 09:14:13 2022
Summary: Security update for e2fsprogs
Severity: important
References: 1198446,CVE-2022-1304
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)
-----------------------------------------
Patch: SUSE-2022-1701
Released: Tue May 17 12:10:11 2022
Summary: Recommended update for augeas
Severity: moderate
References: 1197443
Description:
This update for augeas fixes the following issues:
- Fix handling of keywords in new sysctl.conf (bsc#1197443)
-----------------------------------------
Patch: SUSE-2022-1771
Released: Fri May 20 15:01:22 2022
Summary: Security update for openldap2
Severity: important
References: 1198383,1199240,CVE-2022-29155
Description:
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
- Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).
-----------------------------------------
Patch: SUSE-2022-1805
Released: Mon May 23 11:06:28 2022
Summary: Security update for curl
Severity: important
References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782
Description:
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed too eager reuse of TLS and SSH connections (bsc#1199224)
-----------------------------------------
Patch: SUSE-2022-1833
Released: Tue May 24 15:14:20 2022
Summary: Security update for libxml2
Severity: important
References: 1069689,1199132,CVE-2017-16932,CVE-2022-29824
Description:
This update for libxml2 fixes the following issues:
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
- CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).
-----------------------------------------
Patch: SUSE-2022-1877
Released: Mon May 30 00:12:34 2022
Summary: Recommended update for audit
Severity: moderate
References: 1196645
Description:
This update for audit fixes the following issues:
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
-----------------------------------------
Patch: SUSE-2022-1926
Released: Thu Jun 2 16:06:59 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1192951,1193659,1195283,1196861,1197065
Description:
This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.
* includes SLS hardening backport on x86_64. [bsc#1195283]
* includes change to adjust gnat's idea of the target, fixing the build of gprbuild. [bsc#1196861]
* Fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
* Fixes issue with debug dumping together with -o /dev/null
* Fixes libgccjit issue showing up in emacs build [bsc#1192951]
* Package mwaitintrin.h
-----------------------------------------
Patch: SUSE-2022-2048
Released: Mon Jun 13 09:21:27 2022
Summary: Recommended update for zypper
Severity: moderate
References: 1196317,1198139
Description:
This update for zypper fixes the following issues:
- Improve return codes. (bsc#1198139)
- info: Fix SEGV with not installed PTFs. (bsc#1196317)
-----------------------------------------
Patch: SUSE-2022-2106
Released: Thu Jun 16 15:23:17 2022
Summary: Security update for openssl-1_0_0
Severity: important
References: 1199166,CVE-2022-1292
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
----------------------------------------- Patch: SUSE-2022-2181 Released: Fri Jun 24 14:28:53 2022 Summary: Security update for openssl Severity: moderate References: 1200550,CVE-2022-2068 Description: This update for openssl fixes the following issues: - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------- Patch: SUSE-2022-2248 Released: Mon Jul 4 08:51:26 2022 Summary: Security update for python Severity: important References: 1198511,CVE-2015-20107 Description: This update for python fixes the following issues: - CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511). ----------------------------------------- Patch: SUSE-2022-2288 Released: Wed Jul 6 12:55:49 2022 Summary: Security update for curl Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 Description: This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------- Patch: SUSE-2022-2334 Released: Fri Jul 8 10:12:23 2022 Summary: Security update for pcre Severity: important References: 1199232,CVE-2022-1586 Description: This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------- Patch: SUSE-2022-2381 Released: Wed Jul 13 10:47:00 2022 Summary: Recommended update for dracut Severity: moderate References: 1199453 Description: This update for dracut fixes the following issues: - Fix kernel name parsing in purge-kernels script (bsc#1199453) - Fix versioning so it gets installed when upgrading from older products (eg. 
from SLE-12.3) ----------------------------------------- Patch: SUSE-2022-2529 Released: Fri Jul 22 13:09:00 2022 Summary: Security update for gpg2 Severity: important References: 1201225,CVE-2022-34903 Description: This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). ----------------------------------------- Patch: SUSE-2022-2542 Released: Mon Jul 25 08:24:50 2022 Summary: Recommended update for less Severity: important References: 1200738 Description: This update for less fixes the following issues: - Fix startup terminal initialization (bsc#1200738) ----------------------------------------- Patch: SUSE-2022-2627 Released: Tue Aug 2 12:20:36 2022 Summary: Recommended update for apparmor Severity: important References: 1195463,1196850 Description: This update for apparmor fixes the following issues: - Add new rule to fix reported 'DENIED' audit records with Apparmor profile 'usr.sbin.smbd' (bsc#1196850) - Add new rule to allow reading of openssl.cnf (bsc#1195463) ----------------------------------------- Patch: SUSE-2022-2689 Released: Fri Aug 5 15:45:57 2022 Summary: Security update for dpkg Severity: low References: 1199944,CVE-2022-1664 Description: This update for dpkg fixes the following issues: - CVE-2022-1664: Fixed directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944). ----------------------------------------- Patch: SUSE-2022-2718 Released: Tue Aug 9 12:54:54 2022 Summary: Security update for ncurses Severity: moderate References: 1198627,CVE-2022-29458 Description: This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). 
----------------------------------------- Patch: SUSE-2022-2733 Released: Wed Aug 10 04:27:45 2022 Summary: Feature update for which Severity: moderate References: 1082318 Description: This feature update for which fixes the following issues: Update which to version 2.21 (jsc#SLE-24668, jsc#SLE-24667): - Upgraded code from bash to version 4.3 (now uses eaccess). - Fixed a bug related to getgroups / sysconfig that caused Which not to see more than 64 groups for a single user - Build system maintenance - Package license file correctly in the RPM (bsc#1082318) - Update project and source URL to GNU project - Correct usage of info scriplets ----------------------------------------- Patch: SUSE-2022-2847 Released: Thu Aug 18 16:30:39 2022 Summary: Security update for zlib Severity: important References: 1202175,CVE-2022-37434 Description: This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). 
----------------------------------------- Patch: SUSE-2022-2871 Released: Tue Aug 23 09:26:32 2022 Summary: Security update for p11-kit Severity: moderate References: 1180065,CVE-2020-29362 Description: This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread that could lead to crashes (bsc#1180065) ----------------------------------------- Patch: SUSE-2022-2897 Released: Thu Aug 25 16:26:46 2022 Summary: Recommended update for systemd-presets-branding-SLE Severity: moderate References: Description: This update for systemd-presets-branding-SLE fixes the following issues: - Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312) ----------------------------------------- Patch: SUSE-2022-2907 Released: Fri Aug 26 05:32:06 2022 Summary: Recommended update for openldap2 Severity: moderate References: 1198341 Description: This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------- Patch: SUSE-2022-2930 Released: Mon Aug 29 11:23:42 2022 Summary: Recommended update for timezone Severity: important References: 1202310 Description: This update for timezone fixes the following issue: - Reflect new Chile DST change (bsc#1202310) ----------------------------------------- Patch: SUSE-2022-2981 Released: Thu Sep 1 12:33:06 2022 Summary: Recommended update for util-linux Severity: moderate References: 1197178,1198731,1200842 Description: This update for util-linux fixes the following issues: - su: Change owner and mode for pty (bsc#1200842) - agetty: Resolve tty name even if stdin is specified (bsc#1197178) - libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731) - mesg: use only stat() to get the current terminal status (bsc#1200842) ----------------------------------------- Patch: SUSE-2022-3001 Released: Fri Sep 2 13:29:23 2022 Summary: Security update for json-c Severity: important References: 
1171479,CVE-2020-12762 Description: This update for json-c fixes the following issues: - CVE-2020-12762: Fixed an integer overflow that could lead to memory corruption via a large JSON file (bsc#1171479). Non-security fixes: - Updated to version 0.12.1 (jsc#PED-1778). ----------------------------------------- Patch: SUSE-2022-3005 Released: Fri Sep 2 15:02:47 2022 Summary: Security update for curl Severity: low References: 1202593,CVE-2022-35252 Description: This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------- Patch: SUSE-2022-3105 Released: Tue Sep 6 10:57:34 2022 Summary: Recommended update for keyutils Severity: moderate References: 1201929 Description: This update for keyutils fixes the following issues: - Apply default TTL to DNS records from getaddrinfo() (bsc#1201929) ----------------------------------------- Patch: SUSE-2022-3112 Released: Tue Sep 6 13:09:49 2022 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1181994,1188006,1199079,1202868 Description: This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC 
Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added CAs: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------- Patch: SUSE-2022-3208 Released: Thu Sep 8 12:28:09 2022 Summary: Security update for libnl3 Severity: moderate References: 1020123,CVE-2017-0386 Description: This update for libnl3 fixes the following issues: - CVE-2017-0386: Fixed an issue that could enable a local malicious application to execute arbitrary code within the context of a different process. This only affects setups were libnl is passed untrusted arguments. (bsc#1020123) ----------------------------------------- Patch: SUSE-2022-3382 Released: Mon Sep 26 12:34:19 2022 Summary: Security update for permissions Severity: moderate References: 1050467,1191194,1203018,CVE-2022-31252 Description: This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). - Add capability for prometheus-blackbox_exporter (bsc#1191194). - Make btmp root:utmp (bsc#1050467). 
----------------------------------------- Patch: SUSE-2022-3386 Released: Mon Sep 26 12:41:51 2022 Summary: Security update for unzip Severity: moderate References: 1196177,1196180,CVE-2022-0529,CVE-2022-0530 Description: This update for unzip fixes the following issues: - CVE-2022-0530: Fixed SIGSEGV during the conversion of an utf-8 string to a local string (bsc#1196177). - CVE-2022-0529: Fixed heap out-of-bound writes and reads during conversion of wide string to local string (bsc#1196180). ----------------------------------------- Patch: SUSE-2022-3389 Released: Mon Sep 26 12:52:13 2022 Summary: Recommended update for libgcrypt Severity: moderate References: 1200095 Description: This update for libgcrypt fixes the following issues: - FIPS: Auto-initialize drbg if needed. (bsc#1200095) ----------------------------------------- Patch: SUSE-2022-3401 Released: Mon Sep 26 17:18:52 2022 Summary: Security update for sqlite3 Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 Description: This update for sqlite3 fixes the following issues: Security issues fixed: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). sqlite3 was update to 3.39.3: * Use a statement journal on DML statement affecting two or more database rows if the statement makes use of a SQL functions that might abort. * Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA data_store_directory statements, even though they are decremented and documented as not being threadsafe. Update to 3.39.2: * Fix a performance regression in the query planner associated with rearranging the order of FROM clause terms in the presences of a LEFT JOIN. 
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum post 3607259d3c, and other minor problems discovered by internal testing. [boo#1201783] Update to 3.39.1: * Fix an incorrect result from a query that uses a view that contains a compound SELECT in which only one arm contains a RIGHT JOIN and where the view is not the first FROM clause term of the query that contains the view * Fix a long-standing problem with ALTER TABLE RENAME that can only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a very small value. * Fix a long-standing problem in FTS3 that can only arise when compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time option. * Fix the initial-prefix optimization for the REGEXP extension so that it works correctly even if the prefix contains characters that require a 3-byte UTF8 encoding. * Enhance the sqlite_stmt virtual table so that it buffers all of its output. Update to 3.39.0: * Add (long overdue) support for RIGHT and FULL OUTER JOIN * Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL standards * Add a new return code (value '3') from the sqlite3_vtab_distinct() interface that indicates a query that has both DISTINCT and ORDER BY clauses * Added the sqlite3_db_name() interface * The unix os interface resolves all symbolic links in database filenames to create a canonical name for the database before the file is opened * Defer materializing views until the materialization is actually needed, thus avoiding unnecessary work if the materialization turns out to never be used * The HAVING clause of a SELECT statement is now allowed on any aggregate query, even queries that do not have a GROUP BY clause * Many microoptimizations collectively reduce CPU cycles by about 2.3%. 
Update to 3.38.5: * Fix a blunder in the CLI of the 3.38.4 release Update to 3.38.4: * fix a byte-code problem in the Bloom filter pull-down optimization added by release 3.38.0 in which an error in the byte code causes the byte code engine to enter an infinite loop when the pull-down optimization encounters a NULL key Update to 3.38.3: * Fix a case of the query planner be overly aggressive with optimizing automatic-index and Bloom-filter construction, using inappropriate ON clause terms to restrict the size of the automatic-index or Bloom filter, and resulting in missing rows in the output. * Other minor patches. See the timeline for details. Update to 3.38.2: * Fix a problem with the Bloom filter optimization that might cause an incorrect answer when doing a LEFT JOIN with a WHERE clause constraint that says that one of the columns on the right table of the LEFT JOIN is NULL. * Other minor patches. - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). Update to 3.38.1: * Fix problems with the new Bloom filter optimization that might cause some obscure queries to get an incorrect answer. * Fix the localtime modifier of the date and time functions so that it preserves fractional seconds. * Fix the sqlite_offset SQL function so that it works correctly even in corner cases such as when the argument is a virtual column or the column of a view. * Fix row value IN operator constraints on virtual tables so that they work correctly even if the virtual table implementation relies on bytecode to filter rows that do not satisfy the constraint. * Other minor fixes to assert() statements, test cases, and documentation. See the source code timeline for details. Update to 3.38.0 * Add the -> and ->> operators for easier processing of JSON * The JSON functions are now built-ins * Enhancements to date and time functions * Rename the printf() SQL function to format() for better compatibility, with alias for backwards compatibility. 
* Add the sqlite3_error_offset() interface for helping localize an SQL error to a specific character in the input SQL text * Enhance the interface to virtual tables * CLI columnar output modes are enhanced to correctly handle tabs and newlines embedded in text, and add options like '--wrap N', '--wordwrap on', and '--quote' to the columnar output modes. * Query planner enhancements using a Bloom filter to speed up large analytic queries, and a balanced merge tree to evaluate UNION or UNION ALL compound SELECT statements that have an ORDER BY clause. * The ALTER TABLE statement is changed to silently ignores entries in the sqlite_schema table that do not parse when PRAGMA writable_schema=ON Update to 3.37.2: * Fix a bug introduced in version 3.35.0 (2021-03-12) that can cause database corruption if a SAVEPOINT is rolled back while in PRAGMA temp_store=MEMORY mode, and other changes are made, and then the outer transaction commits * Fix a long-standing problem with ON DELETE CASCADE and ON UPDATE CASCADE in which a cache of the bytecode used to implement the cascading change was not being reset following a local DDL change Update to 3.37.1: * Fix a bug introduced by the UPSERT enhancements of version 3.35.0 that can cause incorrect byte-code to be generated for some obscure but valid SQL, possibly resulting in a NULL- pointer dereference. * Fix an OOB read that can occur in FTS5 when reading corrupt database files. * Improved robustness of the --safe option in the CLI. * Other minor fixes to assert() statements and test cases. Update to 3.37.0: * STRICT tables provide a prescriptive style of data type management, for developers who prefer that kind of thing. * When adding columns that contain a CHECK constraint or a generated column containing a NOT NULL constraint, the ALTER TABLE ADD COLUMN now checks new constraints against preexisting rows in the database and will only proceed if no constraints are violated. * Added the PRAGMA table_list statement. 
* Add the .connection command, allowing the CLI to keep multiple database connections open at the same time. * Add the --safe command-line option that disables dot-commands and SQL statements that might cause side-effects that extend beyond the single database file named on the command-line. * CLI: Performance improvements when reading SQL statements that span many lines. * Added the sqlite3_autovacuum_pages() interface. * The sqlite3_deserialize() does not and has never worked for the TEMP database. That limitation is now noted in the documentation. * The query planner now omits ORDER BY clauses on subqueries and views if removing those clauses does not change the semantics of the query. * The generate_series table-valued function extension is modified so that the first parameter ('START') is now required. This is done as a way to demonstrate how to write table-valued functions with required parameters. The legacy behavior is available using the -DZERO_ARGUMENT_GENERATE_SERIES compile-time option. * Added new sqlite3_changes64() and sqlite3_total_changes64() interfaces. * Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2(). * Use less memory to hold the database schema. * bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert extension when a column has no collating sequence. ----------------------------------------- Patch: SUSE-2022-3466 Released: Thu Sep 29 11:43:25 2022 Summary: Security update for expat Severity: important References: 1203438,CVE-2022-40674 Description: This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). 
----------------------------------------- Patch: SUSE-2022-3526 Released: Wed Oct 5 12:38:20 2022 Summary: Recommended update for yast2-storage Severity: moderate References: 1197208 Description: This update for yast2-storage fixes the following issues: - Partitioner: PVs are not wrongly removed when resizing a VG (bsc#1197208) ----------------------------------------- Patch: SUSE-2022-3553 Released: Mon Oct 10 13:34:24 2022 Summary: Security update for python Severity: important References: 1202624,CVE-2021-28861 Description: This update for python fixes the following issues: - CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624). ----------------------------------------- Patch: SUSE-2022-3681 Released: Fri Oct 21 10:46:51 2022 Summary: Security update for libksba Severity: critical References: 1204357,CVE-2022-3515 Description: This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------- Patch: SUSE-2022-3717 Released: Tue Oct 25 10:17:36 2022 Summary: Security update for libxml2 Severity: important References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 Description: This update for libxml2 fixes the following issues: - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367). ----------------------------------------- Patch: SUSE-2022-3769 Released: Wed Oct 26 12:17:10 2022 Summary: Security update for curl Severity: important References: 1204383,CVE-2022-32221 Description: This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). 
----------------------------------------- Patch: SUSE-2022-3789 Released: Thu Oct 27 04:41:50 2022 Summary: Recommended update for permissions Severity: important References: 1203911 Description: This update for permissions fixes the following issues: - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------- Patch: SUSE-2022-3815 Released: Mon Oct 31 09:46:15 2022 Summary: Recommended update for sudo Severity: moderate References: 1177578,1201462 Description: This update for sudo fixes the following issues: - Ignore entries when converting LDAP to sudoers. Prevents empty host list being treated as 'ALL' wildcard (bsc#1201462) - Removed redundant and confusing 'secure_path' settings in sudo-sudoers file (bsc#1177578) ----------------------------------------- Patch: SUSE-2022-3817 Released: Mon Oct 31 12:05:29 2022 Summary: Security update for libtasn1 Severity: critical References: 1204690,CVE-2021-46848 Description: This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690). ----------------------------------------- Patch: SUSE-2022-3874 Released: Fri Nov 4 15:06:57 2022 Summary: Security update for expat Severity: important References: 1204708,CVE-2022-43680 Description: This update for expat fixes the following issues: - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708). 
----------------------------------------- Patch: SUSE-2022-3903 Released: Tue Nov 8 10:51:02 2022 Summary: Recommended update for openssl-1_0_0 Severity: moderate References: 1180995 Description: This update for openssl-1_0_0 fixes the following issues: - Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995) ----------------------------------------- Patch: SUSE-2022-3939 Released: Thu Nov 10 14:32:05 2022 Summary: Security update for rpm Severity: moderate References: 1183543,1183545,1183632,1183659,1185299,996280,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 Description: This update for rpm fixes the following issues: - Fixed PGP parsing bugs (bsc#1185299). - Fixed various format handling bugs (bsc#996280). - CVE-2021-3421: Fixed vulnerability where unsigned headers could be injected into the rpm database (bsc#1183543). - CVE-2021-20271: Fixed vulnerability where a corrupted rpm could corrupt the rpm database (bsc#1183545). - CVE-2021-20266: Fixed missing bounds check in hdrblobInit (bsc#1183632). Bugfixes: - Fixed deadlock when multiple rpm processes tried to acquire the database lock (bsc#1183659). 
----------------------------------------- Patch: SUSE-2022-3942 Released: Thu Nov 10 15:58:47 2022 Summary: Security update for glibc Severity: moderate References: 1193625,1196852,CVE-2015-8985 Description: This update for glibc fixes the following issues: - CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) - x86: fix stack alignment in pthread_cond_[timed]wait (bsc#1196852) - Recognize ppc64p7 arch to build for power7 ----------------------------------------- Patch: SUSE-2022-3962 Released: Mon Nov 14 07:34:23 2022 Summary: Recommended update for zlib Severity: important References: 1203652 Description: This update for zlib fixes the following issues: - Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652) ----------------------------------------- Patch: SUSE-2022-3980 Released: Tue Nov 15 11:16:52 2022 Summary: Recommended update for util-linux Severity: important References: 1081947,1201354 Description: This update for util-linux fixes the following issues: - Integrate pam_keyinit PAM module (bsc#1201354, bsc#1081947) ----------------------------------------- Patch: SUSE-2022-4065 Released: Fri Nov 18 10:40:05 2022 Summary: Recommended update for timezone Severity: important References: 1177460,1202324,1204649,1205156 Description: This update for timezone fixes the following issues: Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156): - Mexico will no longer observe DST except near the US border - Chihuahua moves to year-round -06 on 2022-10-30 - Fiji no longer observes DST - In vanguard form, GMT is now a Zone and Etc/GMT a link - zic now supports links to links, and vanguard form uses this - Simplify four Ontario zones - Fix a Y2438 bug when reading TZif data - Enable 64-bit time_t on 32-bit glibc platforms - Omit large-file support when no longer needed - Jordan and Syria switch from +02/+03 with DST to year-round +03 - Palestine transitions are now 
Saturdays at 02:00
- Simplify three Ukraine zones into one
- Work around awk bug
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z
-----------------------------------------
Patch: SUSE-2022-4237
Released: Fri Nov 25 18:20:52 2022
Summary: Recommended update for openldap2
Severity: low
References: 1203320
Description: This update for openldap2 fixes the following issues:
- Resolve broken symlinks in documentation (bsc#1203320)
-----------------------------------------
Patch: SUSE-2022-4245
Released: Mon Nov 28 10:53:20 2022
Summary: Recommended update for gcc12
Severity: moderate
References:
Description: This update for gcc12 fixes the following issues:
This update ships the GCC 12 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same-named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Toolchain Module.
To use the gcc12 compilers:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC 12 features, check out https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------
Patch: SUSE-2022-4275
Released: Tue Nov 29 15:33:58 2022
Summary: Security update for python
Severity: important
References: 1202666,1205244,CVE-2022-45061
Description: This update for python fixes the following issues:
- CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).
The following non-security bug was fixed:
- Making compileall.py compliant with year 2038, backport of fix to Python 2.7 (bsc#1202666, gh#python/cpython#79171).
-----------------------------------------
Patch: SUSE-2022-4279
Released: Tue Nov 29 15:44:34 2022
Summary: Security update for systemd
Severity: moderate
References: 1197244,1198507,1204968,CVE-2022-3821
Description: This update for systemd fixes the following issues:
- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 417bb0944e035969594fff83a3ab9c2ca9a56234
  * 20743c1a44 logind: fix crash in logind on user-specified message string
  * b971b5f085 tmpfiles: check the directory we were supposed to create, not its parent
  * 2850271ea6 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call
  * 3d3bd5fc8d systemd --user: call pam_loginuid when creating user@.service (#3120) (bsc#1198507)
  * 4b56c3540a parse-util: introduce pid_is_valid()
  * aa811a4c0c systemd-detect-virt: refine hypervisor detection (#7171) (bsc#1197244)
-----------------------------------------
Patch: SUSE-2022-4280
Released: Tue Nov 29 15:45:03 2022
Summary: Security update for sudo
Severity: important
References: 1197998,1203201,1204986,CVE-2022-43995
Description: This update for sudo fixes the following issues:
Security fixes:
- CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend (bsc#1204986).
Other:
- Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201).
- Change sudo-ldap schema from ASCII to UTF8 (bsc#1197998).
-----------------------------------------
Patch: SUSE-2022-4289
Released: Tue Nov 29 15:58:57 2022
Summary: Security update for libdb-4_8
Severity: low
References: 1174414,CVE-2019-2708
Description: This update for libdb-4_8 fixes the following issues:
- CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).
-----------------------------------------
Patch: SUSE-2022-4295
Released: Tue Nov 29 16:02:13 2022
Summary: Security update for dbus-1
Severity: moderate
References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
Description: This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed a potential crash that could be triggered by an invalid signature (bsc#1204111).
- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
- CVE-2022-42012: Fixed use-after-free and possible memory corruption via a message in non-native endianness with out-of-band Unix file descriptors (bsc#1204113).
- Disable assertions to prevent unexpected DDoS attacks (bsc#1087072).
-----------------------------------------
Patch: SUSE-2022-4342
Released: Wed Dec 7 12:55:54 2022
Summary: Feature update for wicked
Severity: moderate
References: 1181429,1184124,1186787,1187655,1189560,1192508,1194392,1198894,1200505,1201053,876845,877776,885007,896188,988954
Description: This update for wicked fixes the following issues:
- auto6: Fix to apply DNS from RA rdnss after ifdown/ifup (bsc#1181429)
- build: Ensure binaries are Position Independent Executable (PIE) (bsc#1184124)
- client: Add release options to ifdown/ifreload (jsc#SLE-25048, jsc#SLE-10249)
- client: Fix memory access violation (SEGV) on empty xpath results
- compat-suse: Match read order of sysctl.d '/etc' vs. '/run' with systemd-sysctl and remove obsolete (sle11/sysconfig) lines about ifup-sysctl from ifsysctl.5.
- compat-suse: Fix reading of sysctl variable 'addr_gen_mode'
- dbus: Clear string array before append
- dhcp4: Fix issues in reuse of last lease (bsc#1187655)
- dhcp6: Add option to refresh lease (jsc#SLE-24310, jsc#SLE-9492, jsc#SLE-24307)
- dhcp6: Consider ppp interfaces supported
- dhcp6: Ignore lease release status
- dhcp6: Remove address before release
- firewall-ext: No config change on ifdown (bsc#1201053, bsc#1189560)
- redfish: Add initial support to decode the SMBIOS Management Controller Host Interface (Type 42) (jsc#SLE-24286, jsc#SLE-17762)
- socket: Fix memory access violation (SEGV) on heavy socket restart errors (bsc#1192508)
- systemd: Remove systemd-udev-settle dependency (bsc#1186787)
- team: Fix to configure port priority in teamd (bsc#1200505)
- wireless: Add support for WPA3 and PMF (bsc#1198894)
- wireless: Fix memory access violation (SEGV) on supplicant restart
- wireless: Fix to not expect colons in 64-byte long wpa-psk hex hash string
- wireless: Remove libiw dependencies
- xml-schema: Reference counting fix to not crash at exit on schema errors
- Removed obsolete patch included in the main sources (bsc#1194392)
-----------------------------------------
Patch: SUSE-2022-4357
Released: Thu Dec 8 10:18:07 2022
Summary: Recommended update for tar
Severity: moderate
References: 1200657,1203600
Description: This update for tar fixes the following issues:
- Fix unexpected inconsistency when making directory (bsc#1203600)
- Fix race condition while creating intermediate subdirectories (bsc#1200657)
-----------------------------------------
Patch: SUSE-2022-4449
Released: Tue Dec 13 10:35:19 2022
Summary: Recommended update for libzypp
Severity: moderate
References: 1204548
Description: This update for libzypp fixes the following issues:
Update to version 16.22.5:
- properly reset range requests (bsc#1204548)
-----------------------------------------
Patch: SUSE-2022-4598
Released: Wed Dec 21 10:13:33 2022
Summary: Security update for curl
Severity: moderate
References: 1206309,CVE-2022-43552
Description: This update for curl fixes the following issues:
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
-----------------------------------------
Patch: SUSE-2022-4603
Released: Wed Dec 21 13:49:42 2022
Summary: Security update for sqlite3
Severity: moderate
References: 1206337,CVE-2022-46908
Description: This update for sqlite3 fixes the following issues:
- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism when relying on --safe for execution of an untrusted CLI script (bsc#1206337).
-----------------------------------------
Patch: SUSE-2022-4619
Released: Tue Dec 27 05:16:39 2022
Summary: Security update for vim
Severity: moderate
References: 1070955,1173256,1174564,1176549,1182324,1190533,1190570,1191770,1191893,1192167,1192478,1192481,1192902,1192903,1192904,1193294,1193298,1193466,1193905,1194093,1194216,1194217,1194388,1194556,1194872,1194885,1195004,1195066,1195126,1195202,1195203,1195332,1195354,1195356,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,1200270,1200697,1200698,1200700,1200701,1200732,1200884,1200902,1200903,1200904,1201132,1201133,1201134,1201135,1201136,1201150,1201151,1201152,1201153,1201154,1201155,1201249,1201356,1201359,1201363,1201620,1201863,1202046,1202049,1202050,1202051,1202414,1202420,1202421,1202511,1202512,1202515,1202552,1202599,1202687,1202689,1202862,1202962,1203110,1203152,1203155,1203194,1203272,1203508,1203509,1203796,1203797,1203799,1203820,1203924,1204779,CVE-2009-0316,CVE-2016-1248,CVE-2017-17087,CVE-2017-5953,CVE-2017-6349,CVE-2017-6350,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1720,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927,CVE-2022-1968,CVE-2022-2124,CVE-2022-2125,CVE-2022-2126,CVE-2022-2129,CVE-2022-2175,CVE-2022-2182,CVE-2022-2183,CVE-2022-2206,CVE-2022-2207,CVE-2022-2208,CVE-2022-2210,CVE-2022-2231,CVE-2022-2257,CVE-2022-2264,CVE-2022-2284,CVE-2022-2285,CVE-2022-2286,CVE-2022-2287,CVE-2022-2304,CVE-2022-2343,CVE-2022-2344,CVE-2022-2345,CVE-2022-2522,CVE-2022-2571,CVE-2022-2580,CVE-2022-2581,CVE-2022-2598,CVE-2022-2816,CVE-2022-2817,CVE-2022-2819,CVE-2022-2845,CVE-2022-2849,CVE-2022-2862,CVE-2022-2874,CVE-2022-2889,CVE-2022-2923,CVE-2022-2946,CVE-2022-2980,CVE-2022-2982,CVE-2022-3016,CVE-2022-3037,CVE-2022-3099,CVE-2022-3134,CVE-2022-3153,CVE-2022-3234,CVE-2022-3235,CVE-2022-3278,CVE-2022-3296,CVE-2022-3297,CVE-2022-3324,CVE-2022-3352,CVE-2022-3705
Description: This update for vim fixes the following issues:
Updated to version 9.0.0814:
* Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483.
* Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490.
* Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598.
* Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
* Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer()
* Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c
* Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c
* Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c
* Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag()
* Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
* Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c
* Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: use after free
* Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse()
* Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321
* Fixing bsc#1200884 Vim: Error on startup
* Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent()
* Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address()
* Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg()
* Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
* Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
* Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
* Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
* Fixing bsc#1201620 vim: SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
* Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
* Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
* Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
* Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
* Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
* Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
* Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
* Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
* Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
* Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
* Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
* Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference in skipwhite()
* Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
* Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
* Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
* Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
* Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
* Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
* Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
* Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
* Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
* Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
* Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
* Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
* Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
* Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
* Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
* Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
* Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
* Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
* Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285
* Fixing bsc#1191770 VUL-0: CVE-2021-3875: vim: heap-based buffer overflow
* Fixing bsc#1192167 VUL-0: CVE-2021-3903: vim: heap-based buffer overflow
* Fixing bsc#1192902 VUL-0: CVE-2021-3968: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1192903 VUL-0: CVE-2021-3973: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1192904 VUL-0: CVE-2021-3974: vim: vim is vulnerable to Use After Free
* Fixing bsc#1193466 VUL-1: CVE-2021-4069: vim: use-after-free in ex_open() in src/ex_docmd.c
* Fixing bsc#1193905 VUL-0: CVE-2021-4136: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1194093 VUL-1: CVE-2021-4166: vim: vim is vulnerable to Out-of-bounds Read
* Fixing bsc#1194216 VUL-1: CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
* Fixing bsc#1194217 VUL-0: CVE-2021-4192: vim: vulnerable to Use After Free
* Fixing bsc#1194872 VUL-0: CVE-2022-0261: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1194885 VUL-0: CVE-2022-0213: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1195004 VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1195203 VUL-0: CVE-2022-0359: vim: heap-based buffer overflow in init_ccline() in ex_getln.c
* Fixing bsc#1195354 VUL-0: CVE-2022-0407: vim: Heap-based Buffer Overflow in Conda vim prior to 8.2.
* Fixing bsc#1198596 VUL-0: CVE-2022-1381: vim: global heap buffer overflow in skip_range
* Fixing bsc#1199331 VUL-0: CVE-2022-1616: vim: Use after free in append_command
* Fixing bsc#1199333 VUL-0: CVE-2022-1619: vim: Heap-based Buffer Overflow in function cmdline_erase_chars
* Fixing bsc#1199334 VUL-0: CVE-2022-1620: vim: NULL Pointer Dereference in function vim_regexec_string
* Fixing bsc#1199747 VUL-0: CVE-2022-1796: vim: Use After Free in find_pattern_in_path
* Fixing bsc#1200010 VUL-0: CVE-2022-1897: vim: Out-of-bounds Write in vim
* Fixing bsc#1200011 VUL-0: CVE-2022-1898: vim: Use After Free in vim prior to 8.2
* Fixing bsc#1200012 VUL-0: CVE-2022-1927: vim: Buffer Over-read in vim prior to 8.2
* Fixing bsc#1070955 VUL-1: CVE-2017-17087: vim: Sets the group ownership of a .swp file to the editor's primary group, which allows local users to obtain sensitive information
* Fixing bsc#1194388 VUL-1: CVE-2022-0128: vim: vim is vulnerable to Out-of-bounds Read
* Fixing bsc#1195332 VUL-1: CVE-2022-0392: vim: Heap-based Buffer Overflow in vim prior to 8.2
* Fixing bsc#1196361 VUL-1: CVE-2022-0696: vim: NULL Pointer Dereference in vim prior to 8.2
* Fixing bsc#1198748 VUL-1: CVE-2022-1420: vim: Out-of-range Pointer Offset
* Fixing bsc#1199651 VUL-1: CVE-2022-1735: vim: heap buffer overflow
* Fixing bsc#1199655 VUL-1: CVE-2022-1733: vim: Heap-based Buffer Overflow in cindent.c
* Fixing bsc#1199693 VUL-1: CVE-2022-1771: vim: stack exhaustion in vim prior to 8.2.
* Fixing bsc#1199745 VUL-1: CVE-2022-1785: vim: Out-of-bounds Write
* Fixing bsc#1199936 VUL-1: CVE-2022-1851: vim: out of bounds read
* Fixing bsc#1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in normal.c
* Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in win_redr_status() drawscreen.c
* Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to Heap-based Buffer Overflow
* Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting could lead to Heap Buffer Overflow
* Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
* Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
* Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.
* Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim prior to 8.2.
* Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
* Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim prior to 8.2.
* Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
-----------------------------------------
Patch: SUSE-2022-4625
Released: Tue Dec 27 09:47:49 2022
Summary: Security update for ca-certificates-mozilla
Severity: important
References: 1206212,1206622
Description: This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
  Removed CAs:
  - Global Chambersign Root
  - EC-ACC
  - Network Solutions Certificate Authority
  - Staat der Nederlanden EV Root CA
  - SwissSign Platinum CA - G2
  Added CAs:
  - DIGITALSIGN GLOBAL ROOT ECDSA CA
  - DIGITALSIGN GLOBAL ROOT RSA CA
  - Security Communication ECC RootCA1
  - Security Communication RootCA3
  Changed trust:
  - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212), as most code does not handle 'valid before Nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor:
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1
-----------------------------------------
Patch: SUSE-2022-4627
Released: Tue Dec 27 15:05:41 2022
Summary: Security update for systemd
Severity: important
References: 1204423,1205000,CVE-2022-4415
Description: This update for systemd fixes the following issues:
- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).
Bug fixes:
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).
-----------------------------------------
Patch: SUSE-2023-26
Released: Thu Jan 5 09:53:29 2023
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description: This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):
- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default
-----------------------------------------
Patch: SUSE-2023-31
Released: Thu Jan 5 13:33:52 2023
Summary: Security update for libksba
Severity: moderate
References: 1206579,CVE-2022-47629
Description: This update for libksba fixes the following issues:
- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).
-----------------------------------------
Patch: SUSE-2023-43
Released: Mon Jan 9 10:29:55 2023
Summary: Recommended update for YaST
Severity: moderate
References: 1152913,1204530
Description: This update for YaST fixes the following issues:
yast2-cluster:
- Set crypto_hash as 'sha1' and set crypto_cipher as 'aes256' (bsc#1204530)
- Set transport as 'udpu' when detected in cloud
- Set default values for mcastaddr/mcastport/bindnetaddr when the cluster is first configured
- Set focus on 'Generate Auth Key File' when secauth is true
- Implement ValidateSecurity method
- Set focus on 'memberaddr add' when using udpu
yast2-registration:
- Fix crash of autoyast config dialog (bsc#1152913)
-----------------------------------------
Patch: SUSE-2023-58
Released: Tue Jan 10 09:15:27 2023
Summary: Security update for systemd
Severity: moderate
References: 1181636,1205000,CVE-2022-4415
Description: This update for systemd fixes the following issues:
- units: restore RemainAfterExit=yes in systemd-vconsole-setup.service
- vconsole-setup: don't concat strv if we don't need to (i.e. not in debug log mode)
- vconsole-setup: add more log messages
- units: restore Before dependencies for systemd-vconsole-setup.service
- vconsole-setup: add lots of debug messages
- Add enable_disable() helper
- vconsole: correct kernel command line namespace
- vconsole: Don't do static installation under sysinit.target
- vconsole: use KD_FONT_OP_GET/SET to handle copying (bsc#1181636)
- vconsole: updates of keyboard/font loading functions
- vconsole: Add generic is_*() functions
- vconsole: add two new toggle functions, remove old enable/disable ones
- vconsole: copy font to 63 consoles instead of 15
- vconsole: add log_oom() where appropriate
- vconsole-setup: Store fonts on heap (#3268)
- errno-util: add new errno_or_else() helper
The following fix is now integrated upstream:
- CVE-2022-4415: coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000).
-----------------------------------------
Patch: SUSE-2023-85
Released: Thu Jan 12 20:01:48 2023
Summary: Recommended update for util-linux
Severity: moderate
References: 1194038
Description: This update for util-linux fixes the following issues:
- Fix tests not passing when the '@' character is in the build path: fixes rpmbuild %check failing when '@' is in the directory path (bsc#1194038).
-----------------------------------------
Patch: SUSE-2023-117
Released: Fri Jan 20 10:26:45 2023
Summary: Security update for sudo
Severity: important
References: 1206170,1207082,CVE-2023-22809
Description: This update for sudo fixes the following issues:
- CVE-2023-22809: Fixed an arbitrary file write issue that could be exploited by users with sudoedit permissions (bsc#1207082).
Other fixes:
- Fixed a potential crash while using the sssd plugin (bsc#1206170).
-----------------------------------------
Patch: SUSE-2023-180
Released: Thu Jan 26 21:55:09 2023
Summary: Recommended update for tar
Severity: low
References: 1202436
Description: This update for tar fixes the following issue:
- Fix hang when unpacking test tarball (bsc#1202436)
-----------------------------------------
Patch: SUSE-2023-189
Released: Fri Jan 27 12:07:53 2023
Summary: Recommended update for zlib
Severity: important
References: 1203652
Description: This update for zlib fixes the following issues:
- Follow-up fix for bug bsc#1203652 due to libxml2 issue
-----------------------------------------
Patch: SUSE-2023-208
Released: Mon Jan 30 14:03:24 2023
Summary: Recommended update for dbus-1
Severity: important
References: 1193780
Description: This update for dbus-1 fixes the following issues:
- Fix IO lock contention causing timeouts (bsc#1193780)
-----------------------------------------
Patch: SUSE-2023-209
Released: Mon Jan 30 17:24:59 2023
Summary: Security update for vim
Severity: important
References: 1204779,1205797,1206028,1206071,1206072,1206075,1206077,1206866,1206867,1206868,1207162,1207396,CVE-2022-3491,CVE-2022-3520,CVE-2022-3591,CVE-2022-3705,CVE-2022-4141,CVE-2022-4292,CVE-2022-4293,CVE-2023-0049,CVE-2023-0051,CVE-2023-0054,CVE-2023-0288,CVE-2023-0433
Description: This update for vim fixes the following issues:
Updated to version 9.0.1234:
- CVE-2023-0433: Fixed an out of bounds memory access that could cause a crash (bsc#1207396).
- CVE-2023-0288: Fixed an out of bounds memory access that could cause a crash (bsc#1207162).
- CVE-2023-0054: Fixed an out of bounds memory write that could cause a crash or memory corruption (bsc#1206868).
- CVE-2023-0051: Fixed an out of bounds memory access that could cause a crash (bsc#1206867).
- CVE-2023-0049: Fixed an out of bounds memory access that could cause a crash (bsc#1206866).
- CVE-2022-3491: Fixed an out of bounds memory access that could cause a crash (bsc#1206028).
- CVE-2022-3520: Fixed an out of bounds memory access that could cause a crash (bsc#1206071).
- CVE-2022-3591: Fixed a use-after-free issue that could cause memory corruption or undefined behavior (bsc#1206072).
- CVE-2022-4292: Fixed a use-after-free issue that could cause memory corruption or undefined behavior (bsc#1206075).
- CVE-2022-4293: Fixed a floating point exception that could cause a crash (bsc#1206077).
- CVE-2022-4141: Fixed an out of bounds memory write that could cause a crash or memory corruption (bsc#1205797).
- CVE-2022-3705: Fixed a use-after-free issue that could cause a crash or memory corruption (bsc#1204779).
-----------------------------------------
Patch: SUSE-2023-306
Released: Tue Feb 7 17:32:56 2023
Summary: Security update for openssl-1_0_0
Severity: important
References: 1201627,1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286
Description: This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4304: Fixed timing oracle in RSA decryption (bsc#1207534).
- testsuite: Update further expiring certificates that affect tests (bsc#1201627)
-----------------------------------------
Patch: SUSE-2023-425
Released: Wed Feb 15 16:34:23 2023
Summary: Security update for curl
Severity: moderate
References: 1207992,CVE-2023-23916
Description: This update for curl fixes the following issues:
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------
Patch: SUSE-2023-441
Released: Fri Feb 17 09:41:04 2023
Summary: Security update for tar
Severity: moderate
References: 1207753,CVE-2022-48303
Description: This update for tar fixes the following issues:
- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).
-----------------------------------------
Patch: SUSE-2023-627
Released: Mon Mar 6 11:25:23 2023
Summary: Recommended update for lvm2
Severity: moderate
References: 1142550
Description: This update for lvm2 fixes the following issues:
- Fix LVM volume groups not being cleaned up after kiwi image build (bsc#1142550)
-----------------------------------------
Patch: SUSE-2023-751
Released: Thu Mar 16 07:01:48 2023
Summary: Recommended update for YaST
Severity: moderate
References: 1201816
Description: This update for YaST fixes the following issues:
yast2-packager:
- Do not fail when the installation URL contains a space (bsc#1201816)
-----------------------------------------
Patch: SUSE-2023-757
Released: Thu Mar 16 11:34:18 2023
Summary: Recommended update for tar
Severity: low
References: 1202436
Description: This update for tar fixes the following issues:
- Fix hang when unpacking test tarball (bsc#1202436)
-----------------------------------------
Patch: SUSE-2023-760
Released: Thu Mar 16 11:35:26 2023
Summary: Security update for vim
Severity: important
References: 1207780,1208828,1208957,1208959,CVE-2023-0512,CVE-2023-1127,CVE-2023-1170,CVE-2023-1175
Description: This update for vim fixes the following issues:
- CVE-2023-0512: Fixed a divide by zero (bsc#1207780).
- CVE-2023-1175: Fixed an incorrect calculation of buffer size (bsc#1208957).
- CVE-2023-1170: Fixed a heap-based buffer overflow (bsc#1208959).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
Updated to version 9.0 with patch level 1386.
- https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
-----------------------------------------
Patch: SUSE-2023-865
Released: Tue Mar 21 18:34:07 2023
Summary: Security update for curl
Severity: moderate
References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
Description: This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
-----------------------------------------
Patch: SUSE-2023-1622
Released: Tue Mar 28 11:26:29 2023
Summary: Security update for systemd
Severity: important
References: 1206985,1208958,CVE-2023-26604
Description: This update for systemd fixes the following issues:
- CVE-2023-26604: Fixed a privilege escalation via the less pager (bsc#1208958).
-----------------------------------------
Patch: SUSE-2023-1659
Released: Wed Mar 29 10:16:27 2023
Summary: Security update for sudo
Severity: moderate
References: 1203201,1206483,1209361,1209362,CVE-2023-28486,CVE-2023-28487
Description: This update for sudo fixes the following issues:
Security fixes:
- CVE-2023-28486: Fixed missing control character escaping in log messages (bsc#1209362).
- CVE-2023-28487: Fixed missing control character escaping in sudoreplay output (bsc#1209361).
Other fixes:
- Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483).
- Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).
-----------------------------------------
Patch: SUSE-2023-1704
Released: Thu Mar 30 16:16:17 2023
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1202062,1209624,CVE-2023-0464
Description: This update for openssl-1_0_0 fixes the following issues:
Security fixes:
- CVE-2023-0464: Fixed excessive resource usage when verifying X.509 policy constraints (bsc#1209624).
Other fixes:
- Fix DH key generation in FIPS mode, add support for constant BN for DH parameters (bsc#1202062)
-----------------------------------------
Patch: SUSE-2023-1806
Released: Tue Apr 11 10:14:27 2023
Summary: Recommended update for timezone
Severity: important
References:
Description: This update for timezone fixes the following issues:
- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
-----------------------------------------
Patch: SUSE-2023-1884
Released: Tue Apr 18 11:14:44 2023
Summary: Recommended update for dracut
Severity: moderate
References: 1208929
Description: This update for dracut fixes the following issues:
- fix handling of omit_dracutmodules parameter (bsc#1208929)
-----------------------------------------
Patch: SUSE-2023-1890
Released: Tue Apr 18 11:17:04 2023
Summary: Recommended update for yast2-transfer
Severity: low
References: 1208754
Description: This update for yast2-transfer fixes the following issue:
- Fixed TFTP download, truncate the target when saving to an existing one (bsc#1208754)
-----------------------------------------
Patch: SUSE-2023-1914
Released: Wed Apr 19 14:24:23 2023
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1209873,1209878,CVE-2023-0465,CVE-2023-0466
Description: This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy checks were not enabled (bsc#1209873).
-----------------------------------------
Patch: SUSE-2023-1986
Released: Tue Apr 25 11:53:14 2023
Summary: Recommended update for permissions
Severity: moderate
References: 1160285
Description: This update for permissions fixes the following issues:
* mariadb: settings for new auth_pam_tool (bsc#1160285)
-----------------------------------------
Patch: SUSE-2023-2041
Released: Wed Apr 26 11:44:27 2023
Summary: Recommended update for zlib
Severity: low
References: 1206513
Description: This update for zlib fixes the following issues:
- Add support for small windows in IBM Z hardware-accelerated deflate (bsc#1206513)
-----------------------------------------
Patch: SUSE-2023-2044
Released: Wed Apr 26 14:48:10 2023
Summary: Security update for dmidecode
Severity: moderate
References: 1210418,CVE-2023-30630
Description: This update for dmidecode fixes the following issues:
- CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418).
-----------------------------------------
Patch: SUSE-2023-2054
Released: Thu Apr 27 11:31:36 2023
Summary: Security update for libxml2
Severity: moderate
References: 1210411,1210412,CVE-2023-28484,CVE-2023-29469
Description: This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
-----------------------------------------
Patch: SUSE-2023-2067
Released: Fri Apr 28 13:54:34 2023
Summary: Security update for shadow
Severity: moderate
References: 1210507,CVE-2023-29383
Description: This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------
Patch: SUSE-2023-2073
Released: Fri Apr 28 17:01:37 2023
Summary: Recommended update for libseccomp
Severity: moderate
References: 1209407
Description:
This update for libseccomp fixes the following issue:
- Speed up database handling when processing many rules like in docker (bsc#1209407)
-----------------------------------------
Patch: SUSE-2023-2112
Released: Fri May 5 14:34:42 2023
Summary: Security update for ncurses
Severity: moderate
References: 1210434,CVE-2023-29491
Description:
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
-----------------------------------------
Patch: SUSE-2023-2225
Released: Wed May 17 09:54:33 2023
Summary: Security update for curl
Severity: important
References: 1198608,1211230,1211231,1211232,1211233,CVE-2022-27774,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
Description:
This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)
- CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
- CVE-2023-28320: siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).
-----------------------------------------
Patch: SUSE-2023-2249
Released: Thu May 18 17:07:31 2023
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1203248,1203249,1208329,428822
Description:
This update for libzypp, zypper fixes the following issues:
- Removing a PTF without enabled repos should always fail (bsc#1203248)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Provide 'removeptf' command (bsc#1203249)
  A remove command which prefers replacing dependent packages to removing them as well.
  A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependent packages. But you don't want the dependent packages to be removed together with the PTF, which is what the remove command would do. The removeptf command however will aim to replace the dependent packages by their official update versions.
-----------------------------------------
Patch: SUSE-2023-2260
Released: Mon May 22 10:29:33 2023
Summary: Recommended update for zlib
Severity: moderate
References: 1210593
Description:
This update for zlib fixes the following issues:
- Fix crash when calling deflateBound() function (bsc#1210593)
-----------------------------------------
Patch: SUSE-2023-2330
Released: Tue May 30 16:49:19 2023
Summary: Security update for openssl-1_0_0
Severity: important
References: 1211430,CVE-2023-2650
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
-----------------------------------------
Patch: SUSE-2023-2362
Released: Mon Jun 5 09:21:01 2023
Summary: Recommended update for dracut
Severity: moderate
References: 1210910
Description:
This update for dracut fixes the following issues:
- Do not read /proc/modules to get the host modules (bsc#1210910)
-----------------------------------------
Patch: SUSE-2023-2364
Released: Mon Jun 5 09:22:18 2023
Summary: Recommended update for util-linux
Severity: moderate
References: 1210164
Description:
This update for util-linux fixes the following issues:
- Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)
-----------------------------------------
Patch: SUSE-2023-2483
Released: Mon Jun 12 08:46:57 2023
Summary: Security update for openldap2
Severity: moderate
References: 1211795,CVE-2023-2953
Description:
This update for openldap2 fixes the following issues:
- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
-----------------------------------------
Patch: SUSE-2023-2624
Released: Fri Jun 23 13:43:30 2023
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1207534,CVE-2022-4304
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
-----------------------------------------
Patch: SUSE-2023-2639
Released: Mon Jun 26 15:08:02 2023
Summary: Security update for python
Severity: important
References: 1208471,CVE-2023-24329
Description:
This update for python fixes the following issues:
- CVE-2023-24329: Fixed urllib.parse bypass when supplying a URL that starts with blank characters (bsc#1208471).
-----------------------------------------
Patch: SUSE-2023-2661
Released: Tue Jun 27 20:26:07 2023
Summary: Recommended update for gcc12
Severity: moderate
References:
Description:
This update for gcc12 fixes the following issues:
Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204, containing lots of bugfixes and improvements.
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
-----------------------------------------
Patch: SUSE-2023-2764
Released: Mon Jul 3 17:57:35 2023
Summary: Security update for libcap
Severity: moderate
References: 1211419,CVE-2023-2603
Description:
This update for libcap fixes the following issues:
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------
Patch: SUSE-2023-2771
Released: Tue Jul 4 09:48:51 2023
Summary: Recommended update for libzypp
Severity: important
References: 1212187
Description:
This update for libzypp fixes the following issues:
- curl: Trim user agent and custom header strings (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. Violation results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 16.22.8 (0)
-----------------------------------------
Patch: SUSE-2023-2864
Released: Tue Jul 18 08:17:47 2023
Summary: Recommended update for coreutils
Severity: moderate
References: 1212999
Description:
This update for coreutils fixes the following issues:
- Avoid failure in case SELinux is disabled. (bsc#1212999)
-----------------------------------------
Patch: SUSE-2023-2876
Released: Wed Jul 19 09:42:54 2023
Summary: Security update for dbus-1
Severity: moderate
References: 1212126,CVE-2023-34969
Description:
This update for dbus-1 fixes the following issues:
- CVE-2023-34969: Fixed a possible dbus-daemon crash by unprivileged users (bsc#1212126).
-----------------------------------------
Patch: SUSE-2023-2880
Released: Wed Jul 19 10:02:41 2023
Summary: Security update for curl
Severity: moderate
References: 1213237,CVE-2023-32001
Description:
This update for curl fixes the following issues:
- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).
-----------------------------------------
Patch: SUSE-2023-2881
Released: Wed Jul 19 11:46:56 2023
Summary: Security update for perl
Severity: important
References: 1210999,CVE-2023-31484
Description:
This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
-----------------------------------------
Patch: SUSE-2023-2895
Released: Thu Jul 20 06:45:41 2023
Summary: Recommended update for wicked
Severity: moderate
References: 1194557,1203300,1206447,1206674,1206798,1211026
Description:
This update for wicked fixes the following issues:
- Update to version 0.6.73
  - Fix arp notify loop and burst sending (boo#1212806)
  - Allow verify/notify counter and interval configuration
  - Handle ENOBUFS sending errors (bsc#1203300)
  - Improve environment variable handling
  - Refactor firmware extension definition
  - Enable, disable and revert cli commands
  - Fix memory leaks, add array/list utils
  - Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026)
  - Cleanup /var/run leftovers in extension scripts (bsc#1194557)
  - Output formatting improvements and Unicode support
  - bond: workaround 6.1 kernel enslave regression (bsc#1206674)
  - Add `wicked firmware` command to improve `ibft`,`nbft`,`redfish` firmware extension and interface handling.
  - Improve error handling in netif firmware discovery extension execution and extension definition overrides in the wicked-config.
  - Fix use-after-free in debug mode (bsc#1206447)
  - Replace transitional `%usrmerged` macro with regular version check (bsc#1206798)
  - Improve to show `no-carrier` in ifstatus output
  - Cleanup inclusions and update uapi header to 6.0
  - Link mode nwords cleanup and new advertise mode names
  - Enable raw-ip support for wwan-qmi interfaces (jsc#PED-90)
-----------------------------------------
Patch: SUSE-2023-2950
Released: Mon Jul 24 12:12:23 2023
Summary: Security update for openssh
Severity: important
References: 1213504,CVE-2023-38408
Description:
This update for openssh fixes the following issues:
- CVE-2023-38408: Fixed a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408]
-----------------------------------------
Patch: SUSE-2023-3012
Released: Fri Jul 28 14:17:47 2023
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1213487,CVE-2023-3446
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
-----------------------------------------
Patch: SUSE-2023-3175
Released: Thu Aug 3 10:56:07 2023
Summary: Recommended update for cryptsetup
Severity: moderate
References: 1211079
Description:
This update for cryptsetup fixes the following issues:
- Handle system with low memory and no swap space (bsc#1211079)
-----------------------------------------
Patch: SUSE-2023-3268
Released: Thu Aug 10 16:15:38 2023
Summary: Security update for util-linux
Severity: important
References: 1084300,1194038,1213865,CVE-2018-7738
Description:
This update for util-linux fixes the following issues:
- CVE-2018-7738: Fixed shell code injection in umount bash-completions. (bsc#1213865, bsc#1084300)
-----------------------------------------
Patch: SUSE-2023-3281
Released: Fri Aug 11 10:24:11 2023
Summary: Recommended update for insserv-compat
Severity: moderate
References: 1052837,1212955
Description:
This update for insserv-compat fixes the following issues:
- Remove not needed named entry from insserv.conf (bsc#1052837, bsc#1212955)
-----------------------------------------
Patch: SUSE-2023-3295
Released: Fri Aug 11 13:52:50 2023
Summary: Recommended update for apparmor
Severity: moderate
References: 1208798,1213941
Description:
This update for apparmor fixes the following issues:
- Update kerberosclient and samba profile abstractions to silence verbose denials (bsc#1208798)
- Explicitly prefer apache2 instead of apache2-tls13 when building apparmor (bsc#1213941)
-----------------------------------------
Patch: SUSE-2023-3339
Released: Thu Aug 17 12:33:58 2023
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1213853,CVE-2023-3817
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
-----------------------------------------
Patch: SUSE-2023-3364
Released: Fri Aug 18 17:00:55 2023
Summary: Recommended update for libdb-4_8
Severity: moderate
References: 1099695
Description:
This update for libdb-4_8 fixes the following issues:
- Fix incomplete license tag. [bsc#1099695]
-----------------------------------------
Patch: SUSE-2023-3405
Released: Wed Aug 23 19:17:49 2023
Summary: Security update for ca-certificates-mozilla
Severity: important
References: 1214248
Description:
This update for ca-certificates-mozilla fixes the following issues:
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
  Added:
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - SSL.com Client ECC Root CA 2022
  - SSL.com Client RSA Root CA 2022
  - SSL.com TLS ECC Root CA 2022
  - SSL.com TLS RSA Root CA 2022
  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1
-----------------------------------------
Patch: SUSE-2023-3415
Released: Thu Aug 24 07:52:04 2023
Summary: Recommended update for wget
Severity: important
References: 1213898
Description:
This update for wget fixes the following issues:
- Set the Host header when CONNECT is used (bsc#1213898)
-----------------------------------------
Patch: SUSE-2023-3431
Released: Thu Aug 24 13:53:37 2023
Summary: Security update for gawk
Severity: low
References: 1214025,CVE-2023-4156
Description:
This update for gawk fixes the following issues:
- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)
-----------------------------------------
Patch: SUSE-2023-3463
Released: Mon Aug 28 19:15:09 2023
Summary: Security update for vim
Severity: important
References: 1208828,1209042,1209187,1210996,1211256,1211257,CVE-2023-1127,CVE-2023-1264,CVE-2023-1355,CVE-2023-2426,CVE-2023-2609,CVE-2023-2610
Description:
This update for vim fixes the following issues:
Updated to version 9.0 with patch level 1572.
- CVE-2023-2426: Fixed Out-of-range Pointer Offset use (bsc#1210996).
- CVE-2023-2609: Fixed NULL Pointer Dereference (bsc#1211256).
- CVE-2023-2610: Fixed Integer Overflow or Wraparound (bsc#1211257).
- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
-----------------------------------------
Patch: SUSE-2023-3471
Released: Tue Aug 29 10:53:48 2023
Summary: Security update for procps
Severity: low
References: 1214290,CVE-2023-4016
Description:
This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).
-----------------------------------------
Patch: SUSE-2023-3483
Released: Tue Aug 29 12:50:10 2023
Summary: Recommended update for parted
Severity: low
References: 1186371
Description:
This update for parted fixes the following issues:
- fix dm sector size (bsc#1186371)
-----------------------------------------
Patch: SUSE-2023-3640
Released: Mon Sep 18 13:58:28 2023
Summary: Security update for gcc12
Severity: important
References: 1214052,CVE-2023-4039
Description:
This update for gcc12 fixes the following issues:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
-----------------------------------------
Patch: SUSE-2023-3665
Released: Mon Sep 18 21:51:22 2023
Summary: Security update for libxml2
Severity: important
References: 1201978,1210411,1210412,1214768,CVE-2016-3709,CVE-2023-28484,CVE-2023-29469,CVE-2023-39615
Description:
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed not deterministic hashing of empty dict strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).
- CVE-2016-3709: Fixed cross-site scripting vulnerability in libxml (bsc#1201978).
-----------------------------------------
Patch: SUSE-2023-3692
Released: Tue Sep 19 22:05:52 2023
Summary: Security update for curl
Severity: important
References: 1215026,CVE-2023-38039
Description:
This update for curl fixes the following issues:
- CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)
-----------------------------------------
Patch: SUSE-2023-3730
Released: Fri Sep 22 13:34:54 2023
Summary: Security update for python
Severity: important
References: 1214692,CVE-2023-40217
Description:
This update for python fixes the following issues:
- CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).
-----------------------------------------
Patch: SUSE-2023-3842
Released: Wed Sep 27 20:03:57 2023
Summary: Security update for nghttp2
Severity: important
References: 1215713,CVE-2023-35945
Description:
This update for nghttp2 fixes the following issues:
- CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).
-----------------------------------------
Patch: SUSE-2023-3857
Released: Thu Sep 28 10:30:13 2023
Summary: Security update for gpg2
Severity: important
References: 1088255,CVE-2018-9234
Description:
This update for gpg2 fixes the following issues:
- CVE-2018-9234: Fixed unenforced configuration allows for apparently valid certifications actually signed by signing subkeys (bsc#1088255).
-----------------------------------------
Patch: SUSE-2023-3942
Released: Tue Oct 3 17:14:40 2023
Summary: Security update for vim
Severity: important
References: 1210738,1211461,1214922,1214924,1214925,1215004,1215006,1215033,CVE-2023-4733,CVE-2023-4734,CVE-2023-4735,CVE-2023-4738,CVE-2023-4752,CVE-2023-4781
Description:
This update for vim fixes the following issues:
Security fixes:
- CVE-2023-4733: Fixed use-after-free in function buflist_altfpos (bsc#1215004).
- CVE-2023-4734: Fixed segmentation fault in function f_fullcommand (bsc#1214925).
- CVE-2023-4735: Fixed out of bounds write in ops.c (bsc#1214924).
- CVE-2023-4738: Fixed heap buffer overflow in vim_regsub_both (bsc#1214922).
- CVE-2023-4752: Fixed heap use-after-free in function ins_compl_get_exp (bsc#1215006).
- CVE-2023-4781: Fixed heap buffer overflow in function vim_regsub_both (bsc#1215033).
Other fixes:
- Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)
- Rendering corruption in gvim with all 9.x versions (bsc#1210738)
- Updated to version 9.0 with patch level 1894
-----------------------------------------
Patch: SUSE-2023-3974
Released: Thu Oct 5 10:38:27 2023
Summary: Recommended update for lvm2
Severity: moderate
References: 1214071
Description:
This update for lvm2 fixes the following issues:
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
-----------------------------------------
Patch: SUSE-2023-4001
Released: Fri Oct 6 15:12:44 2023
Summary: Security update for python
Severity: moderate
References: 1214685,1214691,CVE-2022-48565,CVE-2022-48566
Description:
This update for python fixes the following issues:
- CVE-2022-48566: Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. (bsc#1214691)
- CVE-2022-48565: Fixed an XXE in the plistlib module. (bsc#1214685)
-----------------------------------------
Patch: SUSE-2023-4023
Released: Tue Oct 10 13:23:04 2023
Summary: Security update for shadow
Severity: low
References: 1214806,CVE-2023-4641
Description:
This update for shadow fixes the following issues:
- CVE-2023-4641: Fixed potential password leak (bsc#1214806).
-----------------------------------------
Patch: SUSE-2023-4043
Released: Wed Oct 11 09:00:09 2023
Summary: Security update for curl
Severity: important
References: 1215888,1215889,CVE-2023-38545,CVE-2023-38546
Description:
This update for curl fixes the following issues:
- CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
- CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)
-----------------------------------------
Patch: SUSE-2023-4063
Released: Thu Oct 12 10:41:20 2023
Summary: Recommended update for glibc
Severity: moderate
References: 1215286,1215504,CVE-2023-4813
Description:
This update of glibc fixes the following issues:
Security issue fixed:
- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)
Other issues fixed:
- S390: Fix relocation of _nl_current_LC_CATETORY_used in static build (bsc#1215504, BZ #19860)
- added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
-----------------------------------------
Patch: SUSE-2023-4159
Released: Mon Oct 23 09:53:32 2023
Summary: Security update for suse-module-tools
Severity: important
References: 1187196,1205767,1210335,CVE-2023-1829,CVE-2023-23559
Description:
This update for suse-module-tools fixes the following issues:
- Updated to version 12.13:
  - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335).
  - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731).
  - Disabled the isst_if_mbox_msr driver (bsc#1187196).
-----------------------------------------
Patch: SUSE-2023-4199
Released: Wed Oct 25 12:01:35 2023
Summary: Security update for nghttp2
Severity: important
References: 1216123,1216174,CVE-2023-44487
Description:
This update for nghttp2 fixes the following issues:
- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)
-----------------------------------------
Patch: SUSE-2023-4205
Released: Thu Oct 26 09:45:16 2023
Summary: Recommended update for patterns-sles
Severity: moderate
References: 1215533
Description:
This update for patterns-sles fixes the following issues:
- Require kmod-compat rather than kmod. It's kmod-compat that has the tools used by the kernel and scripts (bsc#1215533).
-----------------------------------------
Patch: SUSE-2023-4206
Released: Thu Oct 26 09:48:23 2023
Summary: Recommended update for openslp
Severity: important
References: 1206153
Description:
This update for openslp fixes the following issues:
- Use systemctl reload for logrotate configuration (bsc#1206153)
-----------------------------------------
Patch: SUSE-2023-4216
Released: Thu Oct 26 12:19:45 2023
Summary: Security update for zlib
Severity: moderate
References: 1216378,CVE-2023-45853
Description:
This update for zlib fixes the following issues:
- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).
-----------------------------------------
Patch: SUSE-2023-4480
Released: Mon Nov 20 10:15:33 2023
Summary: Security update for gcc13
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
Description:
This update for gcc13 fixes the following issues:
This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:
- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html
Detailed changes:
* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
-----------------------------------------
Patch: SUSE-2023-4505
Released: Tue Nov 21 13:30:43 2023
Summary: Security update for libxml2
Severity: moderate
References: 1216129,CVE-2023-45322
Description:
This update for libxml2 fixes the following issues:
- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).
-----------------------------------------
Patch: SUSE-2023-4523
Released: Tue Nov 21 17:50:16 2023
Summary: Security update for openssl-1_0_0
Severity: important
References: 1216922,CVE-2023-5678
Description:
This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
-----------------------------------------
Patch: SUSE-2023-4560
Released: Fri Nov 24 17:08:26 2023
Summary: Security update for vim
Severity: important
References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535
Description:
This update for vim fixes the following issues:
- CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940)
- CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001)
- CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167)
- CVE-2023-46246: Integer Overflow in :history command (bsc#1216696)
-----------------------------------------
Patch: SUSE-2023-4576
Released: Mon Nov 27 09:29:46 2023
Summary: Security update for sqlite3
Severity: important
References: 1210660,CVE-2023-2137
Description:
This update for sqlite3 fixes the following issues:
- CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).
-----------------------------------------
Patch: SUSE-2023-4653
Released: Wed Dec 6 11:34:32 2023
Summary: Security update for curl
Severity: moderate
References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219
Description:
This update for curl fixes the following issues:
- CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
- CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).
-----------------------------------------
Patch: SUSE-2023-4717
Released: Tue Dec 12 04:59:05 2023
Summary: Recommended update for libzypp
Severity: moderate
References: 1216064
Description:
This update for libzypp fixes the following issues:
- Fixed handling of unmounting media. It mitigates the mount change during a package installation, for example a nfs.service restart that forcefully unmounts the media being accessed (bsc#1216064)
- Don't download sqlite metadata that is not needed
-----------------------------------------
Patch: SUSE-2023-4889
Released: Mon Dec 18 10:24:14 2023
Summary: Recommended update for pam
Severity: low
References: 1215594
Description:
This update for pam fixes the following issue:
- Add no_pass_expiry option to ignore password expiration (bsc#1215594)
-----------------------------------------
Patch: SUSE-2023-4892
Released: Mon Dec 18 16:33:21 2023
Summary: Security update for ncurses
Severity: moderate
References: 1218014,CVE-2023-50495
Description:
This update for ncurses fixes the following issues:
- CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
-----------------------------------------
Patch: SUSE-2023-4903
Released: Tue Dec 19 13:23:20 2023
Summary: Security update for openssh
Severity: important
References: 1201750,1217950,CVE-2023-48795
Description:
This update for openssh fixes the following issues:
- CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).
-----------------------------------------
Patch: SUSE-2023-4964
Released: Fri Dec 22 14:38:31 2023
Summary: Recommended update for curl
Severity: important
References: 1216987
Description:
This update for curl fixes the following issues:
- libssh: Implement SFTP packet size limit (bsc#1216987)
-----------------------------------------
Patch: SUSE-2023-4977
Released: Wed Dec 27 10:35:46 2023
Summary: Recommended update for procps
Severity: moderate
References: 1216825
Description:
This update for procps fixes the following issue:
- Avoid SIGSEGV in case of sending SIGTERM to a top command running in batch mode (bsc#1216825)
-----------------------------------------
Patch: SUSE-2024-13
Released: Tue Jan 2 16:28:08 2024
Summary: Recommended update for wget
Severity: moderate
References: 1217717
Description:
This update for wget fixes the following issue:
- Fixed the failure to detect SSL handshake timeout [bsc#1217717]
-----------------------------------------
Patch: SUSE-2024-71
Released: Wed Jan 10 09:38:09 2024
Summary: Security update for tar
Severity: low
References: 1217969,CVE-2023-39804
Description:
This update for tar fixes the following issues:
- CVE-2023-39804: Incorrectly handled extension attributes in PAX archives can lead to a crash (bsc#1217969)
-----------------------------------------
Patch: SUSE-2024-74
Released: Wed Jan 10 10:17:47 2024
Summary: Recommended update for libzypp, zypper
Severity: moderate
References: 1217948
Description:
This update for libzypp, zypper fixes the following issues:
- Touch /run/reboot-needed if a patch suggesting a reboot was installed (bsc#1217948)
- Backport needs-rebooting command from Code15 (bsc#1217948)
-----------------------------------------
Patch: SUSE-2024-101
Released: Mon Jan 15 07:13:00 2024
Summary: Recommended update for suseconnect-ng
Severity: moderate
References: 1161891,1170267,1174657,1188646,1194989,1195003,1195220,1195729,1196076,1196326,1197398,1198625,1200803,1200994,1202705,1203341,1204821,1207876,1211588,1212799,1214781,1217317
Description:
This update fixes the following issues:
suseconnect-ng:
- Update from version 0.0.0 to version 1.4.0
  * Enable building on SLE12 SP5 (jsc#PED-3179)
  * Added EULA display for addons (bsc#1170267)
  * Fix zypper argument for auto-agreeing licenses (bsc#1214781)
  * Fixed 'provides' to work with yast2-registration on SLE15 SP4 (bsc#1212799)
  * Improve error message if product set more than once
  * Keep keepalive timer states when replacing SUSEConnect (bsc#1211588)
  * Make keepalive on SUMA systems exit without error (bsc#1207876)
  * Add deactivate API to ruby bindings (bsc#1202705)
  * Don't write system_token to service credentials files
  * Allow non-root users to use --version
  * Fix keepalive feature notice during installation
  * Fix requires for all RHEL clone distributions like alma and rocky
  * Fix System-Token support in ruby binding (bsc#1203341)
  * Respect the PROXY_ENABLED environment variable
  * Use system-wide proxy settings (bsc#1200994)
  * Add customer information about keepalive calls
  * Fixes an issue when (bsc#1196076)
  * Print nested zypper errors (bsc#1200803)
  * Fix migration json error with SMT (bsc#1198625)
  * Allow reloading CA certs pool (bsc#1195220)
  * Fix product tree traversal (bsc#1197398)
  * Revert 'Remove self from LD_PRELOAD' (bsc#1196326)
  * Remove self from LD_PRELOAD (bsc#1196326)
  * Delegate free() calls back to Go (bsc#1195729)
  * Workaround system cert reloading after import (bsc#1195220)
  * Add -l as an alias for --list-extensions
  * Add --clean as an alias for --cleanup (bsc#1195003)
  * Add flag to import product repo keys (bsc#1174657)
  * Cleanup services during migration (bsc#1161891)
  * Allow non-root users to see usage text
  * Update code comments to match shim behavior.
  * Remove dependency on systemd
  * Add package search for YaST's 'Online Search'
  * Add CLI for zypper search-packages plugin
  * Add Requires that weren't explicit (bsc#1188646)
  * Fix list-extensions printing 'Not available' when using SCC
  * Write usage help to stdout like the Ruby version
  * Document advantage of suseconnect-ng
  * Add proxy auth support
  * Change order of usage help options to match the Ruby version
  * Add zypper service commands needed for registration
  * S390: set cpus, sockets, hypervisor and uuid hwinfo fields
  * Implement the system update part of registration
yast2-registration:
- Switch to the new SUSEConnect-ng (bsc#1212799)
- Fixes an issue with SSL root CA certificates. (bsc#1195220)
- Detection of base products coming from SCC (bsc#1194989, bsc#1217317)
-----------------------------------------
Patch: SUSE-2024-137
Released: Thu Jan 18 09:55:34 2024
Summary: Security update for pam
Severity: moderate
References: 1218475,CVE-2024-22365
Description:
This update for pam fixes the following issues:
- CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
-----------------------------------------
Patch: SUSE-2024-171
Released: Mon Jan 22 15:19:39 2024
Summary: Recommended update for ca-certificates
Severity: important
References: 1216685
Description:
This update for ca-certificates fixes the following issues:
- Invoke trust with the --overwrite option when running update-ca-certificates (bsc#1216685)
-----------------------------------------
Patch: SUSE-2024-174
Released: Tue Jan 23 04:59:32 2024
Summary: Recommended update for suseconnect-ng
Severity: critical
References: 1217961,1218364,1218649
Description:
This update for suseconnect-ng contains the following fixes:
- Update to version 1.6.0:
  * Disable EULA display for addons. (bsc#1218649 and bsc#1217961)
- Update to version 1.5.0:
  * Configure docker credentials for registry authentication
  * Feature: Support usage from Agama + Cockpit for ALP Micro system registration. (bsc#1218364)
  * Add --json output option
-----------------------------------------
Patch: SUSE-2024-181
Released: Tue Jan 23 11:28:17 2024
Summary: Recommended update for systemd
Severity: moderate
References: 1211576,1211725,1212207,1215241
Description:
This update for systemd fixes the following issues:
- man: document that PAMName= and NotifyAccess=all don't mix well
- man: add brief documentation for the (sd-pam) processes created due to PAMName=
- service: accept the fact that the three xyz_good() functions return ints
- service: drop _pure_ decorator on static function
- service: a cgroup empty notification isn't reason enough to go down (bsc#1212207)
- service: add explanatory comments to control_pid_good() and cgroup_good()
- service: fix main_pid_good() comment
- utmp-wtmp: handle EINTR gracefully when waiting to write to tty
- utmp-wtmp: fix error in case isatty() fails
- sd-netlink: handle EINTR from poll() gracefully, as success
- stdio-bridge: don't be bothered with EINTR
- sd-bus: handle -EINTR return from bus_poll() (bsc#1215241)
- libsystemd: ignore both EINTR and EAGAIN
- errno-util: introduce ERRNO_IS_TRANSIENT()
- man/systemd-fsck@.service: clarify passno and noauto combination in /etc/fstab (bsc#1211725)
- units/initrd-parse-etc.service: Conflict with emergency.target
- umount: /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576)
- core/mount: Don't unmount initramfs mounts
- man: describe that changing Storage= does not move existing data
-----------------------------------------
Patch: SUSE-2024-248
Released: Fri Jan 26 14:09:01 2024
Summary: Security update for cpio
Severity: moderate
References: 1218571,CVE-2023-7207
Description:
This update for cpio fixes the following issues:
- CVE-2023-7207: Fixed a path traversal
issue that could lead to an arbitrary file write during archive extraction (bsc#1218571). ----------------------------------------- Patch: SUSE-2024-437 Released: Thu Feb 8 17:43:52 2024 Summary: Security update for python Severity: moderate References: 1210638,CVE-2023-27043 Description: This update for python fixes the following issues: - CVE-2023-27043: Fixed incorrect parsing of e-mail addresses which contain a special character (bsc#1210638). ----------------------------------------- Patch: SUSE-2024-539 Released: Tue Feb 20 16:03:49 2024 Summary: Security update for libssh Severity: important References: 1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 Description: This update for libssh fixes the following issues: Update to version 0.9.8 (jsc#PED-7719): * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 (bsc#1189608, CVE-2021-3634) * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 Update to version 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * 
Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite Update to version 0.9.4: * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Update to version 0.9.3: * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095) * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state * SSH-01-006 General: Various unchecked Null-derefs cause DOS * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys * SSH-01-010 SSH: Deprecated hash function in fingerprinting * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access * SSH-01-001 State Machine: Initial machine states should be set explicitly * SSH-01-002 Kex: Differently bound macros used to iterate same array * SSH-01-005 Code-Quality: Integer sign confusion during assignments * SSH-01-008 SCP: Protocol Injection via unescaped File Names * SSH-01-009 SSH: Update documentation which RFCs are implemented * SSH-01-012 PKI: Information leak via uninitialized stack buffer Update to version 0.9.2: * Fixed libssh-config.cmake * Fixed issues with rsa algorithm negotiation (T191) * Fixed detection of OpenSSL ed25519 support (T197) Update to version 0.9.1: * Added support for Ed25519 via OpenSSL * Added support for X25519 via OpenSSL * Added support for localuser in Match keyword * Fixed Match keyword to be case sensitive * Fixed compilation with LibreSSL * Fixed error report of channel open (T75) * Fixed sftp documentation (T137) * Fixed known_hosts parsing (T156) * Fixed build issue with MinGW (T157) * Fixed build with gcc 9 (T164) * Fixed deprecation issues (T165) * Fixed known_hosts directory creation (T166) Update to version 0.9.0: * Added support for AES-GCM * Added 
improved rekeying support * Added performance improvements * Disabled blowfish support by default * Fixed several ssh config parsing issues * Added support for DH Group Exchange KEX * Added support for Encrypt-then-MAC mode * Added support for parsing server side configuration file * Added support for ECDSA/Ed25519 certificates * Added FIPS 140-2 compatibility * Improved known_hosts parsing * Improved documentation * Improved OpenSSL API usage for KEX, DH, and signatures - Add libssh client and server config files ----------------------------------------- Patch: SUSE-2024-556 Released: Tue Feb 20 17:22:41 2024 Summary: Security update for libxml2 Severity: moderate References: 1219576,CVE-2024-25062 Description: This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------- Patch: SUSE-2024-568 Released: Wed Feb 21 07:19:20 2024 Summary: Recommended update for suseconnect-ng Severity: important References: 1219425 Description: This update for suseconnect-ng fixes the following issues: - Allow SUSEConnect on read write transactional systems (bsc#1219425) ----------------------------------------- Patch: SUSE-2024-604 Released: Fri Feb 23 09:46:05 2024 Summary: Security update for openssh Severity: important References: 1218215,1220110,CVE-2023-51385 Description: This update for openssh fixes the following issues: - CVE-2023-51385: Fixed a command injection via user name or host name metacharacters (bsc#1218215). - Remember the state of sshd service during update / removal, to allow cut-over to a different openssh package. 
bsc#1220110 ----------------------------------------- Patch: SUSE-2024-783 Released: Wed Mar 6 17:03:41 2024 Summary: Security update for vim Severity: important References: 1215005,1217316,1217320,1217321,1217324,1217326,1217329,1217330,1217432,1219581,CVE-2023-4750,CVE-2023-48231,CVE-2023-48232,CVE-2023-48233,CVE-2023-48234,CVE-2023-48235,CVE-2023-48236,CVE-2023-48237,CVE-2023-48706,CVE-2024-22667 Description: This update for vim fixes the following issues: - CVE-2023-48231: Fixed Use-After-Free in win_close() (bsc#1217316). - CVE-2023-48232: Fixed Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320). - CVE-2023-48233: Fixed overflow with count for :s command (bsc#1217321). - CVE-2023-48234: Fixed overflow in nv_z_get_count (bsc#1217324). - CVE-2023-48235: Fixed overflow in ex address parsing (bsc#1217326). - CVE-2023-48236: Fixed overflow in get_number (bsc#1217329). - CVE-2023-48237: Fixed overflow in shift_line (bsc#1217330). - CVE-2023-48706: Fixed heap-use-after-free in ex_substitute (bsc#1217432). - CVE-2024-22667: Fixed stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581). - CVE-2023-4750: Fixed heap use-after-free in function bt_quickfix (bsc#1215005). 
Updated to version 9.1 with patch level 0111: https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111 ----------------------------------------- Patch: SUSE-2024-791 Released: Thu Mar 7 09:53:45 2024 Summary: Recommended update for timezone Severity: moderate References: Description: This update for timezone fixes the following issues: - Update to version 2024a - Kazakhstan unifies on UTC+5 - Palestine springs forward a week later than previously predicted in 2024 and 2025 - Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00 not 00:00 - From 1947 through 1949, Toronto's transitions occurred at 02:00 not 00:00 - In 1911 Miquelon adopted standard time on June 15, not May 15 - The FROM and TO columns of Rule lines can no longer be 'minimum' - localtime no longer mishandles some timestamps - strftime %s now uses tm_gmtoff if available - Ittoqqortoormiit, Greenland changes time zones on 2024-03-31 - Vostok, Antarctica changed time zones on 2023-12-18 - Casey, Antarctica changed time zones five times since 2020 - Code and data fixes for Palestine timestamps starting in 2072 - A new data file zonenow.tab for timestamps starting now - Much of Greenland changed its standard time from -03 to -02 on 2023-03-25 - localtime.c no longer mishandles TZif files that contain a single transition into a DST regime - tzselect no longer creates temporary files - tzselect no longer mishandles the following: * Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. 
* TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/ * ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments * Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension * zic no longer mishandles data for Palestine after the year 2075 ----------------------------------------- Patch: SUSE-2024-797 Released: Thu Mar 7 10:34:35 2024 Summary: Security update for sudo Severity: important References: 1219026,1220389,CVE-2023-42465 Description: This update for sudo fixes the following issues: - CVE-2023-42465: Try to make sudo less vulnerable to ROWHAMMER attacks (bsc#1219026). ----------------------------------------- Patch: SUSE-2024-814 Released: Fri Mar 8 09:31:47 2024 Summary: Security update for openssl-1_0_0 Severity: moderate References: 1219243,CVE-2024-0727 Description: This update for openssl-1_0_0 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). 
----------------------------------------- Patch: SUSE-2024-825 Released: Mon Mar 11 14:14:35 2024 Summary: Security update for cpio Severity: moderate References: 1218571,1219238,CVE-2023-7207 Description: This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using the --no-absolute-filenames option after the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238) ----------------------------------------- Patch: SUSE-2024-843 Released: Tue Mar 12 09:12:42 2024 Summary: Recommended update for libzypp Severity: moderate References: 1219442 Description: This update for libzypp fixes the following issues: - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - Update to version 16.22.12 ----------------------------------------- Patch: SUSE-2024-890 Released: Thu Mar 14 13:31:22 2024 Summary: Security update for sudo Severity: important References: 1221134,1221151,CVE-2023-42465 Description: This update for sudo fixes the following issues: - CVE-2023-42465: Fixed issues introduced by first patches (bsc#1221151, bsc#1221134). 
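The two cpio entries above (CVE-2023-7207, and the --no-absolute-filenames regression that its first fix introduced) describe a path traversal leading to an arbitrary file write during extraction. As an added illustration, not cpio's code and not part of the original patch list, here is the check an extractor can apply to every member name before writing it: lexical folding of '/', '.' and '..' (a leading '/' is dropped, which is what --no-absolute-filenames is meant to do), then resolution of each existing ancestor through symlinks, so that an archive which first plants 'escape -> /elsewhere' and then 'escape/x' is refused. The demo() scenario, its symlink name and the member names are constructed for this example.

```python
import os
import posixpath
import tempfile


def normalize_member(name: str, strip_absolute: bool = True):
    """Lexically normalise one archive member name.

    Returns (True, relative_path) or (False, reason).  A leading '/' is
    dropped rather than rejected when strip_absolute is set (the behaviour
    cpio's --no-absolute-filenames option provides); anything that still
    climbs above the extraction root after '.'/'..' folding is refused.
    """
    if not name or "\0" in name:
        return False, "empty name or NUL byte"
    if name.startswith("/"):
        if not strip_absolute:
            return False, "absolute path"
        name = name.lstrip("/")
        if not name:
            return False, "absolute path with no component"
    norm = posixpath.normpath(name)   # folds 'a/./b' and 'a/x/../b', keeps a leading '..'
    if norm == ".":
        return False, "refers to the extraction root itself"
    if norm == ".." or norm.startswith("../"):
        return False, "escapes the extraction root"
    return True, norm


def resolve_target(dest_dir: str, member: str, strip_absolute: bool = True):
    """Decide where `member` would land under dest_dir.

    Beyond the lexical check, every existing ancestor of the target is
    resolved through symlinks, so a symlink planted earlier in the same
    archive cannot redirect a later write outside dest_dir.  A target that
    already exists as a symlink is refused too (the extractor should unlink
    it first instead of writing through it).  Returns (True, absolute_path)
    or (False, reason).
    """
    ok, rel = normalize_member(member, strip_absolute)
    if not ok:
        return False, rel
    root = os.path.realpath(dest_dir)
    target = os.path.join(root, rel)
    parent = os.path.realpath(os.path.dirname(target))  # missing tail components are kept as-is
    if parent != root and not parent.startswith(root + os.sep):
        return False, "parent directory resolves outside the extraction root"
    final = os.path.join(parent, os.path.basename(target))
    if os.path.islink(final):
        return False, "target already exists as a symlink; unlink before writing"
    return True, final


def demo():
    """Constructed scenario (not from the page): an extraction root that already
    holds a symlink 'escape' pointing to a directory outside it.  Returns a
    member-name -> accepted mapping."""
    members = ["etc/motd", "/etc/motd", "../../etc/cron.d/job",
               "escape/evil", "sub/../ok.txt", "escape"]
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        os.symlink(outside, os.path.join(root, "escape"))
        return {m: resolve_target(root, m)[0] for m in members}


if __name__ == "__main__":
    for member, accepted in demo().items():
        print("accept" if accepted else "REJECT", member)
```

The lexical pass alone would have accepted "escape/evil"; only the realpath step catches it, which is why an extractor has to run both, and has to run them per member rather than once up front, since an earlier member can create the symlink.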
----------------------------------------- Patch: SUSE-2024-897 Released: Thu Mar 14 15:54:58 2024 Summary: Recommended update for wicked Severity: moderate References: 1215692,1218926,1218927,1219265,1219751 Description: This update for wicked fixes the following issues: - ifreload: VLAN changes require device deletion (bsc#1218927) - ifcheck: fix config changed check (bsc#1218926) - client: fix exit code for no-carrier status (bsc#1219265) - dhcp6: omit the SO_REUSEPORT option (bsc#1215692) - duid: fix comment for v6time - rtnl: fix peer address parsing for non ptp-interfaces - system-updater: Parse updater format from XML configuration to ensure install calls can run - team: add new options like link_watch_policy (jsc#PED-7183) - Fix memory leaks in dbus variant destroy and fsm free - xpath: allow underscore in node identifier - vxlan: don't format unknown rtnl attrs (bsc#1219751) ----------------------------------------- Patch: SUSE-2024-913 Released: Mon Mar 18 06:38:50 2024 Summary: Recommended update for shadow Severity: important References: 1188307 Description: This update for shadow fixes the following issues: - Fix passwd segfault when nsswitch.conf defines 'files compat' (bsc#1188307) ----------------------------------------- Patch: SUSE-2024-945 Released: Wed Mar 20 09:16:15 2024 Summary: Recommended update for suseconnect-ng Severity: important References: 1220679 Description: This update for suseconnect-ng fixes the following issues: - Allow '--rollback' flag to run on readonly filesystem (bsc#1220679) - Update to version 1.7.0 ----------------------------------------- Patch: SUSE-2024-996 Released: Tue Mar 26 10:44:23 2024 Summary: Recommended update for krb5 Severity: moderate References: Description: This update for krb5 fixes the following issues: This update updates krb5 to 1.16.3 (jsc#PED-7884). 
Most relevant changes: * Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will be created only for AES128 and AES256. This mitigates some types of password guessing attacks. * Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. ----------------------------------------- Patch: SUSE-2024-1062 Released: Thu Mar 28 15:56:18 2024 Summary: Recommended update for openssh Severity: moderate References: 1220110 Description: This update of openssh fixes the following issue: - remember the active state of the sshd service, so a seamless transition to openssh8.4 is possible. (bsc#1220110) ----------------------------------------- Patch: SUSE-2024-1123 Released: Mon Apr 8 07:06:16 2024 Summary: Recommended update for wicked Severity: important References: 1220996,1221194,1221358 Description: This update for wicked fixes the following issues: - Fix fallback-lease drop in addrconf (bsc#1220996) - Use upstream `nvme nbft show` (bsc#1221358) - Hide secrets in debug log (bsc#1221194) ----------------------------------------- Patch: SUSE-2024-1132 Released: Mon Apr 8 11:28:25 2024 Summary: Security update for ncurses Severity: moderate References: 1220061,CVE-2023-45918 Description: This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). 
----------------------------------------- Patch: SUSE-2024-1148 Released: Mon Apr 8 11:35:26 2024 Summary: Security update for krb5 Severity: important References: 1220770,1220771,CVE-2024-26458,CVE-2024-26461 Description: This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed a memory leak in pmap_rmt.c (bsc#1220770) - CVE-2024-26461: Fixed a memory leak in k5sealv3.c (bsc#1220771) ----------------------------------------- Patch: SUSE-2024-1150 Released: Mon Apr 8 11:35:53 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 Description: This update for curl fixes the following issues: - CVE-2024-2004: Fix the usage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------- Patch: SUSE-2024-1156 Released: Mon Apr 8 13:21:47 2024 Summary: Security update for nghttp2 Severity: important References: 1221399,CVE-2024-28182 Description: This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399) ----------------------------------------- Patch: SUSE-2024-1171 Released: Tue Apr 9 09:51:49 2024 Summary: Security update for util-linux Severity: important References: 1221831,CVE-2024-28085 Description: This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831) ----------------------------------------- Patch: SUSE-2024-1189 Released: Wed Apr 10 03:28:05 2024 Summary: Security update for less Severity: important References: 1219901,CVE-2022-48624 Description: This update for less fixes the following issues: - CVE-2022-48624: Fixed LESSCLOSE handling in less that does not quote shell metacharacters (bsc#1219901). 
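Every entry on this page follows one layout (a dash separator, then Patch:, Released:, Summary:, Severity:, References:, Description:, with "Version 12.5-BuildN.NN" markers interleaved), which makes it straightforward to answer the question a practitioner actually has: which patch shipped a given CVE, and which patches on the page are at or above a given severity. The parser below is an added example, not a SUSE tool. Its SAMPLE text is a constructed excerpt: two shortened entries copied from this page, one build marker, and one entry with an empty References: field. It is written for the flattened form shown here and works equally on the original line-broken file, since it splits on the separators rather than on newlines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Field order is fixed on this page, so the entry regex is anchored on it.
_SEP_RE = re.compile(r"-{20,}")
_VERSION_RE = re.compile(r"^Version\s+(?P<build>\S+)\s+(?P<stamp>\S+)")
_ENTRY_RE = re.compile(
    r"^Patch:\s*(?P<patch>\S+)\s+Released:\s*(?P<released>.*?)\s+Summary:\s*(?P<summary>.*?)\s+"
    r"Severity:\s*(?P<severity>\S+)\s+References:\s*(?P<refs>.*?)\s*Description:\s*(?P<desc>.*)$",
    re.S,
)
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}


@dataclass
class PatchEntry:
    patch: str
    released: str
    summary: str
    severity: str
    bugs: List[str] = field(default_factory=list)   # bsc/bnc numbers from References:
    cves: List[str] = field(default_factory=list)   # union of References: and Description:
    description: str = ""
    build: Optional[str] = None                     # nearest preceding "Version" marker


def parse_entries(text: str) -> List[PatchEntry]:
    """Split the patch log on its separators and parse each Patch: block."""
    entries: List[PatchEntry] = []
    build = None
    for chunk in _SEP_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = _VERSION_RE.match(chunk)
        if m:
            build = m.group("build")   # applies to every entry that follows it
            continue
        m = _ENTRY_RE.match(chunk)
        if not m:
            continue                   # stray text between separators is ignored
        refs = [r.strip() for r in m.group("refs").split(",") if r.strip()]
        cves = {r for r in refs if _CVE_RE.fullmatch(r)} | set(_CVE_RE.findall(m.group("desc")))
        entries.append(PatchEntry(
            patch=m.group("patch"),
            released=m.group("released").strip(),
            summary=m.group("summary").strip(),
            severity=m.group("severity").lower(),
            bugs=[r for r in refs if r.isdigit()],
            cves=sorted(cves),
            description=m.group("desc").strip(),
            build=build,
        ))
    return entries


def patches_for_cve(entries: List[PatchEntry], cve: str) -> List[str]:
    return [e.patch for e in entries if cve in e.cves]


def at_least(entries: List[PatchEntry], severity: str) -> List[str]:
    """Patch IDs whose severity is `severity` or higher (unknown labels rank below 'low')."""
    floor = SEVERITY_RANK[severity]
    return [e.patch for e in entries if SEVERITY_RANK.get(e.severity, -1) >= floor]


# Constructed sample in the page's own layout (the util-linux and less entries
# are real entries from this page, shortened; the timezone one shows an empty
# References: field).  Raw string, so the literal "\n" in the less text survives.
SAMPLE = r"""
----------------------------------------- Patch: SUSE-2024-1171 Released: Tue Apr 9 09:51:49 2024 Summary: Security update for util-linux Severity: important References: 1221831,CVE-2024-28085 Description: This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)
----------------------------------------- Version 12.5-Build4.74 2024-05-08T09:00:18
----------------------------------------- Patch: SUSE-2024-1550 Released: Tue May 7 16:23:48 2024 Summary: Security update for less Severity: important References: 1222849,CVE-2024-32487 Description: This update for less fixes the following issues: - CVE-2024-32487: Fixed mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)
----------------------------------------- Patch: SUSE-2024-791 Released: Thu Mar 7 09:53:45 2024 Summary: Recommended update for timezone Severity: moderate References: Description: This update for timezone fixes the following issues: - Update to version 2024a
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for e in entries:
        print(e.patch, e.severity, e.build, e.cves, e.bugs)
    print("CVE-2024-32487 ->", patches_for_cve(entries, "CVE-2024-32487"))
    print("important+ ->", at_least(entries, "important"))
```

Feed the whole page to parse_entries() and join the result against `zypper patches` (or `rpm -q --changelog`) output to find which CVE-carrying patches a given SLE 12 SP5 host still lacks; CVEs are taken from the description as well as the References: field because a few entries on this page mention a CVE only in one of the two.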
----------------------------------------- Patch: SUSE-2024-1334 Released: Thu Apr 18 14:44:04 2024 Summary: Recommended update for wicked Severity: moderate References: 1222105 Description: This update for wicked fixes the following issues: - Do not convert sec to msec twice (bsc#1222105) ----------------------------------------- Patch: SUSE-2024-1399 Released: Tue Apr 23 13:59:37 2024 Summary: Recommended update for systemd Severity: important References: 1220285 Description: This update for systemd fixes the following issues: - util: improve comments why we ignore EACCES and EPERM - util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed - namespace: don't fail on masked mounts (bsc#1220285) - man: Document ranges for distributions config files and local config files - Recommend drop-ins over modifications to the main config file - man: reword the description of 'main conf file' - man: rework section about configuration file precedence - man: document paths under /usr/local in standard-conf.xml ----------------------------------------- Patch: SUSE-2024-1455 Released: Fri Apr 26 18:17:43 2024 Summary: Recommended update for vim Severity: moderate References: 1220763 Description: This update for vim fixes the following issues: - Updated version with patch level 0330, fixes the following problems * vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1 (bsc#1220763) - Update spec.skeleton to use autosetup in place of setup macro. 
- for the complete list of changes see https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330 ----------------------------------------- Patch: SUSE-2024-1456 Released: Mon Apr 29 07:45:59 2024 Summary: Recommended update for krb5 Severity: important References: 1223122 Description: This update for krb5 fixes the following issues: - Fix warning executing %postun scriptlet (bsc#1223122) ----------------------------------------- Version 12.5-Build4.74 2024-05-08T09:00:18 ----------------------------------------- Patch: SUSE-2024-1550 Released: Tue May 7 16:23:48 2024 Summary: Security update for less Severity: important References: 1222849,CVE-2024-32487 Description: This update for less fixes the following issues: - CVE-2024-32487: Fixed mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849) ----------------------------------------- Version 12.5-Build4.79 2024-05-19T09:00:19 ----------------------------------------- Patch: SUSE-2024-1667 Released: Thu May 16 08:45:51 2024 Summary: Security update for python Severity: moderate References: 1214675,1219306,1219559,1220970,1222537,CVE-2022-48560,CVE-2023-27043,CVE-2023-52425 Description: This update for python fixes the following issues: - CVE-2023-52425: Fixed using the system libexpat (bsc#1219559). - CVE-2023-27043: Modified fix for unicode string handling in email.utils.parseaddr() (bsc#1222537). - CVE-2022-48560: Fixed use-after-free in Python via heappushpop in heapq (bsc#1214675). Bug fixes: - Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306). - Build with -std=gnu89 to build correctly with gcc14 (bsc#1220970). - Switch from %patchN style to the %patch -P N one. 
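Four entries on this page share one root cause, a string under remote or user control reaching a shell or a terminal without being neutralised: less with LESSCLOSE (CVE-2022-48624, SUSE-2024-1189) and LESSOPEN (CVE-2024-32487, SUSE-2024-1550), util-linux wall (CVE-2024-28085, SUSE-2024-1171) and the openssh ProxyCommand case (CVE-2023-51385, SUSE-2024-604). The block below is an added example and is not code from any of those projects: naive_quote() reproduces the double-quote wrapping pattern that still lets $(...) expand, safe_quote() shows the correct single-quote form via shlex.quote and round-trips it through /bin/sh so the difference is observable, neutralize_terminal() rewrites control characters in caret notation before text is relayed to someone else's tty, and valid_hostname()/valid_username() are my own, deliberately stricter allowlists in the spirit of the OpenSSH fix. The hostile sample strings are constructed.

```python
import re
import shlex
import subprocess

# Allowlists for values an SSH client interpolates into ProxyCommand (%h, %r).
# OpenSSH 9.6 refuses user and host names carrying shell metacharacters; these
# patterns are an assumption of this example (stricter than OpenSSH's checks),
# not OpenSSH's code.  Refusing a leading '-' also blocks option injection.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.@-]*$")


def valid_hostname(name: str) -> bool:
    return bool(_HOST_RE.match(name))


def valid_username(name: str) -> bool:
    return bool(_USER_RE.match(name))


def naive_quote(arg: str) -> str:
    """The pattern behind the LESSOPEN/LESSCLOSE class of bugs: wrapping in
    double quotes leaves $(...), backticks and \\ active inside the shell."""
    return '"' + arg + '"'


def safe_quote(arg: str) -> str:
    """shlex.quote single-quotes anything outside [A-Za-z0-9@%+=:,./_-]; inside
    single quotes the shell expands nothing and a newline stays part of the
    argument.  NUL cannot travel through argv at all, so refuse it outright."""
    if "\0" in arg:
        raise ValueError("NUL byte in argument")
    return shlex.quote(arg)


def run_printf(quoted: str) -> str:
    """Hand the already-quoted argument to /bin/sh the way a LESSOPEN-style
    command template would, and return exactly what printf received."""
    proc = subprocess.run(["sh", "-c", "printf '%s' " + quoted],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# C0 controls except TAB (0x09) and LF (0x0a), plus DEL.  C1 controls arriving
# as UTF-8 are out of scope here; a real filter for wall would handle them too.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def neutralize_terminal(text: str) -> str:
    """Rewrite control characters in caret notation (ESC -> '^[', BEL -> '^G',
    DEL -> '^?') so text relayed to another user's terminal cannot carry escape
    sequences (the CVE-2024-28085 class).  My own filter, not util-linux's."""
    def caret(m):
        c = ord(m.group(0))
        return "^?" if c == 0x7F else "^" + chr(c + 0x40)
    return _CONTROL_RE.sub(caret, text)


if __name__ == "__main__":
    hostile = "notes.txt;$(echo pwned)"
    print("naive :", repr(run_printf(naive_quote(hostile))))   # substitution ran
    print("quoted:", repr(run_printf(safe_quote(hostile))))    # literal name survived
    print(neutralize_terminal("\x1b]0;owned\x07plain text"))
    print(valid_hostname("host.example.com"), valid_hostname("`id`.example.com"))
```

The point of run_printf() is that the shell is real: with naive_quote() the substitution executes and printf sees "notes.txt;pwned", with safe_quote() it sees the literal file name, newline and single quote included. The general rule all four patches converge on is the same: either refuse the metacharacters at the boundary (the OpenSSH approach, valid_hostname()) or quote so that none of them remain active (safe_quote()), and never rely on double quotes.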
----------------------------------------- Patch: SUSE-2024-1675 Released: Fri May 17 09:52:43 2024 Summary: Security update for glibc Severity: important References: 1222992,1223423,1223424,1223425,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 Description: This update for glibc fixes the following issues: - nscd: Fixed use-after-free in addgetnetgrentX (BZ #23520) - CVE-2024-33599: nscd: Fixed Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677) - CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678) - CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678) - CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, bsc#1223425, BZ #31680) - CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425) - CVE-2024-2961: iconv: ISO-2022-CN-EXT: Fixed out-of-bound writes when writing escape sequence (bsc#1222992) ----------------------------------------- Version 12.5-Build4.80 2024-05-21T09:00:19 ----------------------------------------- Patch: SUSE-2024-1702 Released: Mon May 20 20:09:05 2024 Summary: Security update for krb5 Severity: moderate References: 1189929,CVE-2021-37750 Description: This update for krb5 fixes the following issues: Fixed inside previous release (v1.16.3-46.3.1): - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacked a server field (bsc#1189929). 
----------------------------------------- Version 12.5-Build4.84 2024-05-29T18:11:42 ----------------------------------------- Patch: SUSE-2024-1824 Released: Wed May 29 10:43:14 2024 Summary: Recommended update for wicked Severity: important References: 1205604,1218926,1219108,1224100 Description: This update for wicked fixes the following issues: - client: fix ifreload to pull UP ports/links again when the config of their master/lower changed (bsc#1224100) - Update to version 0.6.75: - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604) - Remove port arrays from bond,team,bridge,ovs-bridge (redundant) and consistently use config and state info attached to the port interface as in rtnetlink(7). - Cleanup ifcfg parsing, schema configuration and service properties - Migrate ports in xml config and policies already applied in nanny - Remove 'missed config' generation from finite state machine, which is completed while parsing the config or while xml config migration. - Issue a warning when 'lower' interface (e.g. eth0) config is missed while parsing config depending on it (e.g. eth0.42 vlan). - Resolve ovs master to the effective bridge in config and wickedd - Implement netif-check-state require checks using system relations from wickedd/kernel instead of config relations for ifdown and add linkDown and deleteDevice checks to all master and lower references. - Add a `wicked --dry-run …` option to show the system/config interface hierarchies as notice with +/- marked interfaces to setup and/or shutdown. 
----------------------------------------- Patch: SUSE-2024-1839 Released: Wed May 29 14:55:52 2024 Summary: Recommended update for suseconnect-ng Severity: important References: 1220679,1223107 Description: This update for suseconnect-ng fixes the following issues: - Version update * Fix certificate import for Yast when using a registration proxy with self-signed SSL certificate (bsc#1223107) * Allow '--rollback' flag to run on readonly filesystem (bsc#1220679) ----------------------------------------- Version 12.5-Build4.86 2024-06-02T09:00:19 ----------------------------------------- Patch: SUSE-2024-1844 Released: Wed May 29 21:40:41 2024 Summary: Security update for python Severity: moderate References: 1221854,CVE-2024-0450 Description: This update for python fixes the following issues: - CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854). ----------------------------------------- Patch: SUSE-2024-1878 Released: Fri May 31 06:48:55 2024 Summary: Recommended update for fdupes Severity: moderate References: 1200381 Description: This update for fdupes fixes the following issues: - Fix a race condition that could be exploited to delete arbitrary files (bsc#1200381) ----------------------------------------- Version 12.5-Build4.88 2024-06-11T09:00:19 ----------------------------------------- Patch: SUSE-2024-1960 Released: Mon Jun 10 12:53:00 2024 Summary: Recommended update for openldap2 Severity: moderate References: 1217985,1220787 Description: This update for openldap2 fixes the following issues: - Increase DH param minimums to 2048 bits (bsc#1220787) - Null pointer deref in referrals as part of ldap_chain_response() (bsc#1217985) ----------------------------------------- Version 12.5-Build4.91 2024-06-19T11:23:36 ----------------------------------------- Patch: SUSE-2024-2080 Released: Wed Jun 19 07:03:55 2024 Summary: Security update for libzypp, zypper Severity: moderate References: 1050625,1177583,1223971,CVE-2017-9271 
Description:
This update for libzypp, zypper fixes the following issues:

- CVE-2017-9271: Fixed proxy credentials written to log files (bsc#1050625).

The following non-security bugs were fixed:

- clean: Do not report an error if no repos are defined at all (bsc#1223971)

-----------------------------------------
Version 12.5-Build4.92 2024-06-20T09:00:21
-----------------------------------------
Patch: SUSE-2024-2087
Released: Wed Jun 19 11:50:01 2024
Summary: Recommended update for gcc13
Severity: moderate
References: 1188441,1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239
Description:
This update for gcc13 fixes the following issues:

- Update to GCC 13.3 release
- Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
- Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
- Make requirement to lld version specific to avoid requiring the meta-package.
- Fixed unwinding for JIT code. [bsc#1221239]
- Revert libgccjit dependency change. [bsc#1220724]
- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.
- Remove crypt and crypt_r interceptors in sanitizer. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
- Add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Includes fix for building TVM. [bsc#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
- Includes fix for building mariadb on i686. [bsc#1217667]
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

-----------------------------------------
Version 12.5-Build4.93 2024-06-23T09:00:21
-----------------------------------------
Patch: SUSE-2024-2154
Released: Fri Jun 21 16:15:09 2024
Summary: Security update for wget
Severity: moderate
References: 1226419,CVE-2024-38428
Description:
This update for wget fixes the following issues:

- CVE-2024-38428: Fix mishandled semicolons in the userinfo subcomponent of a URI. (bsc#1226419)

-----------------------------------------
Version 12.5-Build4.94 2024-06-24T14:08:03
-----------------------------------------
Patch: SUSE-2024-2175
Released: Mon Jun 24 08:03:39 2024
Summary: Recommended update for wicked
Severity: important
References: 1218668
Description:
This update for wicked fixes the following issues:

- Fix VLANs/bonds randomly not coming up after reboot or wicked restart (bsc#1218668)

-----------------------------------------
Version 12.5-Build4.96 2024-06-26T09:00:22
-----------------------------------------
Patch: SUSE-2024-2213
Released: Tue Jun 25 17:11:09 2024
Summary: Recommended update for util-linux
Severity: important
References: 1215918
Description:
This update for util-linux fixes the following issue:

- fix Xen virtualization type misidentification (bsc#1215918)

-----------------------------------------
Version 12.5-Build4.98 2024-07-03T14:51:38
-----------------------------------------
Patch: SUSE-2024-2288
Released: Wed Jul 3 08:26:46 2024
Summary: Security update for libxml2
Severity: low
References: 1224282,CVE-2024-34459
Description:
This update for libxml2 fixes the following issues:

- CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

-----------------------------------------
Version 12.5-Build4.99 2024-07-04T16:21:51
-----------------------------------------
Patch: SUSE-2024-2300
Released: Thu Jul 4 11:03:50 2024
Summary: Security update for krb5
Severity: important
References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371
Description:
This update for krb5 fixes the following issues:

- CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields being erroneously accepted (bsc#1227186).
- CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

-----------------------------------------
Version 12.5-Build4.102 2024-07-22T09:00:21
-----------------------------------------
Patch: SUSE-2024-2569
Released: Mon Jul 22 08:08:28 2024
Summary: Recommended update for zypper
Severity: important
References: 1224771
Description:
This update for zypper fixes the following issues:

- Show rpm install size before installing (bsc#1224771)

-----------------------------------------
Version 12.5-Build4.104 2024-07-24T09:00:19
-----------------------------------------
Patch: SUSE-2024-2603
Released: Tue Jul 23 12:37:14 2024
Summary: Security update for shadow
Severity: important
References: 916845,CVE-2013-4235
Description:
This update for shadow fixes the following issues:

- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

-----------------------------------------
Version 12.5-Build4.106 2024-07-31T15:33:10
-----------------------------------------
Patch: SUSE-2024-2673
Released: Wed Jul 31 06:56:40 2024
Summary: Recommended update for wicked
Severity: important
References: 1225976,1226125,1226664
Description:
This update for wicked fixes the following issues:

- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of infiniband children
- client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
- arputil: Document minimal interval for getopts
- man: (re)generate man pages from md sources
- client: warn on interface wait time reached
- compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces
- compat-suse: fix infiniband and infiniband child type detection from ifname

-----------------------------------------
Version 12.5-Build4.109 2024-08-06T09:00:22
-----------------------------------------
Patch: SUSE-2024-2743
Released: Mon Aug 5 17:49:08 2024
Summary: Recommended update for suseconnect-ng
Severity: important
References: 1219004,1223107,1226128
Description:
This update for suseconnect-ng fixes the following issues:

- Version update
  * Added uname as collector
  * Added SAP workload detection
  * Added detection of container runtimes
  * Multiple fixes on ARM64 detection
  * Use `read_values` for the CPU collector on Z
  * Fixed data collection for ppc64le
  * Grab the home directory from /etc/passwd if needed (bsc#1226128)
  * Build zypper-migration and zypper-packages-search as standalone binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose contents are backed up and restored if a zypper-migration rollback happens (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation self-signed SSL certificate (bsc#1223107)

-----------------------------------------
Version 12.5-Build4.110 2024-08-07T09:00:23
-----------------------------------------
Patch: SUSE-2024-2767
Released: Tue Aug 6 10:55:19 2024
Summary: Security update for ca-certificates-mozilla
Severity: important
References: 1220356,1227525
Description:
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020
- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3

-----------------------------------------
Version 12.5-Build4.111 2024-08-08T18:03:39
-----------------------------------------
Patch: SUSE-2024-2805
Released: Wed Aug 7 09:48:45 2024
Summary: Security update for shadow
Severity: moderate
References: 916845,CVE-2013-4235
Description:
This update for shadow fixes the following issues:

- CVE-2013-4235: Fixed TOCTOU race condition (bsc#916845)

-----------------------------------------
Version 12.5-Build4.116 2024-08-16T15:13:01
-----------------------------------------
Patch: SUSE-2024-2938
Released: Thu Aug 15 17:49:05 2024
Summary: Security update for curl
Severity: moderate
References: 1228535,CVE-2024-7264
Description:
This update for curl fixes the following issues:

- CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535)

-----------------------------------------
Version 12.5-Build4.119 2024-08-20T09:00:23
-----------------------------------------
Patch: SUSE-2024-2965
Released: Mon Aug 19 15:32:07 2024
Summary: Recommended update for util-linux
Severity: important
References: 1222285
Description:
This update for util-linux fixes the following issues:

- Don't delete binaries not common for all architectures. Create a util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
- fix Xen virtualization type misidentification.

-----------------------------------------
Version 12.5-Build4.120 2024-08-20T15:49:49
-----------------------------------------
Patch: SUSE-2024-2972
Released: Tue Aug 20 08:14:12 2024
Summary: Recommended update for systemd
Severity: moderate
References: 1226095
Description:
This update for systemd fixes the following issues:

- Dynamically allocate the receive buffer (bsc#1226095)

-----------------------------------------
Version 12.5-Build4.121 2024-08-21T09:00:26
-----------------------------------------
Patch: SUSE-2024-2989
Released: Tue Aug 20 16:17:10 2024
Summary: Security update for openssl-1_0_0
Severity: moderate
References: 1227138,1227227,1228291,CVE-2024-5535
Description:
This update for openssl-1_0_0 fixes the following issues:

- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138, bsc#1227227)

-----------------------------------------
Version 12.5-Build4.122 2024-08-26T09:00:23
-----------------------------------------
Patch: SUSE-2024-3004
Released: Fri Aug 23 13:27:40 2024
Summary: Security update for expat
Severity: moderate
References: 1219559,1221563,CVE-2023-52425
Description:
This update for expat fixes the following issues:

- CVE-2023-52425: denial of service (resource consumption) caused by processing large tokens (bsc#1219559)

-----------------------------------------
Version 12.5-Build4.124 2024-08-26T17:14:28
-----------------------------------------
Patch: SUSE-2024-3011
Released: Mon Aug 26 13:15:05 2024
Summary: Recommended update for suse-build-key
Severity: moderate
References: 1229339
Description:
This update for suse-build-key fixes the following issue:

- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028 (bsc#1229339).

-----------------------------------------
Version 12.5-Build4.125 2024-09-03T09:00:24
-----------------------------------------
Patch: SUSE-2024-3069
Released: Mon Sep 2 14:29:49 2024
Summary: Recommended update for util-linux
Severity: moderate
References: 1194818
Description:
This update for util-linux fixes the following issue:

- agetty: Prevent login cursor escape (bsc#1194818).

-----------------------------------------
Version 12.5-Build4.127 2024-09-10T10:41:40
-----------------------------------------
Patch: SUSE-2024-3182
Released: Mon Sep 9 16:41:38 2024
Summary: Security update for expat
Severity: moderate
References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492
Description:
This update for expat fixes the following issues:

- CVE-2024-45492: Detect integer overflow in function nextScaffoldPart. (bsc#1229932)
- CVE-2024-45491: Detect integer overflow in dtdCopy. (bsc#1229931)
- CVE-2024-45490: Reject negative len for XML_ParseBuffer. (bsc#1229930)

-----------------------------------------
Patch: SUSE-2024-3184
Released: Tue Sep 10 07:31:28 2024
Summary: Recommended update for pam
Severity: moderate
References: 1194818
Description:
This update for pam fixes the following issues:

- Prevent cursor escape from the login prompt (bsc#1194818)

-----------------------------------------
Version 12.5-Build4.128 2024-09-11T14:35:40
-----------------------------------------
Patch: SUSE-2024-3203
Released: Wed Sep 11 10:55:06 2024
Summary: Security update for curl
Severity: moderate
References: 1230093,CVE-2024-8096
Description:
This update for curl fixes the following issues:

- CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

-----------------------------------------
Version 12.5-Build4.133 2024-09-19T16:38:53
-----------------------------------------
Patch: SUSE-2024-3327
Released: Thu Sep 19 09:36:57 2024
Summary: Recommended update for suseconnect-ng
Severity: important
References: 1229014,1230229
Description:
This update for suseconnect-ng fixes the following issues:

- Set the filesystem root on zypper when given (bsc#1230229, bsc#1229014)

-----------------------------------------
Version 12.5-Build4.136 2024-09-26T15:41:12
-----------------------------------------
Patch: SUSE-2024-3448
Released: Thu Sep 26 08:48:25 2024
Summary: Recommended update for grep
Severity: important
References: 1227099
Description:
This update for grep fixes the following issues:

- Don't assume that a pcre_exec call that returns PCRE_ERROR_NOMATCH leaves its sub argument alone (bsc#1227099)

-----------------------------------------
Version 12.5-Build4.138 2024-09-28T09:00:25
-----------------------------------------
Patch: SUSE-2024-3474
Released: Fri Sep 27 15:08:47 2024
Summary: Recommended update for curl
Severity: moderate
References: 1230516
Description:
This update for curl fixes the following issue:

- Make special characters in URL work with aws-sigv4 (bsc#1230516).

-----------------------------------------
Patch: SUSE-2024-3484
Released: Fri Sep 27 19:53:39 2024
Summary: Recommended update for SLES-release
Severity: moderate
References:
Description:
This update for SLES-release provides the following fix:

- Adjust the EOL date for the product.

-----------------------------------------
Version 12.5-Build4.141 2024-10-11T09:00:24
-----------------------------------------
Patch: SUSE-2024-3581
Released: Thu Oct 10 08:45:01 2024
Summary: Recommended update for wicked
Severity: moderate
References: 1229555
Description:
This update for wicked fixes the following issue:

- compat-suse: fix dummy interfaces configuration with `INTERFACETYPE=dummy` (bsc#1229555).

-----------------------------------------
Version 12.5-Build4.144 2024-10-22T09:00:24
-----------------------------------------
Patch: SUSE-2024-3723
Released: Fri Oct 18 09:45:27 2024
Summary: Recommended update for apparmor
Severity: moderate
References: 1230541
Description:
This update for apparmor fixes the following issues:

- apparmor: Allow ping to use IPv6 RAW sockets (bsc#1230541).

-----------------------------------------
Patch: SUSE-2024-3724
Released: Fri Oct 18 09:45:36 2024
Summary: Recommended update for iputils
Severity: moderate
References: 1017616,1057664,1065835,1072460,1082788,1196840,1199918,1199926,1199927,1221439,674304,795788,860616,860655,927831
Description:
This update for iputils fixes the following issues:

Update to version s20161105 (bsc#1221439 jsc#PED-9524):

- This version can use ICMP datagram sockets without CAP_NET_RAW capabilities.

Full changelog:

  * ping: eliminate deadcode & simplify
  * ping: do not allow oversized packets to root
  * correctly initialize first hop
  * ping: fix ping -6 -I
  * arping,doc: fix documentation of -I
  * ping: fix error message when getting EACCES from connect()
  * renamed INSTALL to INSTALL.md
  * ping: Silence GCC warnings when building with -fstrict-aliasing
  * tftpd: Drop supplementary groups for root
  * libgcrypt: fix static linking
  * doc: Inserted a missing word
  * tracepath6: avoid redundant family variable
  * tracepath: borrow everything good from tracepath6
  * tracepath: switch to dual-stack operation
  * tracepath: remove now redundant tracepath6
  * docs: fix parallel build of manpages
  * ping: remove assignments of values that are never read
  * docs: remove references to ping6 and traceroute6
  * ping: work with older kernels that don't support ping sockets
  * Revert 'ping_common.c: fix message flood when EPERM is encountered in ping'
  * reorder -I option parsing (bsc#1057664)
  * ping: also bind the ICMP socket to the specific device
- tracepath6 is now symlink to tracepath.
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
- Backport license information from upstream (bsc#1082788):
- Fix PMTU discovery in ping6. (bsc#1072460)
- Install rdisc as rdisc, do not use in.rdisc anymore (xinetd which was using in.* names is obsolete anyways)
- iputils: remove man pages of unused binaries: ninfod, pg3, rdisc (rdisc is in a separate package)
- Add systemd service for rarpd
- mark ping also verify not caps, as these are changed by the permissions package. (bsc#1065835)
- Reintroduce rarpd as subpackage
- Explicitly list content in filelist as we have two subpackages now

Update to version s20161105 (Changes taken from the RELNOTES file):

  * ping: eliminate deadcode & simplify
  * ping: do not allow oversized packets to root
  * correctly initialize first hop
  * ping: fix ping -6 -I
  * arping,doc: fix documentation of -I
  * ping: fix error message when getting EACCES from connect()
  * renamed INSTALL to INSTALL.md
  * (re)structured INSTALL.md and transformed into markdown; added hint that installation into prefix has to be done with DESTDIR make variable and that there's no prefix support in configure, close #21
  * ping: Silence GCC warnings when building with -fstrict-aliasing
  * tftpd: Drop supplementary groups for root
  * libgcrypt: fix static linking
  * doc: Inserted a missing word
  * tracepath6: avoid redundant family variable
  * tracepath: borrow everything good from tracepath6
  * tracepath: switch to dual-stack operation
  * tracepath: remove now redundant tracepath6
  * docs: fix parallel build of manpages
  * ping: remove assignments of values that are never read
  * docs: remove references to ping6 and traceroute6
  * ping: work with older kernels that don't support ping sockets
  * Revert 'ping_common.c: fix message flood when EPERM is encountered in ping'
  * reorder -I option parsing (bsc#1057664)
  * ping: also bind the ICMP socket to the specific device
- tracepath6 is now symlink to tracepath.
- Add ping6 symlink (bsc#1017616)
- do not install rarpd and rarpd.8 manpage (comes from rarpd rpm currently)

Update to version s20160308 (Changes taken from the RELNOTES file):

  * use syntax compatible with busybox date in Makefile
  * 'admin prohibited' should print !X not !S.
  * Makefile: use #define as in previous code changes
  * doc/Makefile: require bash, because we use pushd and popd
  * doc: don't timestamp manpages by default
  * ping: status() now returns received/transmitted instead of trans/recv
  * ping: don't mess with internals of struct msghdr
  * ping: ICMP error replies while errno < 0 is a hard error
  * ping: always use POSIX locale when parsing -i
  * ping: link against libm
  * made ping functions protocol independent
  * ping: perform dual-stack ping by default
  * ping: remove obsolete preprocessor directives
  * ping: avoid name clashes between IPv4 and IPv6 code
  * ping: merge all ping header files into a single one
  * ping: merge `ping6` command into `ping`
  * ping: refactor ping options
  * ping: refactor ping socket code
  * ping: merge IPv4 and IPv6 `pr_addr()`
  * ping: fix defines and libs in Makefile
  * ping: handle single protocol systems
  * iputils ping/ping6: Add a function to check if a packet is ours
  * ping: Add to fix compilation error.
  * ping6: Use GNUTLS API directly for MD5. (v2)
  * ping6: Use libgcrypt instead of gnutls for MD5.
  * Allow ping to use IPv6 addresses
  * ping,ping6 doc: More description on CAP_NET_RAW usage.
  * if IPv4 resolving fails fallback to ping6
  * ping: in usage print the 'ping -6' options as well
  * ping: allow option -4 which forces IPv4
  * combine sock and errno into a single structure
  * This patch allows running ping and ping6 without root privileges on
  * use better names for socket variables
  * tracepath,doc: fix corrupted tag
  * doc: ping: add missing options and remove ping6
  * ninfod: remove unused variables
  * ninfod: Regenerate configure by autoconf-2.69.
  * ninfod: libgcrypt support.
  * Fix building with musl
  * travis.yml: install nettle-dev
  * Allow using nettle instead of libgcrypt for MD5
  * avoid compiler warning caused by snapshot.h
  * make `getaddrinfo()` and `getnameinfo()` usage consistent
  * enable IDN by default
  * remove IPV4_TARGETS and IPV6_TARGETS
  * Use svg instead of png to get better image quality
  * spec: Configure before building ninfod.
  * spec: Fix date in %changelog.
- Use Provides: for old /{,s}bin utils to satisfy reverse dependencies.
- Install utilities to /bin and /sbin until reverse dependencies are properly fixed.
- Do not install tftp and traceroute to avoid conflicts with the tftp and traceroute packages. Stick to what iputils used to provide in the past.
- Install tracepath to /usr/bin. (bsc#795788)

Update to version s20150815

  * use syntax compatible with busybox date in Makefile
  * Makefile: use #define as in previous code changes
  * ping: status() now returns received/transmitted instead of trans/recv
  * ping: don't mess with internals of struct msghdr
  * tracepath,doc: fix corrupted tag
  * made ping functions protocol independent
  * Allow ping to use IPv6 addresses
  * if IPv4 resolving fails fallback to ping6
  * ping: in usage print the 'ping -6' options as well
  * ping: allow option -4 which forces IPv4
  * combine sock and errno into a single structure
  * This patch allows running ping and ping6 without root privileges on
  * use better names for socket variables
  * travis.yml: install nettle-dev
  * Allow using nettle instead of libgcrypt for MD5
  * avoid compiler warning caused by snapshot.h
  * make `getaddrinfo()` and `getnameinfo()` usage consistent
  * enable IDN by default
  * ping: perform dual-stack ping by default
  * remove IPV4_TARGETS and IPV6_TARGETS
  * ping: remove obsolete preprocessor directives
  * ping: avoid name clashes between IPv4 and IPv6 code
  * ping: merge all ping header files into a single one
  * ping: merge `ping6` command into `ping`
  * ping: refactor ping options
  * ping: refactor ping socket code
  * ping: merge IPv4 and IPv6 `pr_addr()`
  * Use svg instead of png to get better image quality
  * iputils ping/ping6: Add a function to check if a packet is ours
  * ping: Add to fix compilation error.
  * ping6: Use GNUTLS API directly for MD5. (v2)
  * ping6: Use libgcrypt instead of gnutls for MD5.
  * ninfod: Regenerate configure by autoconf-2.69.
  * ninfod: libgcrypt support.
  * spec: Configure before building ninfod.
  * spec: Fix date in %changelog.
  * make,spec: Add rpm target.
  * ping,ping6 doc: More description on CAP_NET_RAW usage.
- Fixed ping segfaults (bsc#860616,bsc#860655)

-----------------------------------------
Version 12.5-Build4.146 2024-10-29T09:00:24
-----------------------------------------
Patch: SUSE-2024-3761
Released: Mon Oct 28 10:22:23 2024
Summary: Recommended update for gcc13
Severity: moderate
References: 1231833
Description:
This update for gcc13 fixes the following issues:

- Fixed parsing tzdata 2024b [gcc#116657]