SUSE Container Update Advisory: suse/ltss/sle12.5/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2024:4514-1 Container Tags : suse/ltss/sle12.5/sles12sp5:8.5.7 , suse/ltss/sle12.5/sles12sp5:latest Container Release : 8.5.7 Severity : critical Type : security References : 1000396 1000662 1001299 1003714 1005544 1008325 1009745 1009966 1010675 1010675 1010845 1010996 1010996 1013286 1013930 1014151 1014873 1015565 1017497 1019276 1020108 1020143 1024989 1025709 1025743 1026567 1027496 1027925 1028305 1028410 1029561 1029961 1030066 1030472 1030476 1030621 1030803 1030805 1030807 1032445 1033084 1033085 1033087 1033088 1033089 1033090 1034563 1035062 1035371 1035818 1036304 1036659 1036736 1036895 1037824 1038189 1038444 1038549 1038984 1038984 1039063 1039063 1039064 1039064 1039066 1039066 1039069 1039069 1039661 1039661 1039941 1040613 1040621 1042326 1042781 1043059 1043218 1043237 1043333 1043333 1043580 1044232 1044337 1044887 1044894 1045735 1045735 1045735 1045943 1046417 1046607 1046659 1046853 1046853 1046858 1046858 1047008 1047178 1047233 1047236 1047240 1047247 1047785 1047785 1047964 1047965 1048315 1049344 1049577 1049825 1049825 1050467 1050467 1050625 1051626 1052182 1052837 1053409 1053671 1054088 1054671 1055920 1056126 1056127 1056127 1056128 1056128 1056129 1056129 1056131 1056131 1056132 1056132 1056136 1056136 1056437 1057188 1057452 1057634 1057640 1057721 1057724 1058695 1058722 1058783 1059065 1059723 1061384 1061667 1062561 1062591 1062592 1063269 1064455 1064455 1064455 1064999 1067605 1068565 1068565 1068708 1068967 1069689 1069934 1070851 1070878 1070958 1071152 1071152 1071390 1071390 1071466 1073879 1074621 1074687 1075449 1075978 1076192 1076415 1076810 1076832 1076909 1077635 1077692 1077993 1078806 1078813 1079334 1079674 1079991 1080078 1081947 1082022 1082216 1082216 1082216 1082233 1082233 1082233 1082234 1082234 1082234 1082318 1082318 1082318 1083189 1083290 1083571 1083671 1083946 1084300 1084671 1084671 1084812 1084812 1084842 1084934 1085003 1085512 1085664 1086247 1086602 1087550 1087550 1087930 1088255 1088279 1088524 1088601 1088639 1088705 1089884 1089938 1090766 1090766 1090766 1091624 1092100 1092100 1092100 1092413 1093414 1094121 1094222 1095148 1095969 1096282 1096282 1096282 1096718 1096718 1096745 1096803 1096974 1096984 1097410 1097410 1097410 1097665 1098535 1099847 1099982 1100028 1100078 1100396 1100415 1100415 1101349 1102046 1102145 1102310 1102429 1102564 1102840 1104780 1105166 1105435 1106014 1106383 1106390 1107067 1107430 1109877 1109893 1110146 1110542 1110661 1110929 1111319 1111973 1112209 1112438 1112723 1112726 1112911 1113100 1113117 1113296 1113534 1113652 1113742 1114592 1114674 1115020 1115500 1115929 1116544 1116995 1117355 1117951 1117993 1118364 1119496 1120629 1120629 1120630 1120630 1120631 1120631 1121446 1121450 1121753 1122729 1123685 1123886 1123919 1124847 1125007 1125535 1125689 1126117 1126118 1126119 1126613 1127080 1127155 1127155 1127223 1127308 1127557 1128246 1128383 1128574 1130324 1131291 1131330 1131823 1131823 1131830 1131994 1132678 1133495 1134226 1134550 1134616 1135254 1135709 1136298 1137977 1137977 1138731 1138793 1139083 1139083 1139459 1139459 1139519 1139937 1140039 1140631 1141093 1141597 1141897 1142649 1142654 1144169 1145521 1145716 1146182 1146184 1146415 1148517 1148987 1149127 1149145 1149332 1149429 1149911 1149995 1150003 1150250 1150595 1150734 1151377 1151506 1151577 1151708 1152101 1152590 1153386 1153557 1154036 1154037 1154043 1154247 1154256 1154661 1154871 1154948 1155199 1155338 1155339 1155346 1155574 1155939 1156159 1156276 1156482 1157198 1157315 1157578 1157794 1157893 1157960 1158095 1158095 1158095 1158586 1158763 1158809 1158916 1158996 1159162 1159814 1159928 1160039 1160160 1160285 1160571 1160594 1160764 1160979 1161262 1161436 1161510 1161517 1161521 1161779 1162108 1162698 1162721 1162879 1162930 1163834 1163922 1164538 1165633 1165784 1165915 1165919 1166260 1166301 1166334 1166510 1167622 1167631 1167898 1168235 1168389 1168699 1168699 1169006 1169488 1169947 1170347 1170601 1171145 1171863 1171864 1171866 1171878 1171883 1171962 1172021 1172042 1172085 1172265 1172295 1172427 1172798 1172846 1172973 1172974 1173027 1173227 1173474 1173475 1173593 1173593 1173972 1174080 1174215 1174436 1174551 1174660 1174673 1174713 1174736 1174753 1174817 1174942 1175109 1175168 1175514 1175623 1175811 1175830 1175831 1176029 1176123 1176179 1176201 1176410 1176513 1176759 1176800 1177143 1177369 1177458 1177479 1177510 1177575 1177583 1177673 1177793 1177864 1177976 1178038 1178219 1178236 1178386 1178554 1178561 1178577 1178624 1178675 1178727 1178823 1178825 1178925 1178966 1179363 1179398 1179399 1179491 1179515 1179593 1179694 1179721 1179824 1179847 1180020 1180020 1180038 1180064 1180065 1180073 1180083 1180225 1180225 1180596 1180777 1180885 1180959 1180995 1180995 1181358 1181365 1181443 1181505 1181636 1181994 1182016 1182058 1182117 1182138 1182331 1182333 1182899 1183094 1183543 1183545 1183632 1183659 1183790 1183933 1184034 1184362 1184434 1184690 1184761 1184967 1185046 1185299 1185331 1185337 1185408 1185408 1185409 1185409 1185410 1185410 1185562 1185698 1185807 1186015 1186114 1186229 1186489 1186503 1186827 1187153 1187212 1187273 1187466 1187760 1187784 1187784 1187911 1188006 1188018 1188063 1188063 1188217 1188218 1188219 1188220 1188291 1188307 1188441 1188623 1188698 1188891 1188921 1189206 1189465 1189465 1189465 1189480 1189521 1189521 1189608 1189622 1189738 1189738 1189738 1189929 1190354 1190373 1190374 1190530 1190793 1190858 1190885 1190984 1191194 1191194 1191227 1191286 1191399 1191502 1191648 1191736 1191835 1192620 1192681 1192684 1192688 1192717 1192785 1192790 1192951 1193296 1193478 1193480 1193483 1193533 1193625 1193659 1193690 1193841 1194038 1194038 1194251 1194362 1194474 1194476 1194477 1194478 1194479 1194480 1194640 1194642 1194768 1194770 1194818 1194818 1194845 1194848 1194859 1195048 1195054 1195217 1195283 1195485 1195529 1195628 1195899 1196025 1196025 1196026 1196036 1196107 1196168 1196169 1196171 1196187 1196249 1196317 1196443 1196490 1196494 1196495 1196645 1196784 1196812 1196852 1196861 1196877 1197065 1197178 1197244 1197443 1197459 1197674 1198062 1198139 1198341 1198383 1198446 1198507 1198608 1198614 1198627 1198731 1198766 1199079 1199132 1199166 1199223 1199224 1199232 1199240 1199273 1200095 1200550 1200735 1200737 1200842 1201225 1201354 1201627 1201929 1201978 1201978 1202062 1202175 1202593 1202868 1203018 1203248 1203249 1203320 1203438 1203652 1203652 1203911 1204357 1204366 1204367 1204383 1204423 1204548 1204690 1204708 1204968 1205000 1205000 1206212 1206309 1206480 1206513 1206579 1206622 1206684 1206985 1207533 1207534 1207534 1207536 1207992 1208329 1208958 1209209 1209210 1209211 1209212 1209214 1209624 1209873 1209878 1210164 1210411 1210411 1210412 1210412 1210434 1210507 1210557 1210593 1210959 1210999 1211188 1211190 1211230 1211231 1211232 1211233 1211419 1211427 1211430 1211576 1211725 1211795 1212101 1212187 1212207 1212955 1212999 1213237 1213487 1213853 1213865 1213915 1214052 1214052 1214248 1214290 1214460 1214768 1214806 1214934 1215026 1215241 1215286 1215427 1215504 1215594 1215713 1215888 1215889 1215918 1216064 1216123 1216129 1216174 1216378 1216664 1216685 1216825 1216922 1216987 1217450 1217573 1217574 1217667 1217948 1217985 1218014 1218126 1218186 1218209 1218475 1218492 1218571 1218571 1219031 1219238 1219243 1219442 1219520 1219559 1219576 1219855 1220061 1220285 1220356 1220716 1220724 1220770 1220771 1220787 1221239 1221399 1221563 1221665 1221667 1221831 1222285 1222992 1223122 1223423 1223424 1223425 1223971 1224282 1224771 1226095 1227138 1227186 1227187 1227227 1227525 1228291 1228535 1229339 1229930 1229931 1229932 1230093 184501 408814 428822 556664 658010 661410 829717 888308 888534 889138 889990 892431 894610 896202 896435 898003 899524 899871 900275 900276 901202 901845 902367 905483 906574 906574 906803 907074 907456 908128 908516 910252 910252 910253 910253 910904 911228 911662 912922 913650 913651 916845 916845 917152 917169 918089 918090 919274 920057 920057 920386 922534 924525 924687 924960 924960 926412 926826 927993 928292 928740 929919 930176 931932 932232 932894 933029 933288 933288 933878 933878 934689 934920 936050 936227 936227 937823 938343 939392 939460 940315 941234 941922 942865 942865 943457 943457 944903 945842 945899 952151 952347 953130 953532 953659 953831 953831 954002 954661 955382 955753 957566 957566 957567 957567 957598 957598 957600 957600 959693 960820 960837 960837 962765 962914 963448 964063 964140 964468 965322 965780 965902 966220 966514 967082 967728 967838 968771 969569 970260 970882 971741 971741 972127 972127 973042 979261 979441 979629 979906 980391 981114 981616 983206 983215 983216 984906 985657 986783 986935 987887 988311 992966 994157 994794 996280 996511 999735 CVE-2009-5155 CVE-2012-6702 CVE-2013-4235 CVE-2013-4235 CVE-2013-6435 CVE-2014-3591 CVE-2014-3710 CVE-2014-8116 CVE-2014-8116 CVE-2014-8117 CVE-2014-8117 CVE-2014-8118 CVE-2014-8964 CVE-2014-8964 CVE-2014-9087 CVE-2014-9112 CVE-2014-9447 CVE-2014-9620 CVE-2014-9621 CVE-2014-9653 CVE-2015-0837 CVE-2015-1283 CVE-2015-1606 CVE-2015-1607 CVE-2015-2325 CVE-2015-2325 CVE-2015-2327 CVE-2015-2327 CVE-2015-2328 CVE-2015-2328 CVE-2015-3210 CVE-2015-3210 CVE-2015-3217 CVE-2015-3217 CVE-2015-3238 CVE-2015-5073 CVE-2015-5073 CVE-2015-5180 CVE-2015-5186 CVE-2015-5276 CVE-2015-7511 CVE-2015-8380 CVE-2015-8380 CVE-2015-8381 CVE-2015-8381 CVE-2015-8382 CVE-2015-8382 CVE-2015-8383 CVE-2015-8383 CVE-2015-8384 CVE-2015-8384 CVE-2015-8385 CVE-2015-8385 CVE-2015-8386 CVE-2015-8386 CVE-2015-8387 CVE-2015-8387 CVE-2015-8388 CVE-2015-8388 CVE-2015-8389 CVE-2015-8389 CVE-2015-8390 CVE-2015-8390 CVE-2015-8391 CVE-2015-8391 CVE-2015-8392 CVE-2015-8392 CVE-2015-8393 CVE-2015-8393 CVE-2015-8394 CVE-2015-8394 CVE-2015-8395 CVE-2015-8395 CVE-2015-8853 CVE-2015-8985 CVE-2016-0634 CVE-2016-0718 CVE-2016-10228 CVE-2016-10254 CVE-2016-10255 CVE-2016-10739 CVE-2016-1238 CVE-2016-1283 CVE-2016-1283 CVE-2016-1544 CVE-2016-1839 CVE-2016-2037 CVE-2016-2381 CVE-2016-3189 CVE-2016-3191 CVE-2016-3191 CVE-2016-3709 CVE-2016-3709 CVE-2016-4574 CVE-2016-4579 CVE-2016-4658 CVE-2016-5131 CVE-2016-5300 CVE-2016-6185 CVE-2016-6313 CVE-2016-6318 CVE-2016-7543 CVE-2016-9063 CVE-2016-9318 CVE-2016-9318 CVE-2016-9401 CVE-2016-9597 CVE-2017-0663 CVE-2017-10684 CVE-2017-10684 CVE-2017-10685 CVE-2017-10685 CVE-2017-11112 CVE-2017-11113 CVE-2017-12837 CVE-2017-12883 CVE-2017-13728 CVE-2017-13728 CVE-2017-13729 CVE-2017-13729 CVE-2017-13730 CVE-2017-13730 CVE-2017-13731 CVE-2017-13731 CVE-2017-13732 CVE-2017-13732 CVE-2017-13733 CVE-2017-13733 CVE-2017-13734 CVE-2017-15412 CVE-2017-16932 CVE-2017-18258 CVE-2017-5130 CVE-2017-5969 CVE-2017-6004 CVE-2017-6512 CVE-2017-6891 CVE-2017-7186 CVE-2017-7244 CVE-2017-7245 CVE-2017-7246 CVE-2017-7375 CVE-2017-7376 CVE-2017-7435 CVE-2017-7436 CVE-2017-7436 CVE-2017-7500 CVE-2017-7500 CVE-2017-7501 CVE-2017-7501 CVE-2017-7526 CVE-2017-7607 CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2017-8872 CVE-2017-9047 CVE-2017-9047 CVE-2017-9048 CVE-2017-9048 CVE-2017-9049 CVE-2017-9049 CVE-2017-9050 CVE-2017-9050 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 CVE-2017-9233 CVE-2017-9269 CVE-2017-9269 CVE-2017-9271 CVE-2017-9526 CVE-2018-0495 CVE-2018-0495 CVE-2018-0495 CVE-2018-0734 CVE-2018-1000168 CVE-2018-1000654 CVE-2018-10360 CVE-2018-10754 CVE-2018-1122 CVE-2018-1122 CVE-2018-1122 CVE-2018-1123 CVE-2018-1123 CVE-2018-1123 CVE-2018-1124 CVE-2018-1124 CVE-2018-1124 CVE-2018-1125 CVE-2018-1125 CVE-2018-1125 CVE-2018-1126 CVE-2018-1126 CVE-2018-1126 CVE-2018-12015 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-16062 CVE-2018-16403 CVE-2018-18310 CVE-2018-18311 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20532 CVE-2018-20532 CVE-2018-20533 CVE-2018-20533 CVE-2018-20534 CVE-2018-20534 CVE-2018-20843 CVE-2018-25032 CVE-2018-5407 CVE-2018-6003 CVE-2018-6797 CVE-2018-6797 CVE-2018-6797 CVE-2018-6798 CVE-2018-6798 CVE-2018-6798 CVE-2018-6913 CVE-2018-6913 CVE-2018-6913 CVE-2018-7685 CVE-2018-7738 CVE-2018-9234 CVE-2018-9251 CVE-2019-12900 CVE-2019-12900 CVE-2019-13050 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1559 CVE-2019-1563 CVE-2019-15847 CVE-2019-15903 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18900 CVE-2019-19956 CVE-2019-20386 CVE-2019-20387 CVE-2019-20388 CVE-2019-20838 CVE-2019-25013 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9511 CVE-2019-9513 CVE-2019-9924 CVE-2020-10029 CVE-2020-10543 CVE-2020-10878 CVE-2020-11080 CVE-2020-12723 CVE-2020-13844 CVE-2020-14155 CVE-2020-16135 CVE-2020-1712 CVE-2020-1730 CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 CVE-2020-1971 CVE-2020-24977 CVE-2020-25219 CVE-2020-26154 CVE-2020-27618 CVE-2020-29361 CVE-2020-29362 CVE-2020-29562 CVE-2020-29573 CVE-2020-7595 CVE-2020-8013 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-20266 CVE-2021-20271 CVE-2021-20316 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23840 CVE-2021-23841 CVE-2021-3200 CVE-2021-3326 CVE-2021-33560 CVE-2021-33574 CVE-2021-33910 CVE-2021-33910 CVE-2021-3421 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3537 CVE-2021-3541 CVE-2021-35942 CVE-2021-3634 CVE-2021-3712 CVE-2021-3712 CVE-2021-37600 CVE-2021-37750 CVE-2021-38185 CVE-2021-38185 CVE-2021-38185 CVE-2021-39537 CVE-2021-3999 CVE-2021-43566 CVE-2021-43618 CVE-2021-44141 CVE-2021-44142 CVE-2021-45960 CVE-2021-46143 CVE-2021-46848 CVE-2022-0336 CVE-2022-0778 CVE-2022-1271 CVE-2022-1292 CVE-2022-1304 CVE-2022-1586 CVE-2022-2068 CVE-2022-22576 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236 CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-27774 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-29155 CVE-2022-29458 CVE-2022-29824 CVE-2022-31252 CVE-2022-32206 CVE-2022-32208 CVE-2022-32221 CVE-2022-34903 CVE-2022-3515 CVE-2022-35252 CVE-2022-37434 CVE-2022-3821 CVE-2022-40303 CVE-2022-40304 CVE-2022-40674 CVE-2022-4304 CVE-2022-4304 CVE-2022-43552 CVE-2022-43680 CVE-2022-4415 CVE-2022-4415 CVE-2022-47629 CVE-2023-0215 CVE-2023-0286 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-1667 CVE-2023-2283 CVE-2023-23916 CVE-2023-2603 CVE-2023-2650 CVE-2023-26604 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28319 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-28484 CVE-2023-28484 CVE-2023-29383 CVE-2023-29469 CVE-2023-29469 CVE-2023-29491 CVE-2023-2953 CVE-2023-31484 CVE-2023-32001 CVE-2023-3446 CVE-2023-35945 CVE-2023-38039 CVE-2023-3817 CVE-2023-38545 CVE-2023-38546 CVE-2023-39615 CVE-2023-4016 CVE-2023-4039 CVE-2023-4039 CVE-2023-44487 CVE-2023-45322 CVE-2023-45853 CVE-2023-45918 CVE-2023-46218 CVE-2023-46219 CVE-2023-4641 CVE-2023-4813 CVE-2023-48795 CVE-2023-50495 CVE-2023-52425 CVE-2023-5678 CVE-2023-6004 CVE-2023-6918 CVE-2023-7207 CVE-2023-7207 CVE-2024-0727 CVE-2024-2004 CVE-2024-22365 CVE-2024-2398 CVE-2024-25062 CVE-2024-26458 CVE-2024-26461 CVE-2024-28085 CVE-2024-28182 CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602 CVE-2024-34459 CVE-2024-37370 CVE-2024-37371 CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 CVE-2024-5535 CVE-2024-7264 CVE-2024-8096 SLE-10396 SLE-7257 ----------------------------------------------------------------- The container suse/ltss/sle12.5/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2014:85-1 Released: Tue Nov 4 16:29:29 2014 Summary: Recommended update for dirmngr Type: recommended Severity: moderate References: 901845 This update for dirmngr fixes a segmentation fault at start up. (bnc#901845) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2014:66-1 Released: Thu Nov 6 06:23:15 2014 Summary: Recommended update for gcc48 Type: recommended Severity: moderate References: 899871 This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:97-1 Released: Fri Nov 28 10:20:32 2014 Summary: Security update for file Type: security Severity: moderate References: 888308,902367,CVE-2014-3710 file was updated to fix one security issue. This security issue was fixed: - Out-of-bounds read in elf note headers (CVE-2014-3710). This non-security issues was fixed: - Correctly identify GDBM files created by libgdbm4 (bnc#888308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:113-1 Released: Tue Dec 2 18:17:57 2014 Summary: Security update for cpio Type: security Severity: moderate References: 658010,907456,CVE-2014-9112 This cpio security update fixes the following buffer overflow issue and two non security issues: - fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112) - prevent cpio from extracting over a symlink (bnc#658010) - fix a truncation check in mt ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:16-1 Released: Thu Dec 11 09:25:27 2014 Summary: Security update for libksba Type: security Severity: moderate References: 907074,CVE-2014-9087 This libksba update fixes the following security issue: - bnc#907074: buffer overflow in OID processing (CVE-2014-9087) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2014:126-1 Released: Fri Dec 19 20:16:00 2014 Summary: Security update for file Type: security Severity: moderate References: 910252,910253,CVE-2014-8116,CVE-2014-8117 This file update fixes the following security issues: - bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116) - bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:50-1 Released: Thu Jan 15 16:33:18 2015 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 888534 The system root SSL certificates were updated to match Mozilla NSS 2.2. Some removed/disabled 1024 bit certificates were temporarily reenabled/readded, as openssl and gnutls have a different handling of intermediates than mozilla nss and would otherwise not recognize SSL certificates from commonly used sites like Amazon. Updated to 2.2 (bnc#888534) - The following CAs were added: + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal - The following CAs were changed: + Equifax_Secure_eBusiness_CA_1 remote code signing and https trust, leave email trust + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 only trust emailProtection - Updated to 2.1 (bnc#888534) - The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA - The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 - The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado Temporary reenable some root ca trusts, as openssl/gnutls have trouble using intermediates as root CA. - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - ValiCert Class 1 VA - ValiCert Class 2 VA - RSA Root Certificate 1 - Entrust.net Secure Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:40-1 Released: Thu Jan 15 18:35:11 2015 Summary: Security update for rpm Type: security Severity: important References: 892431,906803,908128,911228,CVE-2013-6435,CVE-2014-8118 This rpm update fixes the following security and non-security issues: - bnc#908128: Check for bad invalid name sizes (CVE-2014-8118) - bnc#906803: Create files with mode 0 (CVE-2013-6435) - bnc#892431: Honor --noglob in install mode - bnc#911228: Fix noglob patch, it broke files with space. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:76-1 Released: Fri Jan 30 15:01:03 2015 Summary: Security update for elfutils Type: security Severity: moderate References: 911662,CVE-2014-9447 elfutils was updated to fix one security issue. This security issue was fixed: - Directory traversal vulnerability in the read_long_names function (CVE-2014-9447). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:121-1 Released: Tue Feb 3 16:30:16 2015 Summary: Recommended update for pam Type: recommended Severity: low References: 912922 This update for pam fixes updating of NIS passwords. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:275-1 Released: Wed Mar 18 18:21:44 2015 Summary: Recommended update for procps Type: recommended Severity: low References: 901202,908516 This update for procps provides the following fixes: - Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202) - Fix handling of arguments to -s option in free(1). (bsc#908516) - Correct package name in descriptions: procps, not props. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:296-1 Released: Thu Jun 11 15:46:59 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919,CVE-2014-3591 This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591) FIPS 140-2 related changes: * The library performs its self-tests when the module is complete (the -hmac file is also installed). * Added a NIST 800-90a compliant DRBG. * Change DSA key generation to be FIPS 186-4 compliant. * Change RSA key generation to be FIPS 186-4 compliant. * Enable HW support in fips mode (bnc#896435) * Make DSA selftest use 2048 bit keys (bnc#898003) * Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202) * Various CAVS testing improvements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:361-1 Released: Wed Jul 15 08:26:27 2015 Summary: Recommended update for gcc48, libffi48, libgcj48 Type: recommended Severity: moderate References: 889990,917169,919274,922534,924525,924687,927993,930176,934689 The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements. It includes various bug fixes found by our customers: * Fixes bogus integer overflow in constant expression. [bnc#934689] * Fixes ICE with atomics on aarch64. [bnc#930176] * Includes fix for -imacros bug. [bnc#917169] * Includes fix for incorrect -Warray-bounds warnings. [bnc#919274] * Includes updated -mhotpatch for s390x. [bnc#924525] * Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687] * Includes patches to allow building against ISL 0.14. * Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990] * Fix a reload issue on S390 (GCC PR66306). * Avoid accessing invalid memory when passing aggregates by value. [bnc#922534] ----------------------------------------------------------------- Advisory ID: SUSE-OU-2015:422-1 Released: Tue Jul 28 06:25:51 2015 Summary: The Toolchain module containing GCC 5.2 Type: optional Severity: low References: 926412,936050,937823 This update contains the release of the new SUSE Linux Enterprise Toolchain module. Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes. This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes. Following features have been added to binutils: * IBM zSeries z13 hardware support (fate#318036, bnc#936050). * various IBM Power8 improvements (fate#318238, bnc#926412). * AVX512 support on the Intel EM64T platform (fate#318520). The GNU Debugger gdb was updated to version 7.9.1 bringing various features and lots of bugfixes. Also IBM zSeries z13 hardware support has been added to gdb. (fate#318039) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:500-1 Released: Mon Aug 17 11:36:33 2015 Summary: Security update for libgcrypt Type: security Severity: moderate References: 920057,938343,CVE-2015-0837 This update fixes the following issues: Security: * Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057) Bugfixes: * don't drop privileges when locking secure memory (bsc#938343) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:530-1 Released: Wed Aug 26 03:07:07 2015 Summary: Recommended update for sed Type: recommended Severity: low References: 933029 This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin). The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:568-1 Released: Wed Sep 16 13:30:12 2015 Summary: Recommended update for grep Type: recommended Severity: low References: 920386 This update for grep fixes undefined behaviour with -P and non-utf-8 data. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:922-1 Released: Tue Dec 22 08:44:25 2015 Summary: Security update for gpg2 Type: security Severity: moderate References: 918089,918090,952347,955753,CVE-2015-1606,CVE-2015-1607 The gpg2 package was updated to fix the following security and non security issues: - CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089). - CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090). - bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2015:869-1 Released: Wed Dec 23 10:01:16 2015 Summary: Recommended update for libksba Type: security Severity: moderate References: 926826 The libksba package was updated to fix the following security issues: - Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2015:862-1 Released: Wed Dec 23 17:40:51 2015 Summary: Recommended update for acl Type: recommended Severity: moderate References: 945899 This update for acl provides the following fixes: - Fix segmentation fault of getfacl -e on overly long group name. - Make sure that acl_from_text() always sets errno when it fails. - Fix memory and resource leaks in getfacl. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:46-1 Released: Fri Jan 8 12:37:34 2016 Summary: Recommended update for gcr, gnome-keyring, libgcrypt, libsecret Type: recommended Severity: moderate References: 932232 This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode. The various GNOME libraries and tool have been changed to use the default libgcrypt allocators. GNOME keyring was changed not to use MD5 anymore. libgcrypt was adjusted to free the DRBG on exit to avoid crashes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:371-1 Released: Thu Mar 3 15:58:18 2016 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 960820 This update for insserv-compat fixes the name of the ntpd service. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:462-1 Released: Wed Mar 16 18:17:59 2016 Summary: Recommended update for libcap Type: recommended Severity: low References: 967838 This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:543-1 Released: Fri Apr 1 18:44:16 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 970882 This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:565-1 Released: Wed Apr 6 16:26:42 2016 Summary: Security update for gcc5 Type: security Severity: moderate References: 939460,945842,952151,953831,954002,955382,962765,964468,966220,968771,CVE-2015-5276 The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements. The following security issue has been fixed: - Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842) The following non-security issues have been fixed: - Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220) - Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468) - Fix HTM built-ins on PowerPC. (bsc#955382) - Fix libgo certificate lookup. (bsc#953831) - Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460) - Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002) - Revert accidental libffi ABI breakage on aarch64. (bsc#968771) - On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586. - Add experimental File System TS library. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:587-1 Released: Fri Apr 8 17:06:56 2016 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 973042 The root SSL certificate store ca-certificates-mozilla was updated to version 2.7 of the Mozilla NSS equivalent. (bsc#973042) - Newly added CAs: * CA WoSign ECC Root * Certification Authority of WoSign * Certification Authority of WoSign G2 * Certinomis - Root CA * Certum Trusted Network CA 2 * CFCA EV ROOT * COMODO RSA Certification Authority * DigiCert Assured ID Root G2 * DigiCert Assured ID Root G3 * DigiCert Global Root G2 * DigiCert Global Root G3 * DigiCert Trusted Root G4 * Entrust Root Certification Authority - EC1 * Entrust Root Certification Authority - G2 * GlobalSign * IdenTrust Commercial Root CA 1 * IdenTrust Public Sector Root CA 1 * OISTE WISeKey Global Root GB CA * QuoVadis Root CA 1 G3 * QuoVadis Root CA 2 G3 * QuoVadis Root CA 3 G3 * Staat der Nederlanden EV Root CA * Staat der Nederlanden Root CA - G3 * S-TRUST Universal Root CA * SZAFIR ROOT CA2 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * USERTrust ECC Certification Authority * USERTrust RSA Certification Authority * 沃通根证书 - Removed CAs: * AOL CA * A Trust nQual 03 * Buypass Class 3 CA 1 * CA Disig * Digital Signature Trust Co Global CA 1 * Digital Signature Trust Co Global CA 3 * E Guven Kok Elektronik Sertifika Hizmet Saglayicisi * NetLock Expressz (Class C) Tanusitvanykiado * NetLock Kozjegyzoi (Class A) Tanusitvanykiado * NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado * NetLock Uzleti (Class B) Tanusitvanykiado * SG TRUST SERVICES RACINE * Staat der Nederlanden Root CA * TC TrustCenter Class 2 CA II * TC TrustCenter Universal CA I * TDC Internet Root CA * UTN DATACorp SGC Root CA * Verisign Class 1 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * Verisign Class 3 Public Primary Certification Authority - G2 - Removed server trust from: * AC Raíz Certicámara S.A. * ComSign Secured CA * NetLock Uzleti (Class B) Tanusitvanykiado * NetLock Business (Class B) Root * NetLock Expressz (Class C) Tanusitvanykiado * TC TrustCenter Class 3 CA II * TURKTRUST Certificate Services Provider Root 1 * TURKTRUST Certificate Services Provider Root 2 * Equifax Secure Global eBusiness CA-1 * Verisign Class 4 Public Primary Certification Authority G3 - Enable server trust for: * Actalis Authentication Root CA ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:636-1 Released: Mon Apr 18 09:18:19 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 965902,CVE-2015-7511 libgcrypt was updated to fix one security issue. This security issue was fixed: - CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:643-1 Released: Tue Apr 19 09:23:39 2016 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 970260 This update for bzip2 fixes the following issues: - Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:835-1 Released: Wed May 25 18:27:30 2016 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 979629 This update for libgcrypt fixes the following issue: - Fix failing reboot after installing fips pattern (bsc#979629) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:898-1 Released: Tue Jun 7 09:48:12 2016 Summary: Security update for expat Type: security Severity: important References: 979441,980391,CVE-2015-1283,CVE-2016-0718 This update for expat fixes the following issues: Security issue fixed: - CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441) - CVE-2015-1283: Fix multiple integer overflows. (bnc#980391) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:900-1 Released: Tue Jun 7 10:58:37 2016 Summary: Security update for libksba Type: security Severity: moderate References: 979261,979906,CVE-2016-4574,CVE-2016-4579 This update for libksba fixes the following issues: - CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl() - CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261) Also adding reliability fixes from v1.3.4. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:987-1 Released: Wed Jun 22 14:32:18 2016 Summary: Recommended update for procps Type: recommended Severity: low References: 981616 This update for procps fixes the following issues: - Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1028-1 Released: Thu Jul 7 11:50:47 2016 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 986935 This update for findutils fixes the following issues: - find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1205-1 Released: Thu Aug 11 15:02:18 2016 Summary: Recommended update for rpm Type: recommended Severity: low References: 829717,894610,940315,953532,965322,967728 This update for rpm provides the following fixes: - Add is_opensuse and leap_version macros to suse_macros. (bsc#940315) - Add option to make postinstall scriptlet errors fatal. (bsc#967728) - Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322) - Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1247-1 Released: Fri Aug 19 12:58:39 2016 Summary: Security update for cracklib Type: security Severity: moderate References: 992966,CVE-2016-6318 This update for cracklib fixes the following issues: - Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1326-1 Released: Thu Sep 8 11:37:44 2016 Summary: Security update for perl Type: security Severity: moderate References: 928292,932894,967082,984906,987887,988311,CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185 This update for Perl fixes the following issues: - CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311) - CVE-2016-1238: Searching current directory for optional modules. (bsc#987887) - CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc) - CVE-2016-2381: Environment dup handling bug. (bsc#967082) - 'Insecure dependency in require' error in taint mode. (bsc#984906) - Memory leak in 'use utf8' handling. (bsc#928292) - Missing lock prototype to the debugger. (bsc#932894) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2016:1358-1 Released: Thu Sep 15 20:54:21 2016 Summary: Optional update for gcc6 Type: optional Severity: low References: 983206 This update ships the GNU Compiler Collection (GCC) in version 6.2. This update is shipped in two parts: - SUSE Linux Enterprise Server 12 and Desktop: The runtime libraries libgcc_s1, libstdc++6, libatomic1, libgomp1, libitm1 and some others can now be used by GCC 6 built binaries. - SUSE Linux Enterprise 12 Toolchain Module: The Toolchain module received the GCC 6 compiler suite with this update. Changes: - The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98. Generic Optimization improvements: - UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays. - Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly. - Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization. - Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined. - Various Link-time optimization improvements. - Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters. - Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification. C language specific improvements: - Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers. - Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings, - Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code. - The C and C++ compilers now offer suggestions for misspelled field names. - New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall. - The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file. C improvements: - It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects. - A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions. C++ improvements: - The default mode has been changed to -std=gnu++14. - C++ Concepts are now supported when compiling with -fconcepts. - -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location. - G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions. - G++ now allows constant evaluation for all non-type template arguments. - G++ now supports C++ Transactional Memory when compiling with -fgnu-tm. libstdc++ improvements: - Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland. - Experimental support for C++17. - An experimental implementation of the File System TS. - Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You. - Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit. Fortran improvements: - Fortran 2008 SUBMODULE support. - Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support. - Improved support for Fortran 2003 deferred-length character variables. - Improved support for OpenMP and OpenACC. - The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0. - The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind. - The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default. Architecture improvements: - AArch64 received a lot of improvements. IA-32/x86-64 improvements: - GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ. - Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx. - x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment. - Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly. - Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options. PowerPC / PowerPC64 / RS6000 improvements: - PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point. - Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities. - New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions. - Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later. - All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers. - Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed. - GCC on PowerPC now supports the standard lround function. - The 'q', 'S', 'T', and 't' asm-constraints have been removed. - The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed. S/390, System z, IBM z Systems improvements: - Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions. - Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning. - The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.) - Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included. - The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect. - The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions. - -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used. - Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900. An even more detailed list of features can be found at: https://gcc.gnu.org/gcc-6/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1370-1 Released: Wed Sep 21 12:58:14 2016 Summary: Security update for libgcrypt Type: security Severity: moderate References: 994157,CVE-2016-6313 This update for libgcrypt fixes the following issues: - RNG prediction vulnerability (bsc#994157, CVE-2016-6313) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1744-1 Released: Fri Dec 2 11:42:41 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2016:1827-1 Released: Thu Dec 15 12:41:10 2016 Summary: Security update for pcre Type: security Severity: moderate References: 906574,924960,933288,933878,936227,942865,957566,957567,957598,957600,960837,971741,972127,CVE-2014-8964,CVE-2015-2325,CVE-2015-2327,CVE-2015-2328,CVE-2015-3210,CVE-2015-3217,CVE-2015-5073,CVE-2015-8380,CVE-2015-8381,CVE-2015-8382,CVE-2015-8383,CVE-2015-8384,CVE-2015-8385,CVE-2015-8386,CVE-2015-8387,CVE-2015-8388,CVE-2015-8389,CVE-2015-8390,CVE-2015-8391,CVE-2015-8392,CVE-2015-8393,CVE-2015-8394,CVE-2015-8395,CVE-2016-1283,CVE-2016-3191 This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed: - CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574). - CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960). - CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288) - CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878). - CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227). - bsc#942865: heap overflow in compile_regex() - CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566). - CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567). - bsc#957598: Various security issues - CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598). - CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598). - CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598). - CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598). - CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598). - CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598). - CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598). - CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598). - CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598). - CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598). - CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598). - CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598). - CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598). - CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598). - CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598). - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600). - CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837). - CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741). These non-security issues were fixed: - JIT compiler improvements - performance improvements - The Unicode data tables have been updated to Unicode 7.0.0. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1841-1 Released: Fri Dec 16 14:57:16 2016 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1014151 This update for suse-build-key extends the lifetime of the build@suse.de GPG key that is signing the SUSE Linux Enterprise 12 repositories. (bsc#1014151) UID: pub 2048R/39DB7C82 2013-01-31 [expires: 2020-12-06] uid SuSE Package Signing Key ----------------------------------------------------------------- Advisory ID: SUSE-RU-2016:1863-1 Released: Wed Dec 21 10:41:35 2016 Summary: Recommended updated for pth Type: recommended Severity: low References: 1013286 This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:32-1 Released: Mon Jan 9 11:50:42 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 994794 This update for dirmngr enables support for daemon mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:185-1 Released: Thu Feb 2 18:22:37 2017 Summary: Security update for cpio Type: security Severity: moderate References: 1020108,963448,CVE-2016-2037 This update for cpio fixes two issues. This security issue was fixed: - CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448). This non-security issue was fixed: - bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:192-1 Released: Fri Feb 3 18:46:05 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1005544,1010675,1013930,1014873,1017497,CVE-2016-4658,CVE-2016-9318,CVE-2016-9597 This update for libxml2 fixes the following issues: * CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544] * Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873] * CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497). For CVE-2016-9318 we decided not to ship a fix since it can break existing setups. Please take appropriate actions if you parse untrusted XML files and use the new -noxxe flag if possible (bnc#1010675, bnc#1013930). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:212-1 Released: Wed Feb 8 13:07:24 2017 Summary: Security update for expat Type: security Severity: moderate References: 983215,983216,CVE-2012-6702,CVE-2016-5300 This update for expat fixes the following security issues: - CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215) - CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:261-1 Released: Mon Feb 20 11:00:28 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1019276 This update for dirmngr fixes the following issues: - Properly initialize the dirmngr tmpfilesd files right away and not just during reboot - Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276) - Proprely require logrotate as we need it for the dirmngr configs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:439-1 Released: Tue Mar 21 10:48:47 2017 Summary: Recommended update for netcfg Type: recommended Severity: low References: 1028305,959693 This update for netcfg provides the following fixes: - Update script to generate services to use UTF8 by default. (bsc#1028305) - Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:580-1 Released: Wed Apr 12 23:58:47 2017 Summary: Recommended update for cpio Type: recommended Severity: important References: 1028410 This update for cpio fixes the following issues: - A regression caused cpio to crash for tar and ustar archive types [bsc#1028410] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:732-1 Released: Wed May 10 14:03:43 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1030621 This update for procps fixes the following issues: - Command w(1) with option -n doesn't work. (bsc#1030621) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:735-1 Released: Wed May 10 15:43:46 2017 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1036736,986783 This update for gpg2 provides the following fixes: - Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736) - Initialize the trustdb before import attempt. (bsc#986783) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:794-1 Released: Tue May 16 15:41:09 2017 Summary: Security update for bash Type: security Severity: moderate References: 1010845,1035371,CVE-2016-9401 This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops. Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:865-1 Released: Wed May 24 16:23:20 2017 Summary: Security update for pam Type: security Severity: moderate References: 1015565,1037824,934920,CVE-2015-3238 This update for pam fixes the following issues: - CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920). - log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565). - If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565) - Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:891-1 Released: Tue May 30 22:28:21 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,981114,CVE-2016-1839,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 This update for libxml2 fixes the following issues: - CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064) - CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066) - CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661) - CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:918-1 Released: Tue Jun 6 12:35:44 2017 Summary: Recommended update for libsemanage, selinux-policy Type: recommended Severity: moderate References: 1020143,1032445,1035818,1038189 This update for libsemanage, selinux-policy fixes the following issues: - Limit to policy version 29 by default. - Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:939-1 Released: Mon Jun 12 10:56:22 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1039063,1039064,1039066,1039069,1039661,CVE-2017-9047,CVE-2017-9048,CVE-2017-9049,CVE-2017-9050 This update for libxml2 fixes the following security issues: * CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661) * CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066) * CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063) * CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:959-1 Released: Wed Jun 14 14:38:11 2017 Summary: Recommended update for gcc5 Type: recommended Severity: low References: 1043580 This update for gcc5 fixes the version of libffi in its pkg-config configuration file. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:985-1 Released: Mon Jun 19 14:57:41 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1042326,931932,CVE-2017-9526 This update for libgcrypt fixes the following issues: - CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326) - Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1036-1 Released: Mon Jun 26 08:12:24 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1024989,1044337,CVE-2017-0663,CVE-2017-5969 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337) * CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1040-1 Released: Mon Jun 26 13:22:26 2017 Summary: Recommended update for libsemanage, policycoreutils Type: recommended Severity: low References: 1043237 This update for libsemanage, policycoreutils fixes the following issue: - Show version numbers of modules where they are available (bsc#1043237) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1082-1 Released: Fri Jun 30 10:54:06 2017 Summary: Recommended update for dirmngr Type: recommended Severity: low References: 1045943 This update for dirmngr provides the following fix: - Change logrotate from Requires to Recommends (bsc#1045943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1086-1 Released: Fri Jun 30 15:36:17 2017 Summary: Security update for libxml2 Type: security Severity: moderate References: 1044887,1044894,CVE-2017-7375,CVE-2017-7376 This update for libxml2 fixes the following issues: Security issues fixed: * CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887) * CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1116-1 Released: Thu Jul 6 11:37:18 2017 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1046607,CVE-2017-7526 This update for libgcrypt fixes the following issues: - CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1119-1 Released: Fri Jul 7 11:23:20 2017 Summary: Recommended update for ncurses Type: security Severity: important References: 1000662,1046853,1046858,CVE-2017-10684,CVE-2017-10685 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858) - CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853) Bugfixes: - Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1222-1 Released: Wed Jul 26 17:15:18 2017 Summary: Recommended update for procps Type: recommended Severity: low References: 1034563,1039941 This update for procps provides the following fixes: - Make pmap handle LazyFree in /proc/smaps (bsc#1034563) - Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941) - Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1279-1 Released: Mon Aug 7 14:46:40 2017 Summary: Security update for ncurses Type: security Severity: moderate References: 1046853,1046858,1047964,1047965,1049344,CVE-2017-10684,CVE-2017-10685,CVE-2017-11112,CVE-2017-11113 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964) - CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965) - CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1326-1 Released: Fri Aug 11 16:59:04 2017 Summary: Security update for libxml2 Type: security Severity: low References: 1038444,CVE-2017-8872 This update for libxml2 fixes the following issues: Security issues fixed: - CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1330-1 Released: Mon Aug 14 18:41:29 2017 Summary: Recommended update for sed Type: recommended Severity: low References: 954661 This update for sed provides the following fixes: - Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2017:1333-1 Released: Tue Aug 15 17:59:30 2017 Summary: Optional update for libverto Type: optional Severity: low References: 1029561 This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1347-1 Released: Fri Aug 18 11:03:57 2017 Summary: Recommended update for procps Type: recommended Severity: important References: 1053409 This update for procps fixes the following issues: - Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1349-1 Released: Fri Aug 18 12:31:07 2017 Summary: Recommended update for lua51 Type: recommended Severity: low References: 1051626 This update for lua51 provides the following fixes: - Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1390-1 Released: Fri Aug 25 15:14:27 2017 Summary: Security update for libzypp Type: security Severity: important References: 1009745,1036659,1038984,1043218,1045735,1046417,1047785,1048315,CVE-2017-7435,CVE-2017-7436,CVE-2017-9269 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984) - Fix gpg-pubkey release (creation time) computation. (bsc#1036659) - Update lsof blacklist. (bsc#1046417) - Re-probe on refresh if the repository type changes. (bsc#1048315) - Propagate proper error code to DownloadProgressReport. (bsc#1047785) - Allow to trigger an appdata refresh unconditionally. (bsc#1009745) - Support custom repo variables defined in /etc/zypp/vars.d. yast2-pkg-bindings: - Do not crash when the repository URL is not defined. (bsc#1043218) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1419-1 Released: Wed Aug 30 15:38:22 2017 Summary: Security update for expat Type: security Severity: moderate References: 1047236,1047240,CVE-2016-9063,CVE-2017-9233 This update for expat fixes the following issues: - CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240) - CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1447-1 Released: Mon Sep 4 15:38:20 2017 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1008325,1038984,1045735,1047785,1054088,1054671,1055920,CVE-2017-7436 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Adapt to work with GnuPG 2.1.23. (bsc#1054088) - Support signing with subkeys. (bsc#1008325) - Enhance sort order for media.1/products. (bsc#1054671) zypper: - Also show a gpg key's subkeys. (bsc#1008325) - Improve signature check callback messages. (bsc#1045735) - Add options to tune the GPG check settings. (bsc#1045735) - Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436) - Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1450-1 Released: Mon Sep 4 16:36:07 2017 Summary: Recommended update for insserv-compat Type: recommended Severity: low References: 1035062,944903 This update for insserv-compat fixes the following issues: - Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062) - Fix directory argument parsing. (bsc#944903) - Add perl(Getopt::Long) to list of requirements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1453-1 Released: Mon Sep 4 21:23:50 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1043333,1046659,1047008 This update for libgcrypt fixes the following issues: - libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333) - Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer - fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659) - dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1796-1 Released: Fri Oct 27 21:25:06 2017 Summary: Recommended update for pcre Type: recommended Severity: moderate References: 1058722 This update for pcre fixes the following issues: - Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1881-1 Released: Wed Nov 22 16:29:58 2017 Summary: Security update for file Type: security Severity: moderate References: 1009966,1063269,910252,910253,913650,913651,917152,996511,CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621,CVE-2014-9653 The GNU file utility was updated to version 5.22. Security issues fixed: - CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650) - CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651) - CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152) - CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253) - CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253) Version update to file version 5.22 * add indirect relative for TIFF/Exif * restructure elf note printing to avoid repeated messages * add note limit, suggested by Alexander Cherepanov * Bail out on partial pread()'s (Alexander Cherepanov) * Fix incorrect bounds check in file_printable (Alexander Cherepanov) * PR/405: ignore SIGPIPE from uncompress programs * change printable -> file_printable and use it in more places for safety * in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name. Version update to file version 5.21 * there was an incorrect free in magic_load_buffers() * there was an out of bounds read for some pascal strings * there was a memory leak in magic lists * don't interpret strings printed from files using the current locale, convert them to ascii format first. * there was an out of bounds read in elf note reads Update to file version 5.20 * recognize encrypted CDF documents * add magic_load_buffers from Brooks Davis * add thumbs.db support Additional non-security bug fixes: * Fixed a memory corruption during rpmbuild (bsc#1063269) * Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511) * file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2017:1903-1 Released: Fri Nov 24 16:19:37 2017 Summary: Security update for perl Type: security Severity: moderate References: 1047178,1057721,1057724,999735,CVE-2017-12837,CVE-2017-12883,CVE-2017-6512 This update for perl fixes the following issues: Security issues fixed: - CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724) - CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721) - CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178) Bug fixes: - backport set_capture_string changes from upstream (bsc#999735) - reformat baselibs.conf as source validator workaround ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1916-1 Released: Fri Nov 24 20:15:01 2017 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1043333,1059723 This update for libgcrypt provides the following fix: - Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1917-1 Released: Mon Nov 27 13:32:07 2017 Summary: Optional update for gcc7 Type: recommended Severity: low References: 1056437,1062591,1062592 The GNU Compiler GCC 7 is being added to the Toolchain Module by this update. New features: - Support for specific IBM Power9 processor instructions. - Support for specific IBM zSeries z14 processor instructions. - New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support. The update also supplies gcc7 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 7, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 7 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-7/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1965-1 Released: Thu Nov 30 12:48:45 2017 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1047233,1053671,1057188,1057634,1058695,1058783,1059065,1061384,1062561,1064999,661410 The Software Update Stack was updated to receive fixes and enhancements. libsolv: - Many fixes and improvements for cleandeps. - Always create dup rules for 'distupgrade' jobs. - Use recommends also for ordering packages. - Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065) - Expose solver_get_recommendations() in bindings. - Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations(). - Support 'without' and 'unless' dependencies. - Use same heuristic as upstream to determine source RPMs. - Fix memory leak in bindings. - Add pool_best_solvables() function. - Fix 64bit integer parsing from RPM headers. - Enable bzip2 and xz/lzma compression support. - Enable complex/rich dependencies on distributions with RPM 4.13+. libzypp: - Fix media handling in presence of a repo path prefix. (bsc#1062561) - Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561) - Remove unused legacy notify-message script. (bsc#1058783) - Support multiple product licenses in repomd. (fate#322276) - Propagate 'rpm --import' errors. (bsc#1057188) - Fix typos in zypp.conf. zypper: - Locale: Fix possible segmentation fault. (bsc#1064999) - Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384) - Unify '(add|modify)(repo|service)' property related arguments. - Fixed 'add' commands supporting to set only a subset of properties. - Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671) - Fix missing package names in installation report. (bsc#1058695) - Differ between unsupported and packages with unknown support status. (bsc#1057634) - Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:1968-1 Released: Thu Nov 30 19:49:33 2017 Summary: Recommended update for coreutils Type: recommended Severity: low References: 1026567,1043059,965780 This update for coreutils provides the following fixes: - Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567) - Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059) - Significantly speed up df(1) for huge mount lists. (bsc#965780) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2017:2021-1 Released: Fri Dec 8 10:11:04 2017 Summary: Recommended update for file Type: recommended Severity: moderate References: 1070878,1070958 This update for file fixes detection of JPEG files. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:4-1 Released: Tue Jan 2 15:58:20 2018 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1057640,1067605,1068708,1071466,969569 The Software Update Stack was updated to receive fixes and enhancements. libzypp: - Don't store duplicated locks. (bsc#969569) - Fix default for solver.allowNameChange. (bsc#1071466) - Don't filter procs with a different mnt namespace. (bsc#1068708) - Support repo variables in an URIs host:port component. (bsc#1057640, bsc#1067605) zypper: - Update manpage regarding custom repository variable fixes. (bsc#1057640, bsc#1067605) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:86-1 Released: Wed Jan 17 09:38:17 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2017-13728: Fix infinite loop in the next_char function in comp_scan.c (bsc#1056136). - CVE-2017-13730: Fix illegal address access in the function _nc_read_entry_source() (bsc#1056131). - CVE-2017-13733: Fix illegal address access in the fmt_entry function (bsc#1056127). - CVE-2017-13729: Fix illegal address access in the _nc_save_str (bsc#1056132). - CVE-2017-13732: Fix illegal address access in the function dump_uses() (bsc#1056128). - CVE-2017-13731: Fix illegal address access in the function postprocess_termcap() (bsc#1056129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:209-1 Released: Tue Jan 30 10:53:43 2018 Summary: Security update for ncurses Type: security Severity: moderate References: 1056126,1056127,1056128,1056129,1056131,1056132,1056136,CVE-2017-13728,CVE-2017-13729,CVE-2017-13730,CVE-2017-13731,CVE-2017-13732,CVE-2017-13733,CVE-2017-13734 This update for ncurses fixes several issues. These security issues were fixed: - CVE-2017-13734: Prevent illegal address access in the _nc_safe_strcat function in strings.c that might have lead to a remote denial of service attack (bsc#1056126). - CVE-2017-13733: Prevent illegal address access in the fmt_entry function in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056127). - CVE-2017-13732: Prevent illegal address access in the function dump_uses() in progs/dump_entry.c that might have lead to a remote denial of service attack (bsc#1056128). - CVE-2017-13731: Prevent illegal address access in the function postprocess_termcap() in parse_entry.c that might have lead to a remote denial of service attack (bsc#1056129). - CVE-2017-13730: Prevent illegal address access in the function _nc_read_entry_source() in progs/tic.c that might have lead to a remote denial of service attack (bsc#1056131). - CVE-2017-13729: Prevent illegal address access in the _nc_save_str function in alloc_entry.c that might have lead to a remote denial of service attack (bsc#1056132). - CVE-2017-13728: Prevent infinite loop in the next_char function in comp_scan.c that might have lead to a remote denial of service attack (bsc#1056136). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:214-1 Released: Tue Jan 30 14:37:42 2018 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1076832,CVE-2018-6003 This update for libtasn1 fixes one issue. This security issue was fixed: - CVE-2018-6003: Prevent a stack exhaustion in _asn1_decode_simple_ber (lib/decoding.c) when decoding BER encoded structure allowed for DoS (bsc#1076832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:265-1 Released: Tue Feb 6 14:58:28 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390 This update for ca-certificates-mozilla fixes the following issues: The system SSL root certificate store was updated to Mozilla certificate version 2.22 from January 2018. (bsc#1071152 bsc#1071390 bsc#1010996) We removed the old 1024 bit legacy CAs that were temporary left in to allow in-chain root certificates as openssl is now able to handle it. Further changes coming from Mozilla: - New Root CAs added: * Amazon Root CA 1: (email protection, server auth) * Amazon Root CA 2: (email protection, server auth) * Amazon Root CA 3: (email protection, server auth) * Amazon Root CA 4: (email protection, server auth) * Certplus Root CA G1: (email protection, server auth) * Certplus Root CA G2: (email protection, server auth) * D-TRUST Root CA 3 2013: (email protection) * GDCA TrustAUTH R5 ROOT: (server auth) * Hellenic Academic and Research Institutions ECC RootCA 2015: (email protection, server auth) * Hellenic Academic and Research Institutions RootCA 2015: (email protection, server auth) * ISRG Root X1: (server auth) * LuxTrust Global Root 2: (server auth) * OpenTrust Root CA G1: (email protection, server auth) * OpenTrust Root CA G2: (email protection, server auth) * OpenTrust Root CA G3: (email protection, server auth) * SSL.com EV Root Certification Authority ECC: (server auth) * SSL.com EV Root Certification Authority RSA R2: (server auth) * SSL.com Root Certification Authority ECC: (email protection, server auth) * SSL.com Root Certification Authority RSA: (email protection, server auth) * Symantec Class 1 Public Primary Certification Authority - G4: (email protection) * Symantec Class 1 Public Primary Certification Authority - G6: (email protection) * Symantec Class 2 Public Primary Certification Authority - G4: (email protection) * Symantec Class 2 Public Primary Certification Authority - G6: (email protection) * TrustCor ECA-1: (email protection, server auth) * TrustCor RootCert CA-1: (email protection, server auth) * TrustCor RootCert CA-2: (email protection, server auth) * TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1: (server auth) - Removed root CAs: * AddTrust Public Services Root * AddTrust Public CA Root * AddTrust Qualified CA Root * ApplicationCA - Japanese Government * Buypass Class 2 CA 1 * CA Disig Root R1 * CA WoSign ECC Root * Certification Authority of WoSign G2 * Certinomis - Autorité Racine * Certum Root CA * China Internet Network Information Center EV Certificates Root * CNNIC ROOT * Comodo Secure Services root * Comodo Trusted Services root * ComSign Secured CA * EBG Elektronik Sertifika Hizmet Sağlayıcısı * Equifax Secure CA * Equifax Secure eBusiness CA 1 * Equifax Secure Global eBusiness CA * GeoTrust Global CA 2 * IGC/A * Juur-SK * Microsec e-Szigno Root CA * PSCProcert * Root CA Generalitat Valenciana * RSA Security 2048 v3 * Security Communication EV RootCA1 * Sonera Class 1 Root CA * StartCom Certification Authority * StartCom Certification Authority G2 * S-TRUST Authentication and Encryption Root CA 2005 PN * Swisscom Root CA 1 * Swisscom Root EV CA 2 * TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı * TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 * UTN USERFirst Hardware Root CA * UTN USERFirst Object Root CA * VeriSign Class 3 Secure Server CA - G2 * Verisign Class 1 Public Primary Certification Authority * Verisign Class 2 Public Primary Certification Authority - G2 * Verisign Class 3 Public Primary Certification Authority * WellsSecure Public Root Certificate Authority * Certification Authority of WoSign * WoSign China - Removed Code Signing rights from a lot of CAs (not listed here). - Removed Server Auth rights from: * AddTrust Low-Value Services Root * Camerfirma Chambers of Commerce Root * Camerfirma Global Chambersign Root * Swisscom Root CA 2 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:276-1 Released: Thu Feb 8 17:47:43 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1077993,1078806,1078813,CVE-2016-5131,CVE-2017-15412,CVE-2017-5130 This update for libxml2 fixes one issue. This security issue was fixed: - CVE-2017-15412: Prevent use after free when calling XPath extension functions that allowed remote attackers to cause DoS or potentially RCE (bsc#1077993) - CVE-2016-5131: Use-after-free vulnerability in libxml2 allowed remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. (bsc#1078813) - CVE-2017-5130: Fixed a potential remote buffer overflow in function xmlMemoryStrdup() (bsc#1078806) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:291-1 Released: Mon Feb 12 11:50:39 2018 Summary: Recommended update for bash Type: recommended Severity: low References: 1057452,1076909 This update for bash provides the following fix: - Allow process group assignment on all kernel versions to fix the usage of debug traps. (bsc#1057452) - Fix a crash when filesystem is full. (bsc#1076909) - Enable multi-byte characters by default. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:472-1 Released: Thu Mar 15 10:47:40 2018 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: low References: 1074687,1075449,1076415,1079334,953130 This update for libsolv, libzypp and zypper provides the following fixes: libsolv: - Fix a bug that could make fileconflict detection very slow in some cases. (bnc#953130) - Add new configuration options: ENABLE_RPMDB_LIBRPM and ENABLE_RPMPKG_LIBRPM. - Add a new function to change the whatprovides data: pool_set_whatprovides. - Significant improvements in the selection code. libzypp: - Make sure deleted keys are also removed from rpmdb. (bsc#1075449) - plugin: Don't reject header values containing ':'. (bsc#1074687) - RpmDb::checkPackage: Fix parsing localized rpm output. (bsc#1076415) zypper: - Do not recommend cron as it is not a direct dependency of zypper. (bsc#1079334) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:560-1 Released: Wed Mar 28 16:39:25 2018 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1082022,1085512 This update for suse-build-key fixes the following issues: - The lifetime of the SUSE Linux Enterprise 11 signing key was extended (bsc#1085512) - A new security@suse.de E-Mail key was added (bsc#1082022) pub rsa4096/0x21FE92322BA9E067 2018-03-15 [SC] [expires: 2020-03-14] Key fingerprint = EC7C 5EAB 2C34 09A6 4F3B BE6E 21FE 9232 2BA9 E067 uid SUSE Security Team uid SUSE Security Team sub rsa4096/0xFF97314EC1E11A0E 2018-03-15 [E] [expires: 2020-03-14] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:586-1 Released: Wed Apr 4 11:51:00 2018 Summary: Recommended update for aaa_base Type: recommended Severity: low References: 1025743,1036895,1038549,1049577,1052182,1079674 This update for aaa_base provides the following fixes: - Support changing PS1 even for mksh and user root. (bsc#1036895) - Unset unused variables on profile files. (bsc#1049577) - Unset id in csh.cshrc instead of profile.csh. (bsc#1049577) - Allow that personal ~/.bashrc is read again. (bsc#1052182) - Avoid that IFS becomes global in _ls ksh shell function. (bsc#1079674, bsc#1025743) - Replace 'cat > file' by 'mv -f ... file' in pre/post to fix issues with clients having these files mmapped. (bsc#1038549) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:730-1 Released: Wed Apr 25 14:14:41 2018 Summary: Security update for perl Type: security Severity: moderate References: 1082216,1082233,1082234,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:736-1 Released: Wed Apr 25 14:23:49 2018 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1075978,1077635,1079991,1082318,1086602 This update for libsolv, libzypp provides the following fixes: Changes in libsolv: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Also make use of suggests for ordering packages. (bsc#1077635) - Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978) - Use license tag instead of doc in the spec file. (bsc#1082318) Changes in libzypp: - Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602) - Fix a memory leak in Digest.cc. (bsc#1075978) - Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:779-1 Released: Wed May 2 22:16:26 2018 Summary: Recommended update for rpm Type: recommended Severity: low References: 1003714,1027925,1069934 This update for rpm provides the following fixes: - Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925) - Add %sle_version macro to suse_macros. (bsc#1003714) - Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively. - Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'. - Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument. - Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:797-1 Released: Mon May 7 07:07:38 2018 Summary: Recommended update for gcc7 Type: recommended Severity: important References: 1061667,1068967,1074621,1083290,1083946,1084812,1087550,1087930 This update for gcc7 to 7.3 release fixes the following issues: - Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812). - The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946] - Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621] - Update includes a fix for chromium build failure. [bsc#1083290] - Various AArch64 compile fixes are included: * Picks fix to no longer enable -mpc-relative-literal-loads by default with --enable-fix-cortex-a53-843419. * Enable --enable-fix-cortex-a53-843419 for aarch64. [bsc#1084812] [bsc#1087930] * Enable --enable-fix-cortex-a53-835769 for aarch64. * Contains fix for PR82445 which is about a RPI1 bootloader miscompile. [bsc#1061667] * Fixed bogus stack probe instruction on ARM. [bsc#1068967] - Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550] - Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:971-1 Released: Wed May 23 16:45:19 2018 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1088524 This update for aaa_base fixes a regression which was introduced within the latest maintenance update cycle, where customized profiles were not sourced properly. (bsc#1088524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:977-1 Released: Wed May 23 17:14:16 2018 Summary: Security update for bash Type: security Severity: moderate References: 1000396,1001299,1086247,CVE-2016-0634,CVE-2016-7543 This update for bash fixes the following issues: Security issues fixed: - CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299) - CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396) Non-security issues fixed: - Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1028-1 Released: Tue Jun 5 13:20:44 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1089884 This update for pam fixes the following issues: - Fix order of accessed configuration files in man page. (bsc#1089884) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1082-1 Released: Thu Jun 7 12:58:56 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1073879,1080078,964063 This update for rpm fixes the following issues: - Backport support for no_recompute_build_ids macro. (bsc#964063) - Fix code execution when evaluating common python-related macros. (bsc#1080078) Additionally, this update adds python3-rpm to the SUSE Linux Enterprise Server. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1141-1 Released: Fri Jun 15 13:41:08 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1242-1 Released: Thu Jun 28 13:44:16 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1328-1 Released: Tue Jul 17 08:07:57 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1413-1 Released: Fri Jul 27 12:41:13 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1450-1 Released: Mon Jul 30 10:10:45 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1610-1 Released: Thu Aug 16 14:04:25 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1636-1 Released: Thu Aug 16 15:30:11 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1643-1 Released: Thu Aug 16 17:41:07 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store. Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1689-1 Released: Mon Aug 20 09:02:24 2018 Summary: Recommended update for pam Type: recommended Severity: low References: 1096282 This update for pam provides the following fix: - Added /etc/security/limits.d to the pam package. (bsc#1096282) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1695-1 Released: Mon Aug 20 09:19:20 2018 Summary: Security update for perl Type: security Severity: important References: 1068565,1082216,1082233,1082234,1096718,CVE-2018-12015,CVE-2018-6797,CVE-2018-6798,CVE-2018-6913 This update for perl fixes the following issues: These security issue were fixed: - CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216). - CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233). - CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234). - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) This non-security issue was fixed: - fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1763-1 Released: Mon Aug 27 09:30:15 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - Removed server auth from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Removed CAs - ComSign CA - Added new CAs - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1969-1 Released: Mon Sep 24 08:06:42 2018 Summary: Security update for libzypp, zypper Type: security Severity: important References: 1036304,1045735,1049825,1070851,1076192,1088705,1091624,1092413,1096803,1099847,1100028,1101349,1102429,CVE-2017-9269,CVE-2018-7685 This update for libzypp, zypper fixes the following issues: Update libzypp to version 16.17.20: Security issues fixed: - PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) - PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685) Other bugs fixed: - lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304) - Handle http error 502 Bad Gateway in curl backend (bsc#1070851) - RepoManager: Explicitly request repo2solv to generate application pseudo packages. - libzypp-devel should not require cmake (bsc#1101349) - HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803) - Avoid zombie tar processes (bsc#1076192) Update to zypper to version 1.13.45: Security issues fixed: - Improve signature check callback messages (bsc#1045735, CVE-2017-9269) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269) Other bugs fixed: - XML attribute `packages-to-change` added (bsc#1102429) - man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028) - Prevent nested calls to exit() if aborted by a signal (bsc#1092413) - ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413) - Fix: zypper bash completion expands non-existing options (bsc#1049825) - Improve signature check callback messages (bsc#1045735) - add/modify repo: Add options to tune the GPG check settings (bsc#1045735) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2018:2036-1 Released: Wed Sep 26 11:56:30 2018 Summary: Initial release of kubic-locale-archive Type: optional Severity: low References: This update provides kubic-locale-archive for the codestream. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2181-1 Released: Tue Oct 9 11:08:20 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1088601,1102046,1105166,CVE-2017-18258,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279). - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166). - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046). - CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2196-1 Released: Thu Oct 11 07:45:16 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Toolchain Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2217-1 Released: Fri Oct 12 15:07:24 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1094121,1107430 This update for bash provides the following fixes: - Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121) - Fix mis-matching of null string with '*' pattern. (bsc#1107430) - Fix a crash when the lastpipe option is enabled. - Fix a typo that was preventing the `compat42' shopt option from working as intended. - Help the shell to process any pending traps at redirection. - Fix a crashe due to incorrect conversion from an indexed to associative array. - Avoid the expansion of escape sequences in HOSTNAME in prompt. - Avoid `xtrace' attack over $PS4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2373-1 Released: Mon Oct 22 14:43:47 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1077692,943457,CVE-2017-7500,CVE-2017-7501 This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This non-security issue was fixed: - Use ksym-provides tool [bsc#1077692] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2475-1 Released: Thu Oct 25 16:56:24 2018 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1099982,1109877,408814,556664,939392 This update for libzypp fixes the following issues: - Add filesize check for downloads with known size (bsc#408814) - Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664) - Fix blocking wait for finished child process (bsc#1109877) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2488-1 Released: Fri Oct 26 12:39:59 2018 Summary: Recommended update for cpio Type: recommended Severity: low References: 1076810,889138 This update for cpio provides the following fix: - Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2525-1 Released: Tue Oct 30 09:22:45 2018 Summary: Recommended update for bash Type: recommended Severity: important References: 1113117 This update for bash fixes the following issues: Recently released update introduced a change of behavior which resulted in broken customers scripts. (bsc#1113117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2551-1 Released: Fri Nov 2 10:42:16 2018 Summary: Recommended update for container-suseconnect, skopeo, umoci Type: recommended Severity: important References: 1083189,953831 This releases container-suseconnect, skopeo and umoci to the SUSE Linux Enterprise 12 codestream as a build dependency only. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2593-1 Released: Wed Nov 7 11:04:00 2018 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1095148,1113100 This update for rpm fixes the following issues: - Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100) - Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2702-1 Released: Mon Nov 19 11:02:01 2018 Summary: Recommended update for base-container-licenses, sles12sp4-image Type: recommended Severity: moderate References: 1083671,1085664,1098535,1102145 This update for base-container-licenses, sles12sp4-image fixes the following issues: Initial delivery of the SUSE Linux Enterprise Server 12 SP4 images. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2766-1 Released: Fri Nov 23 17:07:27 2018 Summary: Security update for rpm Type: security Severity: important References: 943457,CVE-2017-7500,CVE-2017-7501 This update for rpm fixes the following issues: These security issues were fixed: - CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457). - CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457) This is a reissue of the above security fixes for SUSE Linux Enterprise 12 GA, SP1 and SP2 LTSS, they have already been released for SUSE Linux Enterprise Server 12 SP3. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1697-1 Released: Fri Nov 23 17:08:32 2018 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1064455,1090766,1097410,CVE-2018-0495 This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410). The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455). - Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1696-1 Released: Mon Nov 26 17:46:39 2018 Summary: Security update for procps Type: security Severity: moderate References: 1092100,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2811-1 Released: Thu Nov 29 11:24:19 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1040613,1095969,1102310 This update for aaa_base provides the following fixes: - Get mixed use case of service wrapper script straight. (bsc#1040613) - Fix an error at login if java system directory is empty. (bsc#1102310) - Add a test for xdgdir/applications before adding data directory (bsc#1095969) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2824-1 Released: Mon Dec 3 15:34:09 2018 Summary: Security update for ncurses Type: security Severity: important References: 1115929,CVE-2018-19211 This update for ncurses fixes the following issue: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2842-1 Released: Wed Dec 5 10:00:35 2018 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1044232 This update for suse-build-key fixes the following issues: - Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also on systems where documentation is not installed. (bsc#1044232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2846-1 Released: Wed Dec 5 12:50:41 2018 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1100078,1112209,1113534,1113652,1113742,CVE-2018-0734,CVE-2018-5407 This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652). - CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534). - Add missing timing side channel patch for DSA signature generation (bsc#1113742). Non-security issues fixed: - Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209). - Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:3029-1 Released: Fri Dec 21 17:34:05 2018 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1117355 This update for libgcrypt provides the following fix: - Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:43-1 Released: Tue Jan 8 13:07:17 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - quote: Escape literal backslashes (bsc#953659). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:109-1 Released: Wed Jan 16 15:58:55 2019 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1119496 This update for container-suseconnect fixes the following issues: container-suseconnect was updated to 2.0.0 (bsc#1119496): - Added command line interface - Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run - Added documentation about how to build docker images on non SLE distributions - Improve documentation to clarify how container-suseconnect works in a Dockerfile - Improve error handling on non SLE hosts - Fix bug which makes container-suseconnect work on SLE15 based distributions ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:143-1 Released: Tue Jan 22 14:21:55 2019 Summary: Recommended update for ncurses Type: recommended Severity: important References: 1121450 This update for ncurses fixes the following issues: - ncurses applications freezing (bsc#1121450) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:149-1 Released: Wed Jan 23 17:58:18 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:434-1 Released: Tue Feb 19 12:19:02 2019 Summary: Recommended update for libsemanage Type: recommended Severity: moderate References: 1115500 This update for libsemanage provides the following fix: - Prevent an error message when reading module version if the directory does not exist. (bsc#1115500) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:450-1 Released: Wed Feb 20 16:42:38 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following security issues: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). (These issues were previously released for SUSE Linux Enterprise 12 SP3 and SP4.) Also the following non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:563-1 Released: Wed Mar 6 17:20:15 2019 Summary: Security update for audit Type: security Severity: moderate References: 1042781,1085003,1125535,941922,CVE-2015-5186 This update for audit fixes the following issues: Audit on SUSE Linux Enterprise 12 SP4 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346) * Many features were added to auparse_normalize * cli option added to auditd and audispd for setting config dir * In auditd, restore the umask after creating a log file * Option added to auditd for skipping email verification The full changelog can be found here: http://people.redhat.com/sgrubb/audit/ChangeLog - Change openldap dependency to client only (bsc#1085003) Minor security issue fixed: - CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:572-1 Released: Fri Mar 8 09:24:21 2019 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1117951,1127080,CVE-2019-1559 This update for openssl-1_0_0 fixes the following issues: Security issues fixed: - The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951) - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:838-1 Released: Tue Apr 2 09:52:06 2019 Summary: Security update for bash Type: security Severity: important References: 1130324,CVE-2019-9924 This update for bash fixes the following issues: Security issue fixed: - CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:839-1 Released: Tue Apr 2 13:13:21 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360). - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1102-1 Released: Tue Apr 30 12:07:42 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1110661,1122729,1127223,1127308,1128574,1131994,CVE-2009-5155,CVE-2016-10739,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: regex: fix read overrun (bsc#1127308, BZ #24114) - CVE-2016-10739: Fully parse IPv4 address strings (bsc#1122729, BZ #20018) - CVE-2009-5155: ERE '0|()0|\1|0' causes regexec undefined behavior (bsc#1127223, BZ #18986) Non-security issues fixed: - Enable TLE only if GLIBC_ELISION_ENABLE=yes is defined (bsc#1131994, fate#322271) - Add more checks for valid ld.so.cache file (bsc#1110661, BZ #18093) - Added cfi information for start routines in order to stop unwinding (bsc#1128574) - ja_JP locale: Add entry for the new Japanese era (bsc#1100396, fate#325570, BZ #22964) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1379-1 Released: Wed May 29 15:07:04 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1040621,1105435,CVE-2017-6891,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issues fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). - CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1431-1 Released: Wed Jun 5 16:50:13 2019 Summary: Recommended update for xz Type: recommended Severity: moderate References: 1135709 This update for xz does only update the license: - Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1516-1 Released: Mon Jun 17 11:04:15 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - e2fsck: Check and fix tails of all bitmap blocks. (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1716-1 Released: Thu Jun 27 13:15:38 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1132678,941234,CVE-2015-5180 This update for glibc fixes the following issues: Security issue fixed: - CVE-2015-5180: Fixed a NULL pointer dereference with internal QTYPE (bsc#941234). Feature work: - IBM zSeries arch13 hardware support in glibc added (fate#327072, bsc#1132678) Other issue addressed: - Fixed a concurrency issue with ldconfig (bsc#1117993). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1733-1 Released: Wed Jul 3 13:54:39 2019 Summary: Security update for elfutils Type: security Severity: low References: 1030472,1030476,1033084,1033085,1033087,1033088,1033089,1033090,1106390,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2016-10254,CVE-2016-10255,CVE-2017-7607,CVE-2017-7608,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067). - CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472). - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007). - CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476). - CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685). - CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390). - CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088). - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090). - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084). - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085). - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087). - CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723). - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089). - CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973). - CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1834-1 Released: Fri Jul 12 17:55:14 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1844-1 Released: Mon Jul 15 07:13:09 2019 Summary: Recommended update for pam Type: recommended Severity: low References: 1116544 This update for pam fixes the following issues: - restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1896-1 Released: Thu Jul 18 16:26:45 2019 Summary: Security update for libxml2 Type: security Severity: moderate References: 1010675,1110146,1126613,CVE-2016-9318 This update for libxml2 fixes the following issues: Issue fixed: - Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1955-1 Released: Tue Jul 23 11:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,985657,CVE-2016-3189,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1972-1 Released: Thu Jul 25 15:00:03 2019 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1109893,1110542,1111319,1112911,1113296,1120629,1120630,1120631,1127155,1131823,1134226,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv, libzypp and zypper fixes the following issues: libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). libzypp received following fixes: - Fixes a bug where locking the kernel was not possible (bsc#1113296) zypper received following fixes: - Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226) - Improved the displaying of locks (bsc#1112911) - Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542) - zypper will now always warn when no repositories are defined (bsc#1109893) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2013-1 Released: Mon Jul 29 15:42:41 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2120-1 Released: Wed Aug 14 11:17:39 2019 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1136298,SLE-7257 This update for pam fixes the following issues: - Enable pam_userdb.so (SLE-7257,bsc#1136298) - Upgraded pam_userdb to 1.3.1. (bsc#1136298) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2240-1 Released: Wed Aug 28 14:57:51 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: - Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169) - Removed Root CAs: - Certinomis - Root CA - Added root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2264-1 Released: Mon Sep 2 09:07:12 2019 Summary: Security update for perl Type: security Severity: important References: 1114674,CVE-2018-18311 This update for perl fixes the following issues: Security issue fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2440-1 Released: Mon Sep 23 17:15:13 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issue fixed: - CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2480-1 Released: Fri Sep 27 13:12:08 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093) Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2504-1 Released: Tue Oct 1 13:07:07 2019 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1131291,1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_0_0 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) In addition fixed invalid curve attacks by validating that an EC point lies on the curve (bsc#1131291). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2510-1 Released: Tue Oct 1 17:37:12 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2677-1 Released: Tue Oct 15 21:07:14 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2818-1 Released: Tue Oct 29 17:22:01 2019 Summary: Recommended update for zypper and libzypp Type: recommended Severity: important References: 1049825,1116995,1140039,1145521,1146415,1153557 This update for zypper and libzypp fixes the following issues: Package: zypper - Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521) - Rephrased the file conflicts check summary (bsc#1140039) - Fixes an issue where the bash completion was wrongly expanded (bsc#1049825) Package: libzypp - Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes a file descriptor leak in the media backend (bsc#1116995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3003-1 Released: Tue Nov 19 10:12:33 2019 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1153386,SLE-10396 This update for procps provides the following fixes: - Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396) - Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3064-1 Released: Mon Nov 25 18:44:36 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3085-1 Released: Thu Nov 28 10:01:53 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3094-1 Released: Thu Nov 28 16:47:52 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1131830,1134550,1154036,1154037,CVE-2018-10754,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830). - CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037). Bug fixes: - Fixed ppc64le build configuration (bsc#1134550). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3307-1 Released: Mon Dec 16 14:51:03 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3342-1 Released: Thu Dec 19 11:04:35 2019 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1151577 This update for elfutils fixes the following issues: - Add require of 'libebl1' for 'libelf1'. (bsc#1151577) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3364-1 Released: Thu Dec 19 19:20:52 2019 Summary: Recommended update for ncurses Type: recommended Severity: moderate References: 1158586,1159162 This update for ncurses fixes the following issues: - Work around a bug of old upstream gen-pkgconfig (bsc#1159162) - Remove doubled library path options (bsc#1159162) - Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162) - Fix last change, that is add missed library linker paths as well as missed include directories for none standard paths (bsc#1158586, bsc#1159162) - Do not mix include directories of different ncurses ABI (bsc#1158586) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:28-1 Released: Tue Jan 7 15:10:53 2020 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1158809,CVE-2019-1551 This update for openssl-1_0_0 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:106-1 Released: Wed Jan 15 12:50:55 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1155338,1155339 This update for libgcrypt fixes the following issues: - Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode - Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:131-1 Released: Mon Jan 20 09:21:41 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:227-1 Released: Fri Jan 24 09:24:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1084934,1115020,1118364,1128246,1149127,1157794,910904 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Reduces the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127) - Update logic for JRE_HOME variable. (bsc#1128246) - Restore old position of ssh/sudo source of profile. (bsc#1118364) - Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020) - Generalize testing for JVM system variables supporting other shells when creating the java path. (boo#1157794) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:353-1 Released: Thu Feb 6 17:34:41 2020 Summary: Security update for systemd Type: security Severity: important References: 1106383,1127557,1133495,1139459,1140631,1150595,1151377,1151506,1154043,1154948,1155574,1156482,1159814,1162108,CVE-2020-1712 This update for systemd provides the following fixes: - CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948) - Fix warnings thrown during package installation (bsc#1154043) - Fix for systemctl hanging by restart. (bsc#1139459) - man: mention that alias names are only effective after 'systemctl enable'. (bsc#1151377) - ask-password: improve log message when inotify limit is reached. (bsc#1155574) - udevd: wait for workers to finish when exiting. (bsc#1106383) - core: fragments of masked units ought not be considered for NeedDaemonReload. (bsc#1156482) - udev: fix 'NULL' deref when executing rules. (bsc#1151506) - Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:360-1 Released: Fri Feb 7 10:44:17 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:561-1 Released: Mon Mar 2 17:24:59 2020 Summary: Recommended update for elfutils Type: recommended Severity: moderate References: 1110929,1157578 This update for elfutils fixes the following issues: - Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578) - Fix for '.ko' file corruption in debug info. (bsc#1110929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:596-1 Released: Thu Mar 5 15:23:51 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1010996,1071152,1071390,1082318,1100415,1154871,1160160 This update for ca-certificates-mozilla fixes the following issues: The following non-security bugs were fixed: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email Added certificates: - Entrust Root Certification Authority - G4 - Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). - Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415). - Use %license instead of %doc (bsc#1082318). - Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:652-1 Released: Thu Mar 12 09:53:23 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1165915,1165919,1166301 This update for ca-certificates-mozilla fixes the following issues: This reverts a previous change to the generated pem structure, as it require a p11-kit tools update installed first, which can not always ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:663-1 Released: Thu Mar 12 17:31:31 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1166334 This update for suse-build-key fixes the following issues: - created a new security_at_suse.de key for email communication (bsc#1166334) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:832-1 Released: Tue Mar 31 16:15:59 2020 Summary: Security update for glibc Type: security Severity: important References: 1149332,1157893,1158996,1165784,1167631,CVE-2020-10029,CVE-2020-1751,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). - CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784). - Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834) - Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. (bsc#1157893, BZ #25226) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:859-1 Released: Fri Apr 3 08:59:06 2020 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1138731,1154247,1157960 This update for container-suseconnect fixes the following issues: - Fix usage with RMT and SMT. (bsc#1157960) - Parse the /etc/products.d/*.prod files. - Fix function comments based on best practices from Effective Go. (bsc#1138731) - Implement interacting with SCC behind proxy and SMT. (bsc#1154247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:964-1 Released: Wed Apr 8 16:23:38 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:968-1 Released: Thu Apr 9 11:42:14 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:394-1 Released: Tue Apr 14 17:25:16 2020 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc9 fixes the following issues: The GNU Compiler Collection is shipped in version 9. A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html The compilers have been added to the SUSE Linux Enterprise Toolchain Module. To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set. For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1168-1 Released: Mon May 4 14:06:46 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1162879 This update for libgcrypt fixes the following issues: - FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1169-1 Released: Mon May 4 14:07:49 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162721 This update for glibc fixes the following issues: - fork: Remove bogus parent PID assertions to avoid hangs (bsc#1162721) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1325-1 Released: Mon May 18 11:50:19 2020 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1156276 This update for coreutils fixes the following issues: -Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1329-1 Released: Mon May 18 17:17:54 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:822-1 Released: Fri May 22 10:59:33 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb to a separate package pam-extra (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1408-1 Released: Mon May 25 16:40:20 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Includes the last fixes from IBM for bsc#1166260 IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793 The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1412-1 Released: Tue May 26 08:20:51 2020 Summary: Recommended update for base-container-licenses, sles12sp5-image Type: recommended Severity: moderate References: 1172042 This update for base-container-licenses, sles12sp5-image fixes the following issues: Changes in base-container-licenses: - Also build for aarch64 (bsc#1172042) - Ignore base-container-licenses in pre_checkin.sh already - Update list based on current package list Changes in sles12sp5-image: - Also build for aarch64 (bsc#1172042) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1490-1 Released: Wed May 27 18:30:36 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issue: - nptl: wait for pending setxid request also in detached thread (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1598-1 Released: Wed Jun 10 10:52:04 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1612-1 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Type: security Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1662-1 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Type: security Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1734-1 Released: Wed Jun 24 09:43:55 2020 Summary: Security update for curl Type: security Severity: important References: 1173027,CVE-2020-8177 This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1828-1 Released: Thu Jul 2 13:07:28 2020 Summary: Security update for systemd Type: security Severity: moderate References: 1084671,1154256,1157315,1161262,1161436,1162698,1164538,1165633,1167622,1171145,CVE-2019-20386 This update for systemd fixes the following issues: - CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436). - Renamed the persistent link for ATA devices (bsc#1164538) - shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) - tmpfiles: removed unnecessary assert (bsc#1171145) - pid1: by default make user units inherit their umask from the user manager (bsc#1162698) - manager: fixed job mode when signalled to shutdown etc (bsc#1161262) - coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622) - udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2059-1 Released: Tue Jul 28 11:32:56 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1163834 This update for grep fixes the following issues: Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2092-1 Released: Thu Jul 30 14:55:46 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1171878,1172085,1173593 This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178) - nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130) - Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2125-1 Released: Wed Aug 5 09:26:38 2020 Summary: Recommended update for cloud-regionsrv-client Type: recommended Severity: moderate References: 1173474,1173475 This update for cloud-regionsrv-client fixes the following issues: - Introduce containerbuild-regionsrv service to allow container building tools to access required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2229-1 Released: Thu Aug 13 10:14:37 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1149911,1151708,1168235,1168389 This update for util-linux fixes the following issues: - blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2287-1 Released: Thu Aug 20 16:07:37 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1174080 This update for grep fixes the following issues: - Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2410-1 Released: Tue Sep 1 13:15:48 2020 Summary: Recommended update for pam Type: recommended Severity: low References: 1173593 This update of pam fixes the following issue: - On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2428-1 Released: Tue Sep 1 22:07:35 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1174673 This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: - AddTrust External CA Root - AddTrust Class 1 CA Root - LuxTrust Global Root 2 - Staat der Nederlanden Root CA - G2 - Symantec Class 1 Public Primary Certification Authority - G4 - Symantec Class 2 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: - certSIGN Root CA G2 - e-Szigno Root CA 2017 - Microsoft ECC Root Certificate Authority 2017 - Microsoft RSA Root Certificate Authority 2017 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2444-1 Released: Wed Sep 2 09:32:43 2020 Summary: Security update for curl Type: security Severity: moderate References: 1175109,CVE-2020-8231 This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2547-1 Released: Fri Sep 4 18:17:13 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1174551,1174736 This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2555-1 Released: Mon Sep 7 14:30:36 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1169488,1173227 This update for systemd fixes the following issues: - Fix inconsistent file modes for some ghost files. (bsc#1173227) - Fix for an issue where nfs-server clone causes cluster node to hang on reboot. (bsc#1169488) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2587-1 Released: Wed Sep 9 22:03:04 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1174660 This update for procps fixes the following issues: - Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2609-1 Released: Fri Sep 11 10:58:59 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,1172021,1176179,CVE-2019-19956,CVE-2019-20388,CVE-2020-24977,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). - Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2652-1 Released: Wed Sep 16 14:43:23 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1175811,1175830,1175831 This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2660-1 Released: Wed Sep 16 16:15:10 2020 Summary: Security update for libsolv Type: security Severity: moderate References: 1120629,1120630,1120631,1127155,1131823,1137977,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libsolv fixes the following issues: This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products. libsolv was updated to version 0.6.36 fixes the following issues: Security issues fixed: - CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629). - CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630). - CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631). Non-security issues fixed: - Made cleandeps jobs on patterns work (bsc#1137977). - Fixed an issue multiversion packages that obsolete their own name (bsc#1127155). - Keep consistent package name if there are multiple alternatives (bsc#1131823). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:79-1 Released: Wed Sep 16 16:17:11 2020 Summary: Security update for libzypp Type: security Severity: moderate References: 1158763,CVE-2019-18900 This update for libzypp fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2897-1 Released: Tue Oct 13 14:00:25 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1170347,1176759 This update for suse-build-key fixes the following issues: - This update extends the suse build key (bsc#1176759) - The SUSE container key is different from the build key. (PM-1845 bsc#1170347) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2900-1 Released: Tue Oct 13 14:20:15 2020 Summary: Security update for libproxy Type: security Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2959-1 Released: Tue Oct 20 12:33:48 2020 Summary: Recommended update for file Type: recommended Severity: moderate References: 1176123 This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3146-1 Released: Wed Nov 4 08:38:54 2020 Summary: Recommended update for openssl-1_0_0 Type: recommended Severity: moderate References: 1155346,1176029,1177479,1177575,1177673,1177793 This update for openssl-1_0_0 fixes the following issues: Various changes required for FIPS 140-2 certification (jsc#SLE-10541) - FIPS: Use SHA-2 in the RSA pairwise consistency check (bsc#1155346) - FIPS: Add shared secret KAT to FIPS DH selftest (bsc#1176029) - FIPS: Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029 bsc#1177479 bsc#1177575 bsc#1177673 bsc#1177793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3156-1 Released: Wed Nov 4 15:21:49 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3263-1 Released: Tue Nov 10 09:48:14 2020 Summary: Security update for gcc10 Type: security Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 This update for gcc10 fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3346-1 Released: Mon Nov 16 17:44:39 2020 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1169947,1178038 This update for zypper fixes the following issues: - Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038) - Fixed a typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3489-1 Released: Mon Nov 23 14:07:31 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1083571,1139459,1176513,1176800,1177458,1177510 This update for systemd fixes the following issues: - Create systemd-remote user only if journal-remote is included with the package (bsc#1177458) - Fixed a buffer overflow in systemd ask-password (bsc#1177510) - Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513) - Fixed an issue with the try-restart command, where services won't restart (bsc#1139459) Exclusively for SUSE Linux Enterprise 12 SP5: - cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3569-1 Released: Mon Nov 30 17:13:16 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1178727 This update for pam fixes the following issue: - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3732-1 Released: Wed Dec 9 18:18:03 2020 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_0_0 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3739-1 Released: Thu Dec 10 09:17:34 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3794-1 Released: Mon Dec 14 17:40:20 2020 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1174215,1178925,1178966 This update for libzypp, zypper fixes the following issues: Changes in zypper: - Fix typo in `list-patches` help. (bsc#1178925) The options for selecting issues matching the specified string is `--issue[=STRING]`, not `--issues[=STRING]`. Changes in libzypp: - Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966) - Remove from the logs the credentials available from the authorization header. (bsc#1174215) The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3852-1 Released: Wed Dec 16 12:27:02 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issues: - Do not trigger CDROM autoclose. (bsc#1084671) - Try to autoconfigure broken serial lines. - Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514) - Build with libudev support to support non-root users. (bsc#1169006) - Aavoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to CIFS with mount –a. (SG#57988, bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:26-1 Released: Tue Jan 5 14:18:00 2021 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:244-1 Released: Fri Jan 29 09:46:42 2021 Summary: Recommended update for openssl-1_0_0 Type: recommended Severity: moderate References: 1180777,1180959 This update for openssl-1_0_0 fixes the following issues: - Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777) - Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:356-1 Released: Wed Feb 10 09:07:57 2021 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1177976 This update for curl fixes the following issues: - Fix for SFTP uploads when it results in empty uploaded files. (bsc#1177976) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:358-1 Released: Wed Feb 10 10:43:22 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1179363,1179824,1180020,1180596,1180885 This update for systemd fixes the following issues: - Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reloadbsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reload (bsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:588-1 Released: Thu Feb 25 06:10:02 2021 Summary: Recommended update for file Type: recommended Severity: moderate References: 1182138 This update for file fixes the following issues: - Fixed an issue when file is used with a string started with '80'. (bsc#1182138) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:608-1 Released: Thu Feb 25 21:03:59 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1180038,1181365,1181505,1182117,CVE-2019-25013,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) - powerpc: Add support for POWER10 (bsc#1181365) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:725-1 Released: Mon Mar 8 16:47:37 2021 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_0_0 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:796-1 Released: Tue Mar 16 10:28:14 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:932-1 Released: Wed Mar 24 12:13:01 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358). - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182). - CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639). - CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514). Bug fixes and enhancements: - Packages must not mark license files as %doc (bsc#1082318) - Typo in description of libnghttp2_asio1 (bsc#962914) - Fixed mistake in spec file (bsc#1125689) - Fixed build issue with boost 1.70.0 (bsc#1134616) - Fixed build issue with GCC 6 (bsc#964140) - Feature: Add W&S module (FATE#326776, bsc#1112438) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1003-1 Released: Thu Apr 1 15:06:58 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1165-1 Released: Tue Apr 13 14:03:17 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1184034,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573 This update for glibc fixes the following issues: - CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386) - CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694) - CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721) - Check vector support in memmove ifunc-selector (bsc#1184034) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1246-1 Released: Fri Apr 16 15:14:59 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178219,1180020,1180083,1183094,1183790 This update for systemd fixes the following issues: - Fixed an issue, where Restart=on-abort was not respected based on the exit status of the main process (bsc#1183790) - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. - Fixed an error when building systemd systemd-mini, caused by a change in systemd-rpm-macros (bsc#1183094) - Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083) - Fixed a memory leak in systemctl daemon-reload (bsc#1180020) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1336-1 Released: Tue Apr 27 17:24:06 2021 Summary: Recommended update for libcap Type: recommended Severity: critical References: 1184434,1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs'. (bsc#1184690, bsc#1184434) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1396-1 Released: Wed Apr 28 09:23:39 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,CVE-2021-22876 This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1524-1 Released: Wed May 5 18:25:25 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1541-1 Released: Thu May 6 17:09:04 2021 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1177369 This update for bash fixes the following issues: - Fixed a bug where the 'tailf' command destroyed the terminal/console settings (bsc1177369) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1658-1 Released: Wed May 19 18:20:42 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: Security issues fixed: CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1667-1 Released: Thu May 20 09:34:34 2021 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1179515,1184362 This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515, bsc#1184362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1683-1 Released: Fri May 21 15:38:24 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178561,1184967,1185046,1185331 This update for systemd fixes the following issues: systemctl: add --value option execute: make sure to call into PAM after initializing resource limits. (bsc#1184967) rlimit-util: introduce setrlimit_closest_all() system-conf: drop reference to ShutdownWatchdogUsec= core: rename ShutdownWatchdogSec to RebootWatchdogSec. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: set execute bits. (bsc#1178561) udev: rework network device renaming. Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available'' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1763-1 Released: Wed May 26 12:31:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1796-1 Released: Fri May 28 09:40:02 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016,1185337 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) - Fixed build failure in SLE-12 due to bogus 'rpmlint'. (bsc#1185337) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2016-1 Released: Fri Jun 18 09:39:25 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2086-1 Released: Fri Jun 18 17:28:57 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2156-1 Released: Thu Jun 24 15:39:39 2021 Summary: Security update for libgcrypt Type: security Severity: important References: 1187212,CVE-2021-33560 This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2180-1 Released: Mon Jun 28 17:40:39 2021 Summary: Security update for libsolv Type: security Severity: important References: 1161510,1186229,CVE-2019-20387,CVE-2021-3200 This update for libsolv fixes the following issues: Security issues fixed: - CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510) - CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229) Other issues fixed: - backport support for blacklisted packages to support ptf packages and retracted patches - fix ruleinfo of complex dependencies returning the wrong origin - fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason - fix add_complex_recommends() selecting conflicted packages in rare cases - fix potential segfault in resolve_jobrules - fix solv_zchunk decoding error if large chunks are used ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2280-1 Released: Fri Jul 9 16:29:17 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1047247,1050467,1093414,1097665,1123886,1150734,1155939,1157198,1160594,1160764,1161779,1163922,1171883,1182899,CVE-2019-3688,CVE-2019-3690,CVE-2020-8013 This update for permissions fixes the following issues: - Fork package for 12-SP5 (bsc#1155939) - make btmp root:utmp (bsc#1050467, bsc#1182899) - pcp: remove no longer needed / conflicting entries (bsc#1171883). Fixes a potential security issue. - do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922) - fix handling of relative directory symlinks in chkstat - whitelist postgres sticky directories (bsc#1123886) - fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594) - fix capability handling when doing multiple permission changes at once (bsc#1161779, - fix invalid free() when permfiles points to argv (bsc#1157198) - the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247, bsc#1097665) - fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688) - fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2405-1 Released: Tue Jul 20 14:21:55 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1184761,1185807,1188063,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Fixed a regression with hostnamectl and timedatectl (bsc#1184761) - Fixed permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2462-1 Released: Fri Jul 23 11:23:22 2021 Summary: Security update for curl Type: security Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2480-1 Released: Tue Jul 27 13:47:22 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1027496,1131330,1187911,CVE-2016-10228,CVE-2021-35942 This update for glibc fixes the following issues: Security issues fixed: - CVE-2021-35942: wordexp: Fixed handle overflow in positional parameter number (bsc#1187911) - CVE-2016-10228: Rewrite iconv option parsing (bsc#1027496) Other fixes: - Fixed race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2578-1 Released: Sun Aug 1 15:54:42 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1187784 This update for openldap2 rebuilds openldap2 against a symbol versioned enabled openssl 1.0 library. This is an enablemend for migrations to openssl 1.1.1 which will enable TLS 1.3 support. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2686-1 Released: Sat Aug 14 03:58:36 2021 Summary: Security update for cpio Type: security Severity: important References: 1189206,CVE-2021-38185 This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2767-1 Released: Tue Aug 17 17:29:14 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465 This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2779-1 Released: Thu Aug 19 16:08:35 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465,CVE-2021-38185 This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2808-1 Released: Mon Aug 23 12:09:10 2021 Summary: Security update for cpio Type: security Severity: important References: 1189465,CVE-2021-38185 This update for cpio fixes the following issues: - A patch previously applied to remedy CVE-2021-38185 introduced a regression that had the potential to cause a segmentation fault in cpio. [bsc#1189465] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2826-1 Released: Tue Aug 24 16:16:02 2021 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1189521,CVE-2021-3712 This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2859-1 Released: Fri Aug 27 13:57:36 2021 Summary: Recommended update for bzip2 Type: recommended Severity: moderate References: 1188891 This update for bzip2 fixes the following issues: - Disable a optimization that caused crashes with libarchive due to uninitialized memory. (bsc#1188891) - Fixed bashisms in bzgrep and bznew ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2903-1 Released: Wed Sep 1 13:09:42 2021 Summary: Recommended update for cracklib Type: recommended Severity: moderate References: 1188698 This update for cracklib fixes the following issue: - Provide 'cracklib-dict-small' to SUSE Linux Enterprise Server 12-SP5 (bsc#1188698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2930-1 Released: Thu Sep 2 14:48:43 2021 Summary: Security update for file Type: security Severity: important References: 1154661,CVE-2019-18218 This update for file fixes the following issues: - CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2936-1 Released: Thu Sep 2 21:14:49 2021 Summary: Recommended update for zypper Type: recommended Severity: low References: 1187466 This update for zypper fixes the following issues: - Fix for man: point out more clearly that patches update affected packages to the latest available version. (bsc#1187466) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2995-1 Released: Thu Sep 9 14:35:53 2021 Summary: Security update for openssl-1_0_0 Type: security Severity: low References: 1189521,CVE-2021-3712 This update for openssl-1_0_0 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3016-1 Released: Mon Sep 13 08:46:07 2021 Summary: Create update the package in the update channels Type: recommended Severity: important References: 1189738 Create update to release base-container-licenses to fix bsc#1189738 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3041-1 Released: Wed Sep 15 09:47:47 2021 Summary: Create update the package in the update channels Type: recommended Severity: important References: 1189738 Create update to release base-container-licenses to fix bsc#1189738 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3147-1 Released: Mon Sep 20 11:09:04 2021 Summary: Create update the package in the update channels Type: recommended Severity: important References: 1189738 Create update to release base-container-licenses to fix bsc#1189738 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3230-1 Released: Mon Sep 27 11:19:10 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1190858 This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in SUSE Linux Enterprise 12 and older. (bsc#1190858) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3290-1 Released: Wed Oct 6 16:44:45 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,CVE-2021-33574 This update for glibc fixes the following issues: - CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3329-1 Released: Mon Oct 11 15:31:42 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1187153,1187273,1188623 This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories. Changes done in GCC11 are documented on: https://gcc.gnu.org/gcc-11/changes.html This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler. To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3332-1 Released: Mon Oct 11 17:02:35 2021 Summary: Security update for curl Type: security Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3475-1 Released: Wed Oct 20 08:41:48 2021 Summary: Security update for util-linux Type: security Severity: moderate References: 1178236,1188921,CVE-2021-37600 This update for util-linux fixes the following issues: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3491-1 Released: Wed Oct 20 16:37:15 2021 Summary: Security update for ncurses Type: security Severity: moderate References: 1190793,CVE-2021-39537 This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3503-1 Released: Fri Oct 22 15:17:33 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179847,1186503,1187760,1190530,1191286 This update for libsolv, libzypp, zypper fixes the following issues: - Turn on rich dependency handling needed for ptf support. (bsc#1190530) - Rebuild all caches to make sure rich dependency handling is enabled. (bsc#1190530) - Fix solver jobs for PTFs. (bsc#1186503) - Add support for PTFs. (jsc#SLE-17973, jsc#SLE-17974) - Identify well-known category names for better sorting. (bsc#1179847) - Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760) - Don't probe for plaindir repo if URL schema is plugin. (bsc#1191286) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3504-1 Released: Fri Oct 22 15:39:31 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3518-1 Released: Tue Oct 26 15:21:16 2021 Summary: Recommended update for cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp, xmlsec1 Type: recommended Severity: moderate References: 1187784 This update of cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp and xmlsec1 rebuilds the packages with a symbol versioned openssl, to allow later migration to a TLS 1.3 enabled openssl 1.1.1. This update contains no other functional changes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3611-1 Released: Thu Nov 4 11:14:44 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1171962,1180225,1188018,1188063,1188291,1189480,1191399,CVE-2021-33910 This update for systemd fixes the following issues: - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - Add timestamp to D-Bus events to improve traceability. (jsc#SLE-21894) - busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225, jsc#SLE-21894) - sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (bsc#1191399) - basic/unit-name: do not use strdupa() on a path (bsc#1188063, CVE-2021-33910) - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018) - units: make fsck/grows/makefs/makeswap units conflict against shutdown.target - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480) - Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291) - Allow systemd sysusers config files to be overriden during system installation (bsc#1171962) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3652-1 Released: Wed Nov 10 17:40:12 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1025709,1030066,1030803,1030805,1030807,1172973,1172974,CVE-2017-6004,CVE-2017-7186,CVE-2017-7244,CVE-2017-7245,CVE-2017-7246,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973). - CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807). - CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805). - CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803). - CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066). - CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3664-1 Released: Tue Nov 16 10:14:26 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - pam_cracklib: backported code to check whether the password contains a substring of of the user's name of at least characters length in some form from SLE-15. (jsc#SLE-22182) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:3819-1 Released: Wed Dec 1 09:33:38 2021 Summary: Optional update for cracklib Type: optional Severity: low References: 1191736 This optional update for cracklib fixes the following issue: - Execute the test while building the package. (bsc#1191736) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3878-1 Released: Thu Dec 2 09:13:51 2021 Summary: Security update for gmp Type: security Severity: moderate References: 1192717,CVE-2021-43618 This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3889-1 Released: Fri Dec 3 10:19:22 2021 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1191194 This update for permissions fixes the following issues: Update to version 20170707: * add capability for prometheus-blackbox_exporter (bsc#1191194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3894-1 Released: Fri Dec 3 10:46:06 2021 Summary: Recommended update for bzip2 Type: recommended Severity: low References: 1191648 This update for bzip2 fixes the following issues: - Enables build time tests of bzip2. (bsc#1191648) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3931-1 Released: Mon Dec 6 11:17:00 2021 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1192790 This update for curl fixes the following issues: - Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3965-1 Released: Tue Dec 7 10:08:23 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1192681 This update for nghttp2 fixes the following issue: - libnghttp2-devel was missing from the SDK. (bsc#1192681) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4006-1 Released: Mon Dec 13 11:22:59 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1192688 This update for zlib fixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4108-1 Released: Fri Dec 17 06:08:28 2021 Summary: Recommended update for openssl-1_0_0 Type: recommended Severity: moderate References: 1180995,1190885 This update for openssl-1_0_0 fixes the following issues: - Fix parameters by name ffdheXXXX and modp_XXXX sometimes result in 'not found' (bsc#1190885) - Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameter (bsc#1180995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4140-1 Released: Tue Dec 21 17:04:37 2021 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1192785 This update for bash fixes the following issues: - Fixed and issue when 'setuid' causing permission denied on 'popen'. (bsc#1192785) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4199-1 Released: Thu Dec 30 05:41:45 2021 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1193483 This update for curl fixes the following issues: - libcurl-devel: Add an explicit dependency on libnghttp2-devel since its not autodetected (bsc#1193483) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3-1 Released: Mon Jan 3 08:27:47 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1193480 This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:179-1 Released: Tue Jan 25 14:18:44 2022 Summary: Security update for expat Type: security Severity: important References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827 This update for expat fixes the following issues: - CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251). - CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362). - CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474). - CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476). - CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477). - CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478). - CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479). - CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:323-1 Released: Thu Feb 3 16:53:34 2022 Summary: Security update for samba Type: security Severity: critical References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048,CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336 This update contains a major security update for Samba. samba has received security fixes: - CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share (bsc#1193690); - CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (bsc#1194859); - CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services (bsc#1195048); samba was updated to version 4.15.4; (jsc#SLE-23330); + CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519); + CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227); - Build samba with embedded talloc, pytalloc, pytalloc-util, tdb, pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries. The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and their manpages in /usr/lib[64]/samba/man This avoids removing old functionality. samba was updated to 4.15.4: * Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928); * Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932); * kill_tcp_connections does not work; (bso#14934); * Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935); * smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939); * Cross device copy of the crossrename module always fails; (bso#14940); * symlinkat function from VFS cap module always fails with an error; (bso#14941); * Fix possible fsp pointer deference; (bso#14942); * Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944); * 'smbd --build-options' no longer works without an smb.conf file; (bso#14945); - Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel. - Rename package samba-core-devel to samba-devel - Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba sssd was updated: - Build with the newer samba versions; (jsc#SLE-23330); - Fix a dependency loop by moving internal libraries to sssd-common package; (bsc#1182058); p11-kit was updated: Update to 0.23.2; (jsc#SLE-23330); * Fix forking issues with libffi * Fix various crashes in corner cases * Updated translations * Build fixes - Fix multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361): - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993) ca-certificates was updated: - p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330) This update also ships: - libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requires of the newer samba. apparmor was updated: - Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330); yast2-samba-client was updated: - With latest versions of samba (>=4.15.0) calling 'net ads lookup' with '-U%' fails; (boo#1193533). - yast-samba-client fails to join if /etc/samba/smb.conf or /etc/krb5.conf don't exist; (bsc#1089938) - Do not stop nmbd while nmbstatus is running, it is not necessary anymore; (bsc#1158916); ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:441-1 Released: Wed Feb 16 14:21:59 2022 Summary: Security update for glibc Type: security Severity: important References: 1191835,1192620,1193478,1194640,1194768,1194770,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 glibc was updated to fix the following issues: Security issues fixed: - CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640) - CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770) Bugs fixed: - Make endian-conversion macros always return correct types (bsc#1193478, BZ #16458) - Allow dlopen of filter object to work (bsc#1192620, BZ #16272) - x86: fix stack alignment in cancelable syscall stub (bsc#1191835) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:495-1 Released: Fri Feb 18 10:40:22 2022 Summary: Security update for expat Type: security Severity: important References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990 This update for expat fixes the following issues: - CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054). - CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:517-1 Released: Fri Feb 18 12:44:17 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1193296 This update for openldap2 fixes the following issues: - Resolve double free in sssvlv overlay (bsc#1193296). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:521-1 Released: Fri Feb 18 12:46:15 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1190354 This update for coreutils fixes the following issues: - Remove problematic special leaf optimization cases for XFS that can lead to du crashes. (bsc#1190354) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:693-1 Released: Thu Mar 3 16:04:04 2022 Summary: Security update for cyrus-sasl Type: security Severity: important References: 1196036,CVE-2022-24407 This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:698-1 Released: Thu Mar 3 16:35:26 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:785-1 Released: Thu Mar 10 09:53:23 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1194845,1196494,1196495 This update for suse-build-key fixes the following issues: - Extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc - Added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494) - Extended expiry of SUSE SLES11 key (bsc#1194845) - Added SUSE Contaner signing key in PEM format for use e.g. by cosign. - SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495) - Removed old security key. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:842-1 Released: Tue Mar 15 11:32:49 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196784,CVE-2022-25236 This update for expat fixes the following issues: - Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:857-1 Released: Tue Mar 15 19:33:24 2022 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1196249,1196877,CVE-2022-0778 This update for openssl-1_0_0 fixes the following issues: - CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877). - Allow CRYPTO_THREADID_set_callback to be called with NULL parameter (bsc#1196249). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1019-1 Released: Tue Mar 29 13:21:17 2022 Summary: Recommended update for pcre Type: recommended Severity: low References: 1196187 This update for pcre fixes the following issue: - Add devel package to HA channels. (bsc#1196187) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1023-1 Released: Tue Mar 29 15:34:47 2022 Summary: Security update for zlib Type: security Severity: important References: 1197459,CVE-2018-25032 This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1067-1 Released: Thu Mar 31 12:55:00 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1195628,1196107 This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1104-1 Released: Mon Apr 4 17:48:11 2022 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1172427,1194642 This update for util-linux fixes the following issues: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) - Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642) - Warn if uuidd lock state is not usable. (bsc#1194642) - Fix 'su -s' bash completion. (bsc#1172427) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1160-1 Released: Tue Apr 12 14:49:18 2022 Summary: Security update for xz Type: security Severity: important References: 1198062,CVE-2022-1271 This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1169-1 Released: Tue Apr 12 18:19:42 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1180225,1190984,1191502,1193841,1195529,1195899 This update for systemd fixes the following issues: - Core: make sure we always free the list of changes - Install: correctly report symlink creations - Core: make sure we generate a nicer error when a linked unit is attempted to be enabled - Install: unify checking whether operations may be applied to a unit file in a new function - Install: fix errno handling - Allow 'edit' and 'cat' on unloaded units - Don't open /var journals in volatile mode when runtime_journal==NULL - udev: handle duplicate device ID (bsc#1195529) - man: tweak description of auto/noauto (bsc#1191502) - systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871) - systemctl: exit with 1 if no unit files found (bsc#1193841) - umount: show correct error message - core/umount: fix unitialized fields in MountPoint - umount: Add more asserts and remove some unused arguments, fix memory leak - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1178-1 Released: Wed Apr 13 15:44:35 2022 Summary: Recommended update for ca-certificates, p11-kit Type: recommended Severity: moderate References: 1196443,1196812 This update for ca-certificates, p11-kit fixes the following issues: Changes in p11-kit: - call update-ca-certificates in post to make sure certs are regenerated even if ca-certificates was installed before p11-kit for whatever reason (bsc#1196443) - make sure p11-kit components have matching versions (bsc#1196812) Changes in ca-certificates: - Require p11-kit-tools > 0.23.1 as older versions don't support pem-directory-hash (bsc#1196443, bsc#1196812) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1209-1 Released: Thu Apr 14 13:30:22 2022 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1189622,1194848,1195485,184501 This update for libsolv, libzypp fixes the following issues: - fix memory leaks in SWIG generated code - fix misparsing with libxml2 - try to keep packages from a cycle close togther in the transaction order (bsc#1189622) - fix split provides not working if the update includes a forbidden vendor change (bsc#1195485) - fix segfault on conflict resolution when using bindings - do not replace noarch problem rules with arch dependent one in problem reporting - fix and simplify pool_vendor2mask implementation - Hint on ptf resolver conflicts (bsc#1194848) - Fix package signature check (bsc#184501) Pay attention that header and payload are secured by a valid. signature and report more detailed which signature is missing. - Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1282-1 Released: Wed Apr 20 12:28:40 2022 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1197674 This update for bash fixes the following issues: - Fix memory leak in array asignment (bsc#1197674) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1308-1 Released: Fri Apr 22 16:07:40 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,CVE-2022-23308 This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1680-1 Released: Mon May 16 11:09:42 2022 Summary: Security update for curl Type: security Severity: moderate References: 1198614,1198766,CVE-2022-22576,CVE-2022-27776 This update for curl fixes the following issues: - CVE-2022-27776: Fixed Auth/cookie leak on redirect (bsc#1198766) - CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1682-1 Released: Mon May 16 11:10:34 2022 Summary: Recommended update for systemd Type: recommended Severity: low References: 1199273 This update for systemd syncs internal package requirements, but has otherwise no code or functional changes compared to the last update. (bsc#1199273) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1695-1 Released: Tue May 17 09:14:13 2022 Summary: Security update for e2fsprogs Type: security Severity: important References: 1198446,CVE-2022-1304 This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1701-1 Released: Tue May 17 12:10:11 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate References: 1197443 This update for augeas fixes the following issues: - Fix handling of keywords in new sysctl.conf (bsc#1197443) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1771-1 Released: Fri May 20 15:01:22 2022 Summary: Security update for openldap2 Type: security Severity: important References: 1198383,1199240,CVE-2022-29155 This update for openldap2 fixes the following issues: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). - Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1805-1 Released: Mon May 23 11:06:28 2022 Summary: Security update for curl Type: security Severity: important References: 1199223,1199224,CVE-2022-27781,CVE-2022-27782 This update for curl fixes the following issues: - CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223) - CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1833-1 Released: Tue May 24 15:14:20 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1069689,1199132,CVE-2017-16932,CVE-2022-29824 This update for libxml2 fixes the following issues: - CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132). - CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1877-1 Released: Mon May 30 00:12:34 2022 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1196645 This update for audit fixes the following issues: - Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1926-1 Released: Thu Jun 2 16:06:59 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. * includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * Fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * Fixes issue with debug dumping together with -o /dev/null * Fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2048-1 Released: Mon Jun 13 09:21:27 2022 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1196317,1198139 This update for zypper fixes the following issues: - Improve return codes. (bsc#1198139) - info: Fix SEGV with not installed PTFs. (bsc#1196317) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2106-1 Released: Thu Jun 16 15:23:17 2022 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1199166,CVE-2022-1292 This update for openssl-1_0_0 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2181-1 Released: Fri Jun 24 14:28:53 2022 Summary: Security update for openssl Type: security Severity: moderate References: 1200550,CVE-2022-2068 This update for openssl fixes the following issues: - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2288-1 Released: Wed Jul 6 12:55:49 2022 Summary: Security update for curl Type: security Severity: important References: 1200735,1200737,CVE-2022-32206,CVE-2022-32208 This update for curl fixes the following issues: - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2334-1 Released: Fri Jul 8 10:12:23 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2529-1 Released: Fri Jul 22 13:09:00 2022 Summary: Security update for gpg2 Type: security Severity: important References: 1201225,CVE-2022-34903 This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2718-1 Released: Tue Aug 9 12:54:54 2022 Summary: Security update for ncurses Type: security Severity: moderate References: 1198627,CVE-2022-29458 This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2847-1 Released: Thu Aug 18 16:30:39 2022 Summary: Security update for zlib Type: security Severity: important References: 1202175,CVE-2022-37434 This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2871-1 Released: Tue Aug 23 09:26:32 2022 Summary: Security update for p11-kit Type: security Severity: moderate References: 1180065,CVE-2020-29362 This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread that could lead to crashes (bsc#1180065) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2907-1 Released: Fri Aug 26 05:32:06 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1198341 This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2981-1 Released: Thu Sep 1 12:33:06 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1197178,1198731,1200842 This update for util-linux fixes the following issues: - su: Change owner and mode for pty (bsc#1200842) - agetty: Resolve tty name even if stdin is specified (bsc#1197178) - libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731) - mesg: use only stat() to get the current terminal status (bsc#1200842) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3005-1 Released: Fri Sep 2 15:02:47 2022 Summary: Security update for curl Type: security Severity: low References: 1202593,CVE-2022-35252 This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3105-1 Released: Tue Sep 6 10:57:34 2022 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1201929 This update for keyutils fixes the following issues: - Apply default TTL to DNS records from getaddrinfo() (bsc#1201929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3112-1 Released: Tue Sep 6 13:09:49 2022 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1181994,1188006,1199079,1202868 This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added CAs: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3382-1 Released: Mon Sep 26 12:34:19 2022 Summary: Security update for permissions Type: security Severity: moderate References: 1050467,1191194,1203018,CVE-2022-31252 This update for permissions fixes the following issues: - CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018). - Add capability for prometheus-blackbox_exporter (bsc#1191194). - Make btmp root:utmp (bsc#1050467). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3389-1 Released: Mon Sep 26 12:52:13 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1200095 This update for libgcrypt fixes the following issues: - FIPS: Auto-initialize drbg if needed. (bsc#1200095) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3466-1 Released: Thu Sep 29 11:43:25 2022 Summary: Security update for expat Type: security Severity: important References: 1203438,CVE-2022-40674 This update for expat fixes the following issues: - CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3681-1 Released: Fri Oct 21 10:46:51 2022 Summary: Security update for libksba Type: security Severity: critical References: 1204357,CVE-2022-3515 This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3717-1 Released: Tue Oct 25 10:17:36 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 This update for libxml2 fixes the following issues: - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3769-1 Released: Wed Oct 26 12:17:10 2022 Summary: Security update for curl Type: security Severity: important References: 1204383,CVE-2022-32221 This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3789-1 Released: Thu Oct 27 04:41:50 2022 Summary: Recommended update for permissions Type: recommended Severity: important References: 1203911 This update for permissions fixes the following issues: - Fix regression introduced by backport of security fix (bsc#1203911) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3817-1 Released: Mon Oct 31 12:05:29 2022 Summary: Security update for libtasn1 Type: security Severity: critical References: 1204690,CVE-2021-46848 This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3874-1 Released: Fri Nov 4 15:06:57 2022 Summary: Security update for expat Type: security Severity: important References: 1204708,CVE-2022-43680 This update for expat fixes the following issues: - CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3903-1 Released: Tue Nov 8 10:51:02 2022 Summary: Recommended update for openssl-1_0_0 Type: recommended Severity: moderate References: 1180995 This update for openssl-1_0_0 fixes the following issues: - Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3939-1 Released: Thu Nov 10 14:32:05 2022 Summary: Security update for rpm Type: security Severity: moderate References: 1183543,1183545,1183632,1183659,1185299,996280,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 This update for rpm fixes the following issues: - Fixed PGP parsing bugs (bsc#1185299). - Fixed various format handling bugs (bsc#996280). - CVE-2021-3421: Fixed vulnerability where unsigned headers could be injected into the rpm database (bsc#1183543). - CVE-2021-20271: Fixed vulnerability where a corrupted rpm could corrupt the rpm database (bsc#1183545). - CVE-2021-20266: Fixed missing bounds check in hdrblobInit (bsc#1183632). Bugfixes: - Fixed deadlock when multiple rpm processes tried to acquire the database lock (bsc#1183659). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3942-1 Released: Thu Nov 10 15:58:47 2022 Summary: Security update for glibc Type: security Severity: moderate References: 1193625,1196852,CVE-2015-8985 This update for glibc fixes the following issues: - CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) - x86: fix stack alignment in pthread_cond_[timed]wait (bsc#1196852) - Recognize ppc64p7 arch to build for power7 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3962-1 Released: Mon Nov 14 07:34:23 2022 Summary: Recommended update for zlib Type: recommended Severity: important References: 1203652 This update for zlib fixes the following issues: - Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3980-1 Released: Tue Nov 15 11:16:52 2022 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1081947,1201354 This update for util-linux fixes the following issues: - Integrate pam_keyinit PAM module (bsc#1201354, bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4237-1 Released: Fri Nov 25 18:20:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1203320 This update for openldap2 fixes the following issues: - Resolve broken symlinks in documentation (bsc#1203320) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4245-1 Released: Mon Nov 28 10:53:20 2022 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ship the GCC 12 compiler suite and its base libraries. The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Toolchain Module. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4279-1 Released: Tue Nov 29 15:44:34 2022 Summary: Security update for systemd Type: security Severity: moderate References: 1197244,1198507,1204968,CVE-2022-3821 This update for systemd fixes the following issues: - CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968). - Import commit 417bb0944e035969594fff83a3ab9c2ca9a56234 * 20743c1a44 logind: fix crash in logind on user-specified message string * b971b5f085 tmpfiles: check the directory we were supposed to create, not its parent * 2850271ea6 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call * 3d3bd5fc8d systemd --user: call pam_loginuid when creating user@.service (#3120) (bsc#1198507) * 4b56c3540a parse-util: introduce pid_is_valid() * aa811a4c0c systemd-detect-virt: refine hypervisor detection (#7171) (bsc#1197244) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4449-1 Released: Tue Dec 13 10:35:19 2022 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1204548 This update for libzypp fixes the following issues: Update to version 16.22.5: - properly reset range requests (bsc#1204548) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4598-1 Released: Wed Dec 21 10:13:33 2022 Summary: Security update for curl Type: security Severity: moderate References: 1206309,CVE-2022-43552 This update for curl fixes the following issues: - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4625-1 Released: Tue Dec 27 09:47:49 2022 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1206212,1206622 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4627-1 Released: Tue Dec 27 15:05:41 2022 Summary: Security update for systemd Type: security Severity: important References: 1204423,1205000,CVE-2022-4415 This update for systemd fixes the following issues: - CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000). Bug fixes: - Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:31-1 Released: Thu Jan 5 13:33:52 2023 Summary: Security update for libksba Type: security Severity: moderate References: 1206579,CVE-2022-47629 This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:58-1 Released: Tue Jan 10 09:15:27 2023 Summary: Security update for systemd Type: security Severity: moderate References: 1181636,1205000,CVE-2022-4415 This update for systemd fixes the following issues: Fixing the following issues: - units: restore RemainAfterExit=yes in systemd-vconsole-setup.service - vconsole-setup: don't concat strv if we don't need to (i.e. not in debug log mode) - vconsole-setup: add more log messages - units: restore Before dependencies for systemd-vconsole-setup.service - vconsole-setup: add lots of debug messages - Add enable_disable() helper - vconsole: correct kernel command line namespace - vconsole: Don't do static installation under sysinit.target - vconsole: use KD_FONT_OP_GET/SET to handle copying (bsc#1181636) - vconsole: updates of keyboard/font loading functions - vconsole: Add generic is_*() functions - vconsole: add two new toggle functions, remove old enable/disable ones - vconsole: copy font to 63 consoles instead of 15 - vconsole: add log_oom() where appropriate - vconsole-setup: Store fonts on heap (#3268) - errno-util: add new errno_or_else() helper The following fix is now integrated upstream: - CVE-2022-4415: coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:85-1 Released: Thu Jan 12 20:01:48 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1194038 This update for util-linux fixes the following issues: - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:189-1 Released: Fri Jan 27 12:07:53 2023 Summary: Recommended update for zlib Type: recommended Severity: important References: 1203652 This update for zlib fixes the following issues: - Follow up fix for bug bsc#1203652 due to libxml2 issue ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:306-1 Released: Tue Feb 7 17:32:56 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1201627,1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533). - CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536). - CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534). - testsuite: Update further expiring certificates that affect tests [bsc#1201627] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:425-1 Released: Wed Feb 15 16:34:23 2023 Summary: Security update for curl Type: security Severity: moderate References: 1207992,CVE-2023-23916 This update for curl fixes the following issues: - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:865-1 Released: Tue Mar 21 18:34:07 2023 Summary: Security update for curl Type: security Severity: moderate References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1622-1 Released: Tue Mar 28 11:26:29 2023 Summary: Security update for systemd Type: security Severity: important References: 1206985,1208958,CVE-2023-26604 This update for systemd fixes the following issues: - CVE-2023-26604: Fixed a privilege escalation via the less pager. (bsc#1208958) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1704-1 Released: Thu Mar 30 16:16:17 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1202062,1209624,CVE-2023-0464 This update for openssl-1_0_0 fixes the following issues: Security fixes: - CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624). Other fixes: - Fix DH key generation in FIPS mode, add support for constant BN for DH parameters (bsc#1202062) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1914-1 Released: Wed Apr 19 14:24:23 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1209873,1209878,CVE-2023-0465,CVE-2023-0466 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878). - CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1986-1 Released: Tue Apr 25 11:53:14 2023 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1160285 This update for permissions fixes the following issues: * mariadb: settings for new auth_pam_tool (bsc#1160285) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2041-1 Released: Wed Apr 26 11:44:27 2023 Summary: Recommended update for zlib Type: recommended Severity: low References: 1206513 This update for zlib fixes the following issues: - Add support for small windows in IBM Z hardware-accelerated deflate (bsc#1206513) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2054-1 Released: Thu Apr 27 11:31:36 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1210411,1210412,CVE-2023-28484,CVE-2023-29469 This update for libxml2 fixes the following issues: - CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412). - CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2067-1 Released: Fri Apr 28 13:54:34 2023 Summary: Security update for shadow Type: security Severity: moderate References: 1210507,CVE-2023-29383 This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2112-1 Released: Fri May 5 14:34:42 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1210434,CVE-2023-29491 This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2225-1 Released: Wed May 17 09:54:33 2023 Summary: Security update for curl Type: security Severity: important References: 1198608,1211230,1211231,1211232,1211233,CVE-2022-27774,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 This update for curl adds the following feature: Update to version 8.0.1 (jsc#PED-2580) - CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230). - CVE-2023-28320: siglongjmp race condition (bsc#1211231). - CVE-2023-28321: IDN wildcard matching (bsc#1211232). - CVE-2023-28322: POST-after-PUT confusion (bsc#1211233). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2249-1 Released: Thu May 18 17:07:31 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1203248,1203249,1208329,428822 This update for libzypp, zypper fixes the following issues: - Removing a PTF without enabled repos should always fail (bsc#1203248) - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) - Add expert (allow-*) options to all installer commands (bsc#428822) - Provide 'removeptf' command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. But you don't want the dependant packages to be removed together with the PTF, which is what the remove command would do. The removeptf command however will aim to replace the dependant packages by their official update versions. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2260-1 Released: Mon May 22 10:29:33 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1210593 This update for zlib fixes the following issues: - Fix crash when calling deflateBound() function (bsc#1210593) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2330-1 Released: Tue May 30 16:49:19 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1211430,CVE-2023-2650 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2364-1 Released: Mon Jun 5 09:22:18 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1210164 This update for util-linux fixes the following issues: - Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2483-1 Released: Mon Jun 12 08:46:57 2023 Summary: Security update for openldap2 Type: security Severity: moderate References: 1211795,CVE-2023-2953 This update for openldap2 fixes the following issues: - CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2624-1 Released: Fri Jun 23 13:43:30 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1207534,CVE-2022-4304 This update for openssl-1_0_0 fixes the following issues: - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2661-1 Released: Tue Jun 27 20:26:07 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204, containing lots of bugfixes and improvements. - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2764-1 Released: Mon Jul 3 17:57:35 2023 Summary: Security update for libcap Type: security Severity: moderate References: 1211419,CVE-2023-2603 This update for libcap fixes the following issues: - CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2771-1 Released: Tue Jul 4 09:48:51 2023 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1212187 This update for libzypp fixes the following issues: - curl: Trim user agent and custom header strings (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. Violation results in curl error: 92: HTTP/2 PROTOCOL_ERROR. - version 16.22.8 (0) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2864-1 Released: Tue Jul 18 08:17:47 2023 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1212999 This update for coreutils fixes the following issues: - Avoid failure in case SELinux is disabled. (bsc#1212999) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2880-1 Released: Wed Jul 19 10:02:41 2023 Summary: Security update for curl Type: security Severity: moderate References: 1213237,CVE-2023-32001 This update for curl fixes the following issues: - CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2881-1 Released: Wed Jul 19 11:46:56 2023 Summary: Security update for perl Type: security Severity: important References: 1210999,CVE-2023-31484 This update for perl fixes the following issues: - CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3012-1 Released: Fri Jul 28 14:17:47 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1213487,CVE-2023-3446 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3268-1 Released: Thu Aug 10 16:15:38 2023 Summary: Security update for util-linux Type: security Severity: important References: 1084300,1194038,1213865,CVE-2018-7738 This update for util-linux fixes the following issues: - CVE-2018-7738: Fixed shell code injection in umount bash-completions. (bsc#1213865, bsc#1084300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3281-1 Released: Fri Aug 11 10:24:11 2023 Summary: Recommended update for insserv-compat Type: recommended Severity: moderate References: 1052837,1212955 This update for insserv-compat fixes the following issues: - Remove not needed named entry from insserv.conf (bsc#1052837, bsc#1212955) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3339-1 Released: Thu Aug 17 12:33:58 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1213853,CVE-2023-3817 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3405-1 Released: Wed Aug 23 19:17:49 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1214248 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3471-1 Released: Tue Aug 29 10:53:48 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3640-1 Released: Mon Sep 18 13:58:28 2023 Summary: Security update for gcc12 Type: security Severity: important References: 1214052,CVE-2023-4039 This update for gcc12 fixes the following issues: - CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3665-1 Released: Mon Sep 18 21:51:22 2023 Summary: Security update for libxml2 Type: security Severity: important References: 1201978,1210411,1210412,1214768,CVE-2016-3709,CVE-2023-28484,CVE-2023-29469,CVE-2023-39615 This update for libxml2 fixes the following issues: - CVE-2023-29469: Fixed not deterministic hashing of empty dict strings (bsc#1210412). - CVE-2023-28484: Fixed NULL dereference in xmlSchemaFixupComplexType (bsc#1210411). - CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768). - CVE-2016-3709: Fixed cross-site scripting vulnerability in libxml (bsc#1201978). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3692-1 Released: Tue Sep 19 22:05:52 2023 Summary: Security update for curl Type: security Severity: important References: 1215026,CVE-2023-38039 This update for curl fixes the following issues: - CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3842-1 Released: Wed Sep 27 20:03:57 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1215713,CVE-2023-35945 This update for nghttp2 fixes the following issues: - CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3857-1 Released: Thu Sep 28 10:30:13 2023 Summary: Security update for gpg2 Type: security Severity: important References: 1088255,CVE-2018-9234 This update for gpg2 fixes the following issues: - CVE-2018-9234: Fixed unenforced configuration allows for apparently valid certifications actually signed by signing subkeys (bsc#1088255). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4023-1 Released: Tue Oct 10 13:23:04 2023 Summary: Security update for shadow Type: security Severity: low References: 1214806,CVE-2023-4641 This update for shadow fixes the following issues: - CVE-2023-4641: Fixed potential password leak (bsc#1214806). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4043-1 Released: Wed Oct 11 09:00:09 2023 Summary: Security update for curl Type: security Severity: important References: 1215888,1215889,CVE-2023-38545,CVE-2023-38546 This update for curl fixes the following issues: - CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888) - CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4063-1 Released: Thu Oct 12 10:41:20 2023 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1215286,1215504,CVE-2023-4813 This update of glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Other issues fixed: - S390: Fix relocation of _nl_current_LC_CATETORY_used in static build (bsc#1215504, BZ #19860) - added GB18030-2022 charmap (jsc#PED-4908, BZ #30243) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4199-1 Released: Wed Oct 25 12:01:35 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4216-1 Released: Thu Oct 26 12:19:45 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4480-1 Released: Mon Nov 20 10:15:33 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4505-1 Released: Tue Nov 21 13:30:43 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4523-1 Released: Tue Nov 21 17:50:16 2023 Summary: Security update for openssl-1_0_0 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_0_0 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4653-1 Released: Wed Dec 6 11:34:32 2023 Summary: Security update for curl Type: security Severity: moderate References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219 This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573). - CVE-2023-46219: HSTS long file name clears contents (bsc#1217574). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4717-1 Released: Tue Dec 12 04:59:05 2023 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1216064 This update for libzypp fixes the following issues: - Fixed handling of unmounting media. It mitigates the mount change during a package installation, for examlple a nfs.service restart that forcefully unmounts the media being accessed (bsc#1216064) - Don't download sqlite metadata that is not needed ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4889-1 Released: Mon Dec 18 10:24:14 2023 Summary: Recommended update for pam Type: recommended Severity: low References: 1215594 This update for pam fixes the following issue: - Add no_pass_expiry option to ignore password expiration (bsc#1215594) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4892-1 Released: Mon Dec 18 16:33:21 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1218014,CVE-2023-50495 This update for ncurses fixes the following issues: - CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4964-1 Released: Fri Dec 22 14:38:31 2023 Summary: Recommended update for curl Type: recommended Severity: important References: 1216987 This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4977-1 Released: Wed Dec 27 10:35:46 2023 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1216825 This update for procps fixes the following issue: - Avoid SIGSEGV in case of sending SIGTERM to a top command running in batch mode (bsc#1216825) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:74-1 Released: Wed Jan 10 10:17:47 2024 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1217948 This update for libzypp, zypper fixes the following issues: - Touch /run/reboot-needed if a patch suggesting a reboot was installed (bsc#1217948) - Backport needs-rebooting command from Code15 (bsc#1217948) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:137-1 Released: Thu Jan 18 09:55:34 2024 Summary: Security update for pam Type: security Severity: moderate References: 1218475,CVE-2024-22365 This update for pam fixes the following issues: - CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:171-1 Released: Mon Jan 22 15:19:39 2024 Summary: Recommended update for ca-certificates Type: recommended Severity: important References: 1216685 This update for ca-certificates fixes the following issues: - Invoke trust with the --overwrite option when running update-ca-certificates (bsc#1216685) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:181-1 Released: Tue Jan 23 11:28:17 2024 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1211576,1211725,1212207,1215241 This update for systemd fixes the following issues: - man: document that PAMName= and NotifyAccess=all don't mix well - man: add brief documentation for the (sd-pam) processes created due to PAMName= - service: accept the fact that the three xyz_good() functions return ints - service: drop _pure_ decorator on static function - service: a cgroup empty notification isn't reason enough to go down (bsc#1212207) - service: add explanatory comments to control_pid_good() and cgroup_good() - service: fix main_pid_good() comment - utmp-wtmp: handle EINTR gracefully when waiting to write to tty - utmp-wtmp: fix error in case isatty() fails - sd-netlink: handle EINTR from poll() gracefully, as success - stdio-bridge: don't be bothered with EINTR - sd-bus: handle -EINTR return from bus_poll() (bsc#1215241) - libsystemd: ignore both EINTR and EAGAIN - errno-util: introduce ERRNO_IS_TRANSIENT() - man/systemd-fsck@.service: clarify passno and noauto combination in /etc/fstab (bsc#1211725) - units/initrd-parse-etc.service: Conflict with emergency.target - umount: /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576) - core/mount: Don't unmount initramfs mounts - man: describe that changing Storage= does not move existing data ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:248-1 Released: Fri Jan 26 14:09:01 2024 Summary: Security update for cpio Type: security Severity: moderate References: 1218571,CVE-2023-7207 This update for cpio fixes the following issues: - CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:539-1 Released: Tue Feb 20 16:03:49 2024 Summary: Security update for libssh Type: security Severity: important References: 1158095,1168699,1174713,1189608,1211188,1211190,1218126,1218186,1218209,CVE-2019-14889,CVE-2020-16135,CVE-2020-1730,CVE-2021-3634,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918 This update for libssh fixes the following issues: Update to version 0.9.8 (jsc#PED-7719): * Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209) * Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126) * Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186) * Allow @ in usernames when parsing from URI composes Update to version 0.9.7 * Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188) * Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190) * Fix several memory leaks in GSSAPI handling code Update to version 0.9.6 (bsc#1189608, CVE-2021-3634) * https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6 Update to version 0.9.5 (bsc#1174713, CVE-2020-16135): * CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232) * Improve handling of library initialization (T222) * Fix parsing of subsecond times in SFTP (T219) * Make the documentation reproducible * Remove deprecated API usage in OpenSSL * Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN * Define version in one place (T226) * Prevent invalid free when using different C runtimes than OpenSSL (T229) * Compatibility improvements to testsuite Update to version 0.9.4: * https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/ * Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699) Update to version 0.9.3: * Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095) * SSH-01-003 Client: Missing NULL check leads to crash in erroneous state * SSH-01-006 General: Various unchecked Null-derefs cause DOS * SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys * SSH-01-010 SSH: Deprecated hash function in fingerprinting * SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS * SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access * SSH-01-001 State Machine: Initial machine states should be set explicitly * SSH-01-002 Kex: Differently bound macros used to iterate same array * SSH-01-005 Code-Quality: Integer sign confusion during assignments * SSH-01-008 SCP: Protocol Injection via unescaped File Names * SSH-01-009 SSH: Update documentation which RFCs are implemented * SSH-01-012 PKI: Information leak via uninitialized stack buffer Update to version 0.9.2: * Fixed libssh-config.cmake * Fixed issues with rsa algorithm negotiation (T191) * Fixed detection of OpenSSL ed25519 support (T197) Update to version 0.9.1: * Added support for Ed25519 via OpenSSL * Added support for X25519 via OpenSSL * Added support for localuser in Match keyword * Fixed Match keyword to be case sensitive * Fixed compilation with LibreSSL * Fixed error report of channel open (T75) * Fixed sftp documentation (T137) * Fixed known_hosts parsing (T156) * Fixed build issue with MinGW (T157) * Fixed build with gcc 9 (T164) * Fixed deprecation issues (T165) * Fixed known_hosts directory creation (T166) Update to verion 0.9.0: * Added support for AES-GCM * Added improved rekeying support * Added performance improvements * Disabled blowfish support by default * Fixed several ssh config parsing issues * Added support for DH Group Exchange KEX * Added support for Encrypt-then-MAC mode * Added support for parsing server side configuration file * Added support for ECDSA/Ed25519 certificates * Added FIPS 140-2 compatibility * Improved known_hosts parsing * Improved documentation * Improved OpenSSL API usage for KEX, DH, and signatures - Add libssh client and server config files ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:814-1 Released: Fri Mar 8 09:31:47 2024 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1219243,CVE-2024-0727 This update for openssl-1_0_0 fixes the following issues: - CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:825-1 Released: Mon Mar 11 14:14:35 2024 Summary: Security update for cpio Type: security Severity: moderate References: 1218571,1219238,CVE-2023-7207 This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:843-1 Released: Tue Mar 12 09:12:42 2024 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1219442 This update for libzypp fixes the following issues: - applydeltaprm: Create target directory if it does not exist (bsc#1219442) - Update to version 16.22.12 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:913-1 Released: Mon Mar 18 06:38:50 2024 Summary: Recommended update for shadow Type: recommended Severity: important References: 1188307 This update for shadow fixes the following issues: - Fix passwd segfault when nsswitch.conf defines 'files compat' (bsc#1188307) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:996-1 Released: Tue Mar 26 10:44:23 2024 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: This update for krb5 fixes the following issues: This update updates krb5 to 1.16.3 (jsc#PED-7884). Most relevant changes: * Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks. * Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1132-1 Released: Mon Apr 8 11:28:25 2024 Summary: Security update for ncurses Type: security Severity: moderate References: 1220061,CVE-2023-45918 This update for ncurses fixes the following issues: - CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1148-1 Released: Mon Apr 8 11:35:26 2024 Summary: Security update for krb5 Type: security Severity: important References: 1220770,1220771,CVE-2024-26458,CVE-2024-26461 This update for krb5 fixes the following issues: - CVE-2024-26458: Fixed a memory leak in pmap_rmt.c (bsc#1220770) - CVE-2024-26461: Fixed a memory leak in k5sealv3.c (bsc#1220771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1150-1 Released: Mon Apr 8 11:35:53 2024 Summary: Security update for curl Type: security Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 This update for curl fixes the following issues: - CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1156-1 Released: Mon Apr 8 13:21:47 2024 Summary: Security update for nghttp2 Type: security Severity: important References: 1221399,CVE-2024-28182 This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1171-1 Released: Tue Apr 9 09:51:49 2024 Summary: Security update for util-linux Type: security Severity: important References: 1221831,CVE-2024-28085 This update for util-linux fixes the following issues: - CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1399-1 Released: Tue Apr 23 13:59:37 2024 Summary: Recommended update for systemd Type: recommended Severity: important References: 1220285 This update for systemd fixes the following issues: - util: improve comments why we ignore EACCES and EPERM - util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed - namespace: don't fail on masked mounts (bsc#1220285) - man: Document ranges for distributions config files and local config files - Recommend drop-ins over modifications to the main config file - man: reword the description of 'main conf file' - man: rework section about configuration file precedence - man: document paths under /usr/local in standard-conf.xml ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1456-1 Released: Mon Apr 29 07:45:59 2024 Summary: Recommended update for krb5 Type: recommended Severity: important References: 1223122 This update for krb5 fixes the following issues: - Fix warning executing %postun scriptlet (bsc#1223122) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1662-1 Released: Wed May 15 14:49:10 2024 Summary: Recommended update for container-suseconnect Type: recommended Severity: moderate References: 1186827,1219855,1220716 This update for container-suseconnect fixes the following issues: - remove unnecessary packaging buildrequires (bsc#1220716) - update to 2.5.0: * Upgrade to go 1.21 * Allow setting of SCC credentials via environment variables * Bump github.com/urfave/cli/v2 from 2.25.7 to 2.27.1 * Use switch instead of else if construction * Add system token header to query SCC subscriptions (bsc#1219855) - update to 2.4.0 (jsc#PED-1710): * Fix docker build example for non-SLE hosts * Minor fixes to --help and README * Improve documentation when building with podman on non-SLE host * Add flag --log-credentials-errors * Add GitHub actions * Remove vendor/ dir * Cleanup tests * Update capture to the 1.0.0 release * Bump cli to 2.34.4 * Update cli to 2.23.5 * Add dependabot * Use URL.Redacted() to avoid security scanner warning * Regcode fix - strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1675-1 Released: Fri May 17 09:52:43 2024 Summary: Security update for glibc Type: security Severity: important References: 1222992,1223423,1223424,1223425,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 This update for glibc fixes the following issues: - nscd: Fixed use-after-free in addgetnetgrentX (BZ #23520) - CVE-2024-33599: nscd: Fixed Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677) - CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678) - CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678) - CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, bsc#1223425, BZ #31680) - CVE-2024-33602; Use time_t for return type of addgetnetgrentX (bsc#1223425) - CVE-2024-2961: iconv: ISO-2022-CN-EXT: Fixed out-of-bound writes when writing escape sequence (bsc#1222992) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:1702-1 Released: Mon May 20 20:09:05 2024 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: Fixed inside previous release (v1.16.3-46.3.1): - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacked a server field (bsc#1189929). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:556-1 Released: Wed May 29 13:07:19 2024 Summary: Security update for libxml2 Type: security Severity: important References: 1219576,CVE-2024-25062 This update for libxml2 fixes the following issues: - CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:1960-1 Released: Mon Jun 10 12:53:00 2024 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1217985,1220787 This update for openldap2 fixes the following issue: - Increase DH param minimums to 2048 bits (bsc#1220787) - Null pointer deref in referrals as part of ldap_chain_response() (bsc#1217985) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2080-1 Released: Wed Jun 19 07:03:55 2024 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1177583,1223971,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: - CVE-2017-9271: Fixed proxy credentials written to log files (bsc#1050625). The following non-security bugs were fixed: - clean: Do not report an error if no repos are defined at all (bsc#1223971) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2087-1 Released: Wed Jun 19 11:50:01 2024 Summary: Recommended update for gcc13 Type: recommended Severity: moderate References: 1188441,1210959,1214934,1217450,1217667,1218492,1219031,1219520,1220724,1221239 This update for gcc13 fixes the following issues: - Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. - Fixed unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] - Fix libgccjit-devel dependency, a newer shared library is OK. - Fix libgccjit dependency, the corresponding compiler isn't required. - Remove crypt and crypt_r interceptors in sanitizer. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520] - Add support for -fmin-function-alignment. [bsc#1214934] - Use %{_target_cpu} to determine host and build. - Includes fix for building TVM. [bsc#1218492] - Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031] - Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959] - Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6. - Includes fix for building mariadb on i686. [bsc#1217667] - Avoid update-alternatives dependency for accelerator crosses. - Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence. - Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2213-1 Released: Tue Jun 25 17:11:09 2024 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1215918 This update for util-linux fixes the following issue: - fix Xen virtualization type misidentification (bsc#1215918) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2288-1 Released: Wed Jul 3 08:26:46 2024 Summary: Security update for libxml2 Type: security Severity: low References: 1224282,CVE-2024-34459 This update for libxml2 fixes the following issues: - CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2300-1 Released: Thu Jul 4 11:03:50 2024 Summary: Security update for krb5 Type: security Severity: important References: 1227186,1227187,CVE-2024-37370,CVE-2024-37371 This update for krb5 fixes the following issues: - CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186). - CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2569-1 Released: Mon Jul 22 08:08:28 2024 Summary: Recommended update for zypper Type: recommended Severity: important References: 1224771 This update for zypper fixes the following issues: - Show rpm install size before installing (bsc#1224771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2603-1 Released: Tue Jul 23 12:37:14 2024 Summary: Security update for shadow Type: security Severity: important References: 916845,CVE-2013-4235 This update for shadow fixes the following issues: - CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2767-1 Released: Tue Aug 6 10:55:19 2024 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1220356,1227525 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020 - Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2805-1 Released: Wed Aug 7 09:48:45 2024 Summary: Security update for shadow Type: security Severity: moderate References: 916845,CVE-2013-4235 This update for shadow fixes the following issues: - CVE-2013-4235: Fixed TOCTOU race condition (bsc#916845) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2938-1 Released: Thu Aug 15 17:49:05 2024 Summary: Security update for curl Type: security Severity: moderate References: 1228535,CVE-2024-7264 This update for curl fixes the following issues: - CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2965-1 Released: Mon Aug 19 15:32:07 2024 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1222285 This update for util-linux fixes the following issues: - Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285). - fix Xen virtualization type misidentification. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:2972-1 Released: Tue Aug 20 08:14:12 2024 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1226095 This update for systemd fixes the following issues: - Dynamically allocate the receive buffer (bsc#1226095) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:2989-1 Released: Tue Aug 20 16:17:10 2024 Summary: Security update for openssl-1_0_0 Type: security Severity: moderate References: 1227138,1227227,1228291,CVE-2024-5535 This update for openssl-1_0_0 fixes the following issues: - CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138, bsc#1227227) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3004-1 Released: Fri Aug 23 13:27:40 2024 Summary: Security update for expat Type: security Severity: moderate References: 1219559,1221563,CVE-2023-52425 This update for expat fixes the following issues: - CVE-2023-52425: denial of service (resource consumption) caused by processing large tokens (bsc#1219559) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3011-1 Released: Mon Aug 26 13:15:05 2024 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1229339 This update for suse-build-key fixes the following issue: - extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028 (bsc#1229339). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3069-1 Released: Mon Sep 2 14:29:49 2024 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1194818 This update for util-linux fixes the following issue: - agetty: Prevent login cursor escape (bsc#1194818). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3182-1 Released: Mon Sep 9 16:41:38 2024 Summary: Security update for expat Type: security Severity: moderate References: 1229930,1229931,1229932,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492 This update for expat fixes the following issues: - CVE-2024-45492: Detect integer overflow in function nextScaffoldPart. (bsc#1229932) - CVE-2024-45491: Detect integer overflow in dtdCopy. (bsc#1229931) - CVE-2024-45490: Reject negative len for XML_ParseBuffer. (bsc#1229930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2024:3184-1 Released: Tue Sep 10 07:31:28 2024 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1194818 This update for pam fixes the following issues: - Prevent cursor escape from the login prompt (bsc#1194818) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2024:3203-1 Released: Wed Sep 11 10:55:06 2024 Summary: Security update for curl Type: security Severity: moderate References: 1230093,CVE-2024-8096 This update for curl fixes the following issues: - CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093) The following package changes have been done: - aaa_base-13.2+git20140911.61c1681-38.22.1 added - base-container-licenses-3.0-14.4 added - bash-4.3-83.33.1 added - ca-certificates-mozilla-2.68-12.46.1 added - ca-certificates-1_201403302107-15.9.1 added - container-suseconnect-2.5.0-1.17.1 added - coreutils-8.25-13.16.1 added - cpio-2.11-36.21.1 added - cracklib-dict-small-2.9.0-8.5.1 added - cracklib-2.9.0-8.5.1 added - diffutils-3.3-5.40 added - dirmngr-1.1.1-13.1 added - file-magic-5.22-10.21.1 added - filesystem-13.1-14.15 added - fillup-1.42-270.64 added - findutils-4.5.12-7.1 added - glibc-2.22-114.34.1 added - gpg2-2.0.24-9.14.1 added - grep-2.16-4.6.1 added - info-4.13a-37.229 added - insserv-compat-0.1-14.6.1 added - krb5-1.16.3-46.15.1 added - kubic-locale-archive-2.22-4.5.3 added - libacl1-2.2.52-7.3.1 added - libadns1-1.4-103.3.1 added - libassuan0-2.1.1-3.217 added - libattr1-2.4.47-3.143 added - libaudit1-2.8.1-10.14.1 added - libaugeas0-1.10.1-4.3.2 added - libblkid1-2.33.2-4.45.2 added - libbz2-1-1.0.6-30.14.1 added - libcap-ng0-0.7.3-4.125 added - libcap2-2.26-14.9.1 added - libcom_err2-1.43.8-3.17.1 added - libcrack2-2.9.0-8.5.1 added - libcurl4-8.0.1-11.92.1 added - libdw1-0.158-7.13.3 added - libebl1-0.158-7.13.3 added - libelf1-0.158-7.13.3 added - libexpat1-2.1.0-21.37.1 added - libfdisk1-2.33.2-4.45.2 added - libffi4-5.3.1+r233831-12.1 added - libgcc_s1-13.3.0+git8781-1.13.1 added - libgcrypt20-1.6.1-16.83.1 added - libgmp10-5.1.3-4.3.1 added - libgpg-error0-1.29-1.3 added - libkeyutils1-1.5.9-5.3.1 added - libksba8-1.3.0-24.6.1 added - libldap-2_4-2-2.4.41-22.24.2 added - liblua5_1-5.1.5-8.3.1 added - liblzma5-5.0.5-6.7.1 added - libmagic1-5.22-10.21.1 added - libmodman1-2.0.1-15.75 added - libmount1-2.33.2-4.45.2 added - libncurses5-5.9-88.1 added - libncurses6-5.9-88.1 added - libnghttp2-14-1.39.2-3.18.1 added - libopenssl1_0_0-1.0.2p-3.95.1 added - libp11-kit0-0.23.2-8.10.1 added - libpcre1-8.45-8.12.1 added - libpopt0-1.16-26.128 added - libprocps3-3.3.9-11.30.1 added - libproxy1-0.4.13-18.3.1 added - libpth20-2.0.7-140.1 added - libreadline6-6.3-83.33.1 added - libsasl2-3-2.1.26-14.5.1 added - libselinux1-2.5-8.79 added - libsemanage1-2.5-9.3.1 added - libsepol1-2.5-3.143 added - libsmartcols1-2.33.2-4.45.2 added - libsolv-tools-0.6.39-2.39.2 added - libssh-config-0.9.8-3.12.2 added - libssh4-0.9.8-3.12.2 added - libstdc++6-13.3.0+git8781-1.13.1 added - libsystemd0-228-157.63.1 added - libtasn1-6-4.9-3.13.1 added - libtasn1-4.9-3.13.1 added - libudev1-228-157.63.1 added - libusb-0_1-4-0.1.13-29.13 added - libusb-1_0-0-1.0.20-5.3 added - libustr-1_0-1-1.0.4-31.197 added - libutempter0-1.1.6-5.114 added - libuuid1-2.33.2-4.45.2 added - libverto1-0.2.6-3.2.2 added - libxml2-2-2.9.4-46.75.1 added - libz1-1.2.11-11.37.1 added - libzio1-1.00-9.188 added - libzypp-16.22.13-65.3 added - ncurses-utils-5.9-88.1 added - netcfg-11.5-29.1 added - openssl-1_0_0-1.0.2p-3.95.1 added - openssl-1.0.2p-1.13 added - p11-kit-tools-0.23.2-8.10.1 added - p11-kit-0.23.2-8.10.1 added - pam-1.1.8-24.59.1 added - perl-base-5.18.2-12.26.1 added - permissions-20170707-6.16.1 added - pinentry-0.8.3-4.27 added - procps-3.3.9-11.30.1 added - rpm-4.11.2-16.26.1 added - sed-4.2.2-7.3.1 added - shadow-4.2.1-36.15.1 added - sles-release-POOL-12.5-1.171 added - sles-release-12.5-1.171 added - suse-build-key-12.0-7.19.1 added - terminfo-base-5.9-88.1 added - util-linux-2.33.2-4.45.2 added - zypper-1.13.67-21.64.1 added