----------------------------------------- Version 20240809 2024-08-11T09:00:23 ----------------------------------------- Patch: SUSE-2018-1804 Released: Fri Aug 31 13:02:24 2018 Summary: Recommended update for docker Severity: moderate References: 1065609,1073877,1099277,1100727 Description: This update for docker fixes the following issues: - Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727) - Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277) - Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877) - Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609) ----------------------------------------- Patch: SUSE-2018-3064 Released: Fri Dec 28 18:39:08 2018 Summary: Security update for containerd, docker and go Severity: important References: 1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187 Description: This update for containerd, docker and go fixes the following issues: containerd and docker: - Add backport for building containerd (bsc#1102522, bsc#1113313) - Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522) - Enable seccomp support on SLE12 (fate#325877) - Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522) - Put containerd under the podruntime slice (bsc#1086185) - 3rd party registries used the default Docker certificate (bsc#1084533) - Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem. go: - golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187) - Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634) - Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706) Additionally, the package go1.10 has been added. ----------------------------------------- Patch: SUSE-2019-286 Released: Thu Feb 7 13:45:27 2019 Summary: Security update for docker Severity: moderate References: 1001161,1112980,1115464,1118897,1118898,1118899,1118990,1121412,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875 Description: This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues: Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork: - CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897) - CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898) - CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899) Non-security issues fixed for docker: - Disable leap based builds for kubic flavor (bsc#1121412) - Allow users to explicitly specify the NIS domainname of a container (bsc#1001161) - Update docker.service to match upstream and avoid rlimit problems (bsc#1112980) - Allow docker images larger then 23GB (bsc#1118990) - Docker version update to version 18.09.0-ce (bsc#1115464) ----------------------------------------- Patch: SUSE-2019-495 Released: Tue Feb 26 16:42:35 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc Severity: important References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues: Security issues fixed: - CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899). - CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898). - CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897). - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967). Other changes and fixes: - Update shell completion to use Group: System/Shells. - Add daemon.json file with rotation logs configuration (bsc#1114832) - Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Update go requirements to >= go1.10 - Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429). - Remove the usage of 'cp -r' to reduce noise in the build logs. ----------------------------------------- Patch: SUSE-2019-571 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 Description: This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------- Patch: SUSE-2019-1234 Released: Tue May 14 18:31:52 2019 Summary: Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork Severity: important References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486 Description: This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967). - CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013). - CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897). - CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898). - CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899). Other changes and bug fixes: - Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068). - Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068). - docker-test: Improvements to test packaging (bsc#1128746). - Move daemon.json file to /etc/docker directory (bsc#1114832). - Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209). - Fix go build failures (bsc#1121397). ----------------------------------------- Patch: SUSE-2019-1562 Released: Wed Jun 19 09:16:07 2019 Summary: Security update for docker Severity: moderate References: 1096726,CVE-2018-15664 Description: This update for docker fixes the following issues: Security issue fixed: - CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726). ----------------------------------------- Patch: SUSE-2019-2001 Released: Fri Jul 26 18:09:41 2019 Summary: Recommended update for docker Severity: important References: 1138920 Description: This update for docker fixes the following issues: - Mark daemon.json as %config(noreplace) to not overwrite it during installation (bsc#1138920) ----------------------------------------- Patch: SUSE-2019-2005 Released: Mon Jul 29 13:02:15 2019 Summary: Recommended update for cloud-init Severity: moderate References: 1116767,1119397,1121878,1123694,1125950,1125992,1126101,1132692,1136440 Description: This update for cloud-init fixes the following issues: - Fixes a bug where only the last defined route was written to the routes configuration file (bsc#1132692) - Fixes a bug where a new network rules file for network devices didn't apply immediately (bsc#1125950) - Improved the writing of route config files to avoid issues (bsc#1125992) - Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440) - Fixes a bug where IPv4 and IPv6 were not set up as default routes (bsc#1121878) - Added a fix to prevent the resolv.conf to be empty (bsc#1119397) - Uses now the proper name to designate IPv6 addresses in ifcfg-* files (bsc#1126101) - Fixes an issue where the ifroute-eth0 file got corrupted when cloning an existing instance (bsc#1123694) Some more fixes were included within the 19.1 update of cloud-init. Please refer to the package changelog for more details. ----------------------------------------- Patch: SUSE-2019-2117 Released: Tue Aug 13 14:56:55 2019 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: important References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409,CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker: - CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409). - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160). - Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649). runc: - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920). - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649). containerd: - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967). - Update to containerd v1.2.6, which is required by docker (bsc#1139649). golang-github-docker-libnetwork: - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649). ----------------------------------------- Patch: SUSE-2019-2494 Released: Mon Sep 30 16:22:20 2019 Summary: Recommended update for cloud-init Severity: important References: 1141969,1144363,1144881 Description: This update for cloud-init provides the following fixes: - Properly handle static routes. The EphemeralDHCP context manager did not parse or handle rfc3442 classless static routes which prevented reading datasource metadata in some clouds. (bsc#1141969) - The __str__ implementation no longer delivers the name of the interface, use the 'name' attribute instead to form a proper path in the sysfs tree. (bsc#1144363) - If no routes are set for a subnet but the subnet has a gateway specified, set the gateway as the default route for the interface. (bsc#1144881) ----------------------------------------- Patch: SUSE-2019-2657 Released: Mon Oct 14 17:04:07 2019 Summary: Security update for dhcp Severity: moderate References: 1089524,1134078,1136572,CVE-2019-6470 Description: This update for dhcp fixes the following issues: Secuirty issue fixed: - CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078). Bug fixes: - Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524). - Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572). ----------------------------------------- Patch: SUSE-2019-2777 Released: Thu Oct 24 16:13:20 2019 Summary: Recommended update for fipscheck Severity: moderate References: 1149792 Description: This update for fipscheck fixes the following issues: - Remove #include of unused fips.h to fix build with OpenSSL 1.1.1 (bsc#1149792) ----------------------------------------- Patch: SUSE-2019-3096 Released: Thu Nov 28 16:48:21 2019 Summary: Security update for cloud-init Severity: moderate References: 1099358,1129124,1136440,1142988,1144363,1151488,1154092,CVE-2019-0816 Description: This update for cloud-init to version 19.2 fixes the following issues: Security issue fixed: - CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124). Non-security issues fixed: - Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988). - If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488). ----------------------------------------- Patch: SUSE-2020-35 Released: Wed Jan 8 09:06:32 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: moderate References: 1122469,1143349,1150397,1152308,1153367,1158590,CVE-2019-16884 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issue fixed: - CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). Bug fixes: - Update to Docker 19.03.5-ce (bsc#1158590). - Update to Docker 19.03.3-ce (bsc#1153367). - Update to Docker 19.03.2-ce (bsc#1150397). - Fixed default installation such that --userns-remap=default works properly (bsc#1143349). - Fixed nginx blocked by apparmor (bsc#1122469). ----------------------------------------- Patch: SUSE-2020-245 Released: Tue Jan 28 09:42:30 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1155376,1156139,1157894,1161132,1161133 Description: This update for cloud-init fixes the following issues: - Fixed an issue where it was not possible to add SSH keys and thus it was not possible to log into the system (bsc#1161132, bsc#1161133) - Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139) - The route's destination network will now be written in CIDR notation. This provides support for correctly recording IPv6 routes (bsc#1155376) - Many smaller fixes came with this package as well. For a full list of all changes, refer to the rpm's changes file. ----------------------------------------- Patch: SUSE-2020-751 Released: Mon Mar 23 16:32:44 2020 Summary: Security update for cloud-init Severity: moderate References: 1162936,1162937,1163178,CVE-2020-8631,CVE-2020-8632 Description: This update for cloud-init fixes the following security issues: - CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937). - CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936). ----------------------------------------- Patch: SUSE-2020-1056 Released: Tue Apr 21 16:26:22 2020 Summary: Recommended update for cloud-init Severity: important References: 1099358,1144881,1145622,1148645,1163178,1165296 Description: This update for cloud-init contains the following fixes: - Update previous patches with the following additions: + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration + Still need to consider the 'network' configuration uption for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42. + Add the default gateway to the ifroute config file when specified as part of the subnet configuration. (bsc#1165296) + Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296) + Fix for default gateway and IPv6. (bsc#1144881) + Routes will be written if there is only a default gateway. (bsc#1148645) - BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through the -mini flavor. - Update to cloud-init 19.2. (bsc#1099358, bsc#1145622) ----------------------------------------- Patch: SUSE-2020-1294 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Severity: moderate References: 1154661,1169512,CVE-2019-18218 Description: This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------- Patch: SUSE-2020-1657 Released: Thu Jun 18 10:49:53 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: moderate References: 1172377,CVE-2020-13401 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13 - CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377). ----------------------------------------- Patch: SUSE-2020-1885 Released: Fri Jul 10 14:54:22 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1170154,1171546,1171995 Description: This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) ----------------------------------------- Patch: SUSE-2020-1954 Released: Sat Jul 18 03:07:15 2020 Summary: Recommended update for cracklib Severity: moderate References: 1172396 Description: This update for cracklib fixes the following issues: - Fixed a buffer overflow when processing long words. ----------------------------------------- Patch: SUSE-2020-2083 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Severity: moderate References: 1156913 Description: This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------- Patch: SUSE-2020-2148 Released: Thu Aug 6 13:36:17 2020 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1174673 Description: This update for ca-certificates-mozilla fixes the following issues: Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 ----------------------------------------- Patch: SUSE-2020-2983 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Severity: moderate References: 1176123 Description: This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------- Patch: SUSE-2020-3157 Released: Wed Nov 4 15:37:05 2020 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1177864 Description: This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------- Patch: SUSE-2020-3323 Released: Fri Nov 13 15:25:55 2020 Summary: Recommended update for cloud-init Severity: moderate References: 1174443,1174444,1177526 Description: This update for cloud-init contains the following fixes: + Avoid exception if no gateway information is present and warning is triggered for existing routing. (bsc#1177526) Update to version 20.2 (bsc#1174443, bsc#1174444) + doc/format: reference make-mime.py instead of an inline script (#334) + Add docs about creating parent folders (#330) [Adrian Wilkins] + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470) + schema: ignore spurious pylint error (#332) + schema: add json schema for write_files module (#152) + BSD: find_devs_with_ refactoring (#298) [Gonéri Le Bouder] + nocloud: drop work around for Linux 2.6 (#324) [Gonéri Le Bouder] + cloudinit: drop dependencies on unittest2 and contextlib2 (#322) + distros: handle a potential mirror filtering error case (#328) + log: remove unnecessary import fallback logic (#327) + .travis.yml: don't run integration test on ubuntu/* branches (#321) + More unit test documentation (#314) + conftest: introduce disable_subp_usage autouse fixture (#304) + YAML align indent sizes for docs readability (#323) [Tak Nishigori] + network_state: add missing space to log message (#325) + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910) + test_mounts: expand happy path test for both happy paths (#319) + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836) + swap file 'size' being used before checked if str (#315) [Eduardo Otubo] + HACKING.rst: add pytest version gotchas section (#311) + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers] + readme: OpenBSD is now supported (#309) [Gonéri Le Bouder] + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421) + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370) + openbsd: set_passwd should not unlock user (#289) [Gonéri Le Bouder] + tools/.github-cla-signers: add beezly as CLA signer (#301) + util: remove unnecessary lru_cache import fallback (#299) + HACKING.rst: reorganise/update CLA signature info (#297) + distros: drop leading/trailing hyphens from mirror URL labels (#296) + HACKING.rst: add note about variable annotations (#295) + CiTestCase: stop using and remove sys_exit helper (#283) + distros: replace invalid characters in mirror URLs with hyphens (#291) (LP: #1868232) + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy] + Fix cloud-init ignoring some misdeclared mimetypes in user-data. [Kurt Garloff] + net: ubuntu focal prioritize netplan over eni even if both present (#267) (LP: #1867029) + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292) + net/cmdline: replace type comments with annotations (#294) + HACKING.rst: add Type Annotations design section (#293) + net: introduce is_ip_address function (#288) + CiTestCase: remove now-unneeded parse_and_read helper method (#286) + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287) + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285) + setup.py: drop NIH check_output implementation (#282) + Identify SAP Converged Cloud as OpenStack [Silvio Knizek] + add Openbsd support (#147) [Gonéri Le Bouder] + HACKING.rst: add examples of the two test class types (#278) + VMWware: support to update guest info gc status if enabled (#261) [xiaofengw-vmware] + Add lp-to-git mapping for kgarloff (#279) + set_passwords: avoid chpasswd on BSD (#268) [Gonéri Le Bouder] + HACKING.rst: add Unit Testing design section (#277) + util: read_cc_from_cmdline handle urlencoded yaml content (#275) + distros/tests/test_init: add tests for _get_package_mirror_info (#272) + HACKING.rst: add links to new Code Review Process doc (#276) + freebsd: ensure package update works (#273) [Gonéri Le Bouder] + doc: introduce Code Review Process documentation (#160) + tools: use python3 (#274) + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327) + cc_apt_configure/util: combine search_for_mirror implementations (#271) + bsd: boottime does not depend on the libc soname (#269) [Gonéri Le Bouder] + test_oracle,DataSourceOracle: sort imports (#266) + DataSourceOracle: update .network_config docstring (#257) + cloudinit/tests: remove unneeded with_logs configuration (#263) + .travis.yml: drop stale comment (#255) + .gitignore: add more common directories (#258) + ec2: render network on all NICs and add secondary IPs as static (#114) (LP: #1866930) + ec2 json validation: fix the reference to the 'merged_cfg' key (#256) [Paride Legovini] + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini] + cloudinit: remove six from packaging/tooling (#253) + util/netbsd: drop six usage (#252) + workflows: introduce stale pull request workflow (#125) + cc_resolv_conf: introduce tests and stabilise output across Python versions (#251) + fix minor issue with resolv_conf template (#144) [andreaf74] + doc: CloudInit also support NetBSD (#250) [Gonéri Le Bouder] + Add Netbsd support (#62) [Gonéri Le Bouder] + tox.ini: avoid substition syntax that causes a traceback on xenial (#245) + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby] + Introduce and use of a list of GitHub usernames that have signed CLA (#244) + workflows/cla.yml: use correct username for CLA check (#243) + tox.ini: use xenial version of jsonpatch in CI (#242) + workflows: CLA validation altered to fail status on pull_request (#164) + tox.ini: bump pyflakes version to 2.1.1 (#239) + cloudinit: move to pytest for running tests (#211) + instance-data: add cloud-init merged_cfg and sys_info keys to json (#214) (LP: #1865969) + ec2: Do not fallback to IMDSv1 on EC2 (#216) + instance-data: write redacted cfg to instance-data.json (#233) (LP: #1865947) + net: support network-config:disabled on the kernel commandline (#232) (LP: #1862702) + ec2: only redact token request headers in logs, avoid altering request (#230) (LP: #1865882) + docs: typo fixed: dta → data [Alexey Vazhnov] + Fixes typo on Amazon Web Services (#217) [Nick Wales] + Fix docs for OpenStack DMI Asset Tag (#228) [Mark T. Voelker] (LP: #1669875) + Add physical network type: cascading to openstack helpers (#200) [sab-systems] + tests: add focal integration tests for ubuntu (#225) - From 20.1 (first vesrion after 19.4) + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219) (LP: #1863943) + utils: use SystemRandom when generating random password. (#204) [Dimitri John Ledkov] + docs: mount_default_files is a list of 6 items, not 7 (#212) + azurecloud: fix issues with instances not starting (#205) (LP: #1861921) + unittest: fix stderr leak in cc_set_password random unittest output. (#208) + cc_disk_setup: add swap filesystem force flag (#207) + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić] + docs: fix typo (#195) [Edwin Kofler] + sysconfig: distro-specific config rendering for BOOTPROTO option (#162) [Robert Schweikert] (LP: #1800854) + cloudinit: replace 'from six import X' imports (except in util.py) (#183) + run-container: use 'test -n' instead of 'test ! -z' (#202) [Paride Legovini] + net/cmdline: correctly handle static ip= config (#201) [Dimitri John Ledkov] (LP: #1861412) + Replace mock library with unittest.mock (#186) + HACKING.rst: update CLA link (#199) + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128) [Louis Bouchard] + cloudinit/cmd/devel/net_convert.py: add missing space (#191) + tools/run-container: drop support for python2 (#192) [Paride Legovini] + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789) + Make the RPM build use Python 3 (#190) [Paride Legovini] + cc_set_password: increase random pwlength from 9 to 20 (#189) (LP: #1860795) + .travis.yml: use correct Python version for xenial tests (#185) + cloudinit: remove ImportError handling for mock imports (#182) + Do not use fallocate in swap file creation on xfs. (#70) [Eduardo Otubo] (LP: #1781781) + .readthedocs.yaml: install cloud-init when building docs (#181) (LP: #1860450) + Introduce an RTD config file, and pin the Sphinx version to the RTD default (#180) + Drop most of the remaining use of six (#179) + Start removing dependency on six (#178) + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy] + docs: add proposed SRU testing procedure (#167) + util: rename get_architecture to get_dpkg_architecture (#173) + Ensure util.get_architecture() runs only once (#172) + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann] + freebsd: remove superflu exception mapping (#166) [Gonéri Le Bouder] + ssh_auth_key_fingerprints_disable test: fix capitalization (#165) [Paride Legovini] + util: move uptime's else branch into its own boottime function (#53) [Igor Galić] (LP: #1853160) + workflows: add contributor license agreement checker (#155) + net: fix rendering of 'static6' in network config (#77) (LP: #1850988) + Make tests work with Python 3.8 (#139) [Conrad Hoffmann] + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74] + freebsd: fix create_group() cmd (#146) [Gonéri Le Bouder] + doc: make apt_update example consistent (#154) + doc: add modules page toc with links (#153) (LP: #1852456) + Add support for the amazon variant in cloud.cfg.tmpl (#119) [Frederick Lefebvre] + ci: remove Python 2.7 from CI runs (#137) + modules: drop cc_snap_config config module (#134) + migrate-lp-user-to-github: ensure Launchpad repo exists (#136) + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers] + doc: update cc_set_hostname frequency and descrip (#109) [Joshua Powers] (LP: #1827021) + freebsd: introduce the freebsd renderer (#61) [Gonéri Le Bouder] + cc_snappy: remove deprecated module (#127) + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130) + freebsd: cloudinit service requires devd (#132) [Gonéri Le Bouder] + cloud-init: fix capitalisation of SSH (#126) + doc: update cc_ssh clarify host and auth keys [Joshua Powers] (LP: #1827021) + ci: emit names of tests run in Travis (#120) ----------------------------------------- Patch: SUSE-2020-3608 Released: Wed Dec 2 18:16:12 2020 Summary: Recommended update for cloud-init Severity: important References: 1177526,1179150,1179151 Description: This update for cloud-init contains the following fixes: - Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151) + Properly set the password for the default user in all circumstances - Patch the full package version into the cloud-init version file - Update cloud-init-write-routes.patch (bsc#1177526) + Fix missing default route when dual stack network setup is used. Once a default route was configured for Ipv6 or IPv4 the default route configuration for the othre protocol was skipped. ----------------------------------------- Patch: SUSE-2021-435 Released: Thu Feb 11 14:47:25 2021 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Severity: important References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285 Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) ----------------------------------------- Patch: SUSE-2021-516 Released: Thu Feb 18 14:42:51 2021 Summary: Recommended update for docker, golang-github-docker-libnetwork Severity: moderate References: 1178801,1180401,1182168 Description: This update for docker, golang-github-docker-libnetwork fixes the following issues: - A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168) ----------------------------------------- Patch: SUSE-2021-571 Released: Tue Feb 23 16:11:33 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1180176 Description: This update for cloud-init contains the following fixes: - Update cloud-init-write-routes.patch (bsc#1180176) + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing. - Add cloud-init-sle12-compat.patch (jsc#PM-2335) - Python 3.4 compatibility in setup.py - Disable some test for mock version compatibility ----------------------------------------- Patch: SUSE-2021-924 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 Description: This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------- Patch: SUSE-2021-960 Released: Mon Mar 29 11:16:28 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1181283 Description: This update for cloud-init fixes the following issues: - Does no longer include the sudoers.d directory twice (bsc#1181283) ----------------------------------------- Patch: SUSE-2021-1451 Released: Fri Apr 30 08:08:45 2021 Summary: Recommended update for dhcp Severity: moderate References: 1185157 Description: This update for dhcp fixes the following issues: - Use '/run' instead of '/var/run' for PIDFile in 'dhcrelay.service'. (bsc#1185157) ----------------------------------------- Patch: SUSE-2021-1462 Released: Fri Apr 30 14:54:23 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1181283,1184085 Description: This update for cloud-init fixes the following issues: - Fixed an issue, where the bonding options were wrongly configured in SLE and openSUSE (bsc#1184085) ----------------------------------------- Patch: SUSE-2021-1841 Released: Wed Jun 2 16:30:17 2021 Summary: Security update for dhcp Severity: important References: 1186382,CVE-2021-25217 Description: This update for dhcp fixes the following issues: - CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382) ----------------------------------------- Patch: SUSE-2021-1954 Released: Fri Jun 11 10:45:09 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594) * Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476). * CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730). * btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081) runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962). * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821). * Fixed /dev/null is not available (bsc#1168481). * CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405). containerd was updated to v1.4.4 * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397). * Handle a requirement from docker (bsc#1181594). ----------------------------------------- Patch: SUSE-2021-2286 Released: Fri Jul 9 17:38:53 2021 Summary: Recommended update for dosfstools Severity: moderate References: 1172863 Description: This update for dosfstools fixes the following issue: - Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863) ----------------------------------------- Patch: SUSE-2021-2412 Released: Tue Jul 20 15:25:21 2021 Summary: Security update for containerd Severity: moderate References: 1188282,CVE-2021-32760 Description: This update for containerd fixes the following issues: - CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282) ----------------------------------------- Patch: SUSE-2021-2887 Released: Tue Aug 31 13:31:19 2021 Summary: Recommended update for cloud-init Severity: moderate References: 1183939,1184758 Description: This update for cloud-init contains the following: - Change log file creation mode to 640. (bsc#1183939) - Do not write the generated password to the log file. (bsc#1184758) - Allow purging cache when Python when version change detected. ----------------------------------------- Patch: SUSE-2021-3182 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Severity: moderate References: 1189996 Description: This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------- Patch: SUSE-2021-3245 Released: Tue Sep 28 13:54:31 2021 Summary: Recommended update for docker Severity: important References: 1190670 Description: This update for docker fixes the following issues: - Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34. - Add shell requires for the *-completion subpackages. ----------------------------------------- Patch: SUSE-2021-3274 Released: Fri Oct 1 10:34:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: important References: 1190858 Description: This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858) ----------------------------------------- Patch: SUSE-2021-3382 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: Description: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------- Patch: SUSE-2021-3506 Released: Mon Oct 25 10:20:22 2021 Summary: Security update for containerd, docker, runc Severity: important References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355 - CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282) - Install systemd service file as well (bsc#1190826) Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2 * Fixed a failure to set CPU quota period in some cases on cgroup v1. * Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped. * Made release builds reproducible from now on. * Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec. * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working. Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1 * Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume. * Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters. * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes). * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely. * cgroup/systemd/v2: don't freeze cgroup on Set. * cgroup/systemd/v1: avoid unnecessary freeze on Set. - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704 Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0 ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations). * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers). * cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way. * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures. * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen. * cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94 * cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94) + cgroupv2: support SkipDevices with systemd driver + cgroup/systemd: return, not ignore, stop unit error from Destroy + Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts. + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update). + cgroup1: blkio: support BFQ weights. + cgroupv2: set per-device io weights if BFQ IO scheduler is available. Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95 This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405) Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94 Breaking Changes: * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls. Regression Fixes: * seccomp: fix 32-bit compilation errors * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code * runc start: fix 'chdir to cwd: permission denied' for some setups ----------------------------------------- Patch: SUSE-2021-3872 Released: Thu Dec 2 07:25:55 2021 Summary: Recommended update for cracklib Severity: moderate References: 1191736 Description: This update for cracklib fixes the following issues: - Enable build time tests (bsc#1191736) ----------------------------------------- Patch: SUSE-2022-84 Released: Mon Jan 17 04:40:30 2022 Summary: Recommended update for dosfstools Severity: moderate References: 1172863,1188401 Description: This update for dosfstools fixes the following issues: - To be able to create filesystems compatible with previous version, add -g command line option to mkfs (bsc#1188401) - BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use '-a' command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use 'file -s $IMAGE', check its 'sectors/track' and 'heads', and use them in the newly introduced '-g' command line argument. ----------------------------------------- Patch: SUSE-2022-203 Released: Wed Jan 26 14:13:45 2022 Summary: Recommended update for cloud-init Severity: important References: 1186004 Description: This update for cloud-init fixes the following issues: - Update to version 21.2 (bsc#1186004) + Add \r\n check for SSH keys in Azure (#889) + Revert 'Add support to resize rootfs if using LVM (#721)' (#887) (LP: #1922742) + Add Vultaire as contributor (#881) [Paul Goins] + Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo] + test_upgrade: modify test_upgrade_package to run for more sources (#883) + Fix chef module run failure when chef_license is set (#868) [Ben Hughes] + Azure: Retry net metadata during nic attach for non-timeout errs (#878) [aswinrajamannar] + Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer] + Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo] + Use `partprobe` to re-read partition table if available (#856) [Nicolas Bock] (LP: #1920939) + fix error on upgrade caused by new vendordata2 attributes (#869) (LP: #1922739) + add prefer_fqdn_over_hostname config option (#859) [hamalq] (LP: #1921004) + Emit dots on travis to avoid timeout (#867) + doc: Replace remaining references to user-scripts as a config module (#866) [Ryan Harper] + azure: Removing ability to invoke walinuxagent (#799) [Anh Vo] + Add Vultr support (#827) [David Dymko] + Fix unpickle for source paths missing run_dir (#863) [lucasmoura] (LP: #1899299) + sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann] + bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov] + add hamalq user (#860) [hamalq] + Add support to resize rootfs if using LVM (#721) [Eduardo Otubo] (LP: #1799953) + Fix mis-detecting network configuration in initramfs cmdline (#844) (LP: #1919188) + tools/write-ssh-key-fingerprints: do not display empty header/footer (#817) [dermotbradley] + Azure helper: Ensure Azure http handler sleeps between retries (#842) [Johnson Shi] + Fix chef apt source example (#826) [timothegenzmer] + .travis.yml: generate an SSH key before running tests (#848) + write passwords only to serial console, lock down cloud-init-output.log (#847) (LP: #1918303) + Fix apt default integration test (#845) + integration_tests: bump pycloudlib dependency (#846) + Fix stack trace if vendordata_raw contained an array (#837) [eb3095] + archlinux: Fix broken locale logic (#841) [Kristian Klausen] (LP: #1402406) + Integration test for #783 (#832) + integration_tests: mount more paths IN_PLACE (#838) + Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875) + Remove the vi comment from the part-handler example (#835) + net: exclude OVS internal interfaces in get_interfaces (#829) (LP: #1912844) + tox.ini: pass OS_* environment variables to integration tests (#830) + integration_tests: add OpenStack as a platform (#804) + Add flexibility to IMDS api-version (#793) [Thomas Stringer] + Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini] (LP: #1916629) + doc: remove duplicate 'it' from nocloud.rst (#825) [V.I. Wood] + archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen] + cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley] + Update cc_set_hostname documentation (#818) [Toshi Aoyama] From 21.1 + Azure: Support for VMs without ephemeral resource disks. (#800) [Johnson Shi] (LP: #1901011) + cc_keys_to_console: add option to disable key emission (#811) [Michael Hudson-Doyle] (LP: #1915460) + integration_tests: introduce lxd_use_exec mark (#802) + azure: case-insensitive UUID to avoid new IID during kernel upgrade (#798) (LP: #1835584) + stale.yml: don't ask submitters to reopen PRs (#816) + integration_tests: fix use of SSH agent within tox (#815) + integration_tests: add UPGRADE CloudInitSource (#812) + integration_tests: use unique MAC addresses for tests (#813) + Update .gitignore (#814) + Port apt cloud_tests to integration tests (#808) + integration_tests: fix test_gh626 on LXD VMs (#809) + Fix attempting to decode binary data in test_seed_random_data test (#806) + Remove wait argument from tests with session_cloud calls (#805) + Datasource for UpCloud (#743) [Antti Myyrä] + test_gh668: fix failure on LXD VMs (#801) + openstack: read the dynamic metadata group vendor_data2.json (#777) [Andrew Bogott] (LP: #1841104) + includedir in suoders can be prefixed by 'arroba' (#783) [Jordi Massaguer Pla] + [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware] + Revert integration test associated with reverted #586 (#784) + Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla] + Add Rick Harding to CLA signers (#792) [Rick Harding] + HACKING.rst: add clarifying note to LP CLA process section (#789) + Stop linting cloud_tests (#791) + cloud-tests: update cryptography requirement (#790) [Joshua Powers] + Remove 'remove-raise-on-failure' calls from integration_tests (#788) + Use more cloud defaults in integration tests (#757) + Adding self to cla signers (#776) [Andrew Bogott] + doc: avoid two warnings (#781) [Dan Kenigsberg] + Use proper spelling for Red Hat (#778) [Dan Kenigsberg] + Add antonyc to .github-cla-signers (#747) [Anton Chaporgin] + integration_tests: log image serial if available (#772) + [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware] + net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin] + .travis.yml: don't run cloud_tests in CI (#756) + test_upgrade: add some missing commas (#769) + cc_seed_random: update documentation and fix integration test (#771) (LP: #1911227) + Fix test gh-632 test to only run on NoCloud (#770) (LP: #1911230) + archlinux: fix package upgrade command handling (#768) [Bao Trinh] + integration_tests: add integration test for LP: #1910835 (#761) + Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer] + integration_tests: log cloud-init version in SUT (#758) + Add ajmyyra as contributor (#742) [Antti Myyrä] + net_convert: add some missing help text (#755) + Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL (#753) [Eduardo Otubo] + doc: document missing IPv6 subnet types (#744) [Antti Myyrä] + Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong] + integration_tests: add SSH key selection settings (#754) + fix a typo in man page cloud-init.1 (#752) [Amy Chen] + network-config-format-v2.rst: add Netplan Passthrough section (#750) + stale: re-enable post holidays (#749) + integration_tests: port ca_certs tests from cloud_tests (#732) + Azure: Add telemetry for poll IMDS (#741) [Johnson Shi] + doc: move testing section from HACKING to its own doc (#739) + No longer allow integration test failures on travis (#738) + stale: fix error in definition (#740) + integration_tests: set log-cli-level to INFO by default (#737) + PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736) + stale: disable check for holiday break (#735) + integration_tests: log the path we collect logs into (#733) + .travis.yml: add (most) supported Python versions to CI (#734) + integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731) + cc_ca_certs: add RHEL support (#633) [cawamata] + Azure: only generate config for NICs with addresses (#709) [Thomas Stringer] + doc: fix CloudStack configuration example (#707) [Olivier Lemasle] + integration_tests: restrict test_lxd_bridge appropriately (#730) + Add integration tests for CLI functionality (#729) + Integration test for gh-626 (#728) + Some test_upgrade fixes (#726) + Ensure overriding test vars with env vars works for booleans (#727) + integration_tests: port lxd_bridge test from cloud_tests (#718) + Integration test for gh-632. (#725) + Integration test for gh-671 (#724) + integration-requirements.txt: bump pycloudlib commit (#723) + Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo] + Integration test for LP: #1813396 and #669 (#719) + integration_tests: include timestamp in log output (#720) + integration_tests: add test for LP: #1898997 (#713) + Add integration test for power_state_change module (#717) + Update documentation for network-config-format-v2 (#701) [ggiesen] + sandbox CA Cert tests to not require ca-certificates (#715) [Eduardo Otubo] + Add upgrade integration test (#693) + Integration test for 570 (#712) + Add ability to keep snapshotted images in integration tests (#711) + Integration test for pull #586 (#706) + integration_tests: introduce skipping of tests by OS (#702) + integration_tests: introduce IntegrationInstance.restart (#708) + Add lxd-vm to list of valid integration test platforms (#705) + Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL (#685) [Eduardo Otubo] + Delete image snapshots created for integration tests (#682) + Parametrize ssh_keys_provided integration test (#700) [lucasmoura] + Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura] + cc_apt_configure: add riscv64 as a ports arch (#687) [Dimitri John Ledkov] + cla: add xnox (#692) [Dimitri John Ledkov] + Collect logs from integration test runs (#675) From 20.4.1 + Revert 'ssh_util: handle non-default AuthorizedKeysFile config (#586)' From 20.4 + tox: avoid tox testenv subsvars for xenial support (#684) + Ensure proper root permissions in integration tests (#664) [James Falcon] + LXD VM support in integration tests (#678) [James Falcon] + Integration test for fallocate falling back to dd (#681) [James Falcon] + .travis.yml: correctly integration test the built .deb (#683) + Ability to hot-attach NICs to preprovisioned VMs before reprovisioning (#613) [aswinrajamannar] + Support configuring SSH host certificates. (#660) [Jonathan Lung] + add integration test for LP: #1900837 (#679) + cc_resizefs on FreeBSD: Fix _can_skip_ufs_resize (#655) [Mina Galić] (LP: #1901958, #1901958) + DataSourceAzure: push dmesg log to KVP (#670) [Anh Vo] + Make mount in place for tests work (#667) [James Falcon] + integration_tests: restore emission of settings to log (#657) + DataSourceAzure: update password for defuser if exists (#671) [Anh Vo] + tox.ini: only select 'ci' marked tests for CI runs (#677) + Azure helper: Increase Azure Endpoint HTTP retries (#619) [Johnson Shi] + DataSourceAzure: send failure signal on Azure datasource failure (#594) [Johnson Shi] + test_persistence: simplify VersionIsPoppedFromState (#674) + only run a subset of integration tests in CI (#672) + cli: add + -system param to allow validating system user-data on a machine (#575) + test_persistence: add VersionIsPoppedFromState test (#673) + introduce an upgrade framework and related testing (#659) + add + -no-tty option to gpg (#669) [Till Riedel] (LP: #1813396) + Pin pycloudlib to a working commit (#666) [James Falcon] + DataSourceOpenNebula: exclude SRANDOM from context output (#665) + cloud_tests: add hirsute release definition (#662) + split integration and cloud_tests requirements (#652) + faq.rst: add warning to answer that suggests running `clean` (#661) + Fix stacktrace in DataSourceRbxCloud if no metadata disk is found (#632) [Scott Moser] + Make wakeonlan Network Config v2 setting actually work (#626) [dermotbradley] + HACKING.md: unify network-refactoring namespace (#658) [Mina Galić] + replace usage of dmidecode with kenv on FreeBSD (#621) [Mina Galić] + Prevent timeout on travis integration tests. (#651) [James Falcon] + azure: enable pushing the log to KVP from the last pushed byte (#614) [Moustafa Moustafa] + Fix launch_kwargs bug in integration tests (#654) [James Falcon] + split read_fs_info into linux & freebsd parts (#625) [Mina Galić] + PULL_REQUEST_TEMPLATE.md: expand commit message section (#642) + Make some language improvements in growpart documentation (#649) [Shane Frasier] + Revert '.travis.yml: use a known-working version of lxd (#643)' (#650) + Fix not sourcing default 50-cloud-init ENI file on Debian (#598) [WebSpider] + remove unnecessary reboot from gpart resize (#646) [Mina Galić] + cloudinit: move dmi functions out of util (#622) [Scott Moser] + integration_tests: various launch improvements (#638) + test_lp1886531: don't assume /etc/fstab exists (#639) + Remove Ubuntu restriction from PR template (#648) [James Falcon] + util: fix mounting of vfat on *BSD (#637) [Mina Galić] + conftest: improve docstring for disable_subp_usage (#644) + doc: add example query commands to debug Jinja templates (#645) + Correct documentation and testcase data for some user-data YAML (#618) [dermotbradley] + Hetzner: Fix instance_id / SMBIOS serial comparison (#640) [Markus Schade] + .travis.yml: use a known-working version of lxd (#643) + tools/build-on-freebsd: fix comment explaining purpose of the script (#635) [Mina Galić] + Hetzner: initialize instance_id from system-serial-number (#630) [Markus Schade] (LP: #1885527) + Explicit set IPV6_AUTOCONF and IPV6_FORCE_ACCEPT_RA on static6 (#634) [Eduardo Otubo] + get_interfaces: don't exclude Open vSwitch bridge/bond members (#608) [Lukas Märdian] (LP: #1898997) + Add config modules for controlling IBM PowerVM RMC. (#584) [Aman306] (LP: #1895979) + Update network config docs to clarify MAC address quoting (#623) [dermotbradley] + gentoo: fix hostname rendering when value has a comment (#611) [Manuel Aguilera] + refactor integration testing infrastructure (#610) [James Falcon] + stages: don't reset permissions of cloud-init.log every boot (#624) (LP: #1900837) + docs: Add how to use cloud-localds to boot qemu (#617) [Joshua Powers] + Drop vestigial update_resolve_conf_file function (#620) [Scott Moser] + cc_mounts: correctly fallback to dd if fallocate fails (#585) (LP: #1897099) + .travis.yml: add integration-tests to Travis matrix (#600) + ssh_util: handle non-default AuthorizedKeysFile config (#586) [Eduardo Otubo] + Multiple file fix for AuthorizedKeysFile config (#60) [Eduardo Otubo] + bddeb: new + -packaging-branch argument to pull packaging from branch (#576) [Paride Legovini] + Add more integration tests (#615) [lucasmoura] + DataSourceAzure: write marker file after report ready in preprovisioning (#590) [Johnson Shi] + integration_tests: emit settings to log during setup (#601) + integration_tests: implement citest tests run in Travis (#605) + Add Azure support to integration test framework (#604) [James Falcon] + openstack: consider product_name as valid chassis tag (#580) [Adrian Vladu] (LP: #1895976) + azure: clean up and refactor report_diagnostic_event (#563) [Johnson Shi] + net: add the ability to blacklist network interfaces based on driver during enumeration of physical network devices (#591) [Anh Vo] + integration_tests: don't error on cloud-init failure (#596) + integration_tests: improve cloud-init.log assertions (#593) + conftest.py: remove top-level import of httpretty (#599) + tox.ini: add integration-tests testenv definition (#595) + PULL_REQUEST_TEMPLATE.md: empty checkboxes need a space (#597) + add integration test for LP: #1886531 (#592) + Initial implementation of integration testing infrastructure (#581) [James Falcon] + Fix name of ntp and chrony service on CentOS and RHEL. (#589) [Scott Moser] (LP: #1897915) + Adding a PR template (#587) [James Falcon] + Azure parse_network_config uses fallback cfg when generate IMDS network cfg fails (#549) [Johnson Shi] + features: refresh docs for easier out-of-context reading (#582) + Fix typo in resolv_conf module's description (#578) [Wacław Schiller] + cc_users_groups: minor doc formatting fix (#577) + Fix typo in disk_setup module's description (#579) [Wacław Schiller] + Add vendor-data support to seedfrom parameter for NoCloud and OVF (#570) [Johann Queuniet] + boot.rst: add First Boot Determination section (#568) (LP: #1888858) + opennebula.rst: minor readability improvements (#573) [Mina Galić] + cloudinit: remove unused LOG variables (#574) + create a shutdown_command method in distro classes (#567) [Emmanuel Thomé] + user_data: remove unused constant (#566) + network: Fix type and respect name when rendering vlan in sysconfig. (#541) [Eduardo Otubo] (LP: #1788915, #1826608) + Retrieve SSH keys from IMDS first with OVF as a fallback (#509) [Thomas Stringer] + Add jqueuniet as contributor (#569) [Johann Queuniet] + distros: minor typo fix (#562) + Bump the integration-requirements versioned dependencies (#565) [Paride Legovini] + network-config-format-v1: fix typo in nameserver example (#564) [Stanislas] + Run cloud-init-local.service after the hv_kvp_daemon (#505) [Robert Schweikert] + Add method type hints for Azure helper (#540) [Johnson Shi] + systemd: add Before=shutdown.target when Conflicts=shutdown.target is used (#546) [Paride Legovini] + LXD: detach network from profile before deleting it (#542) [Paride Legovini] (LP: #1776958) + redhat spec: add missing BuildRequires (#552) [Paride Legovini] + util: remove debug statement (#556) [Joshua Powers] + Fix cloud config on chef example (#551) [lucasmoura] From 20.3 + Azure: Add netplan driver filter when using hv_netvsc driver (#539) [James Falcon] (LP: #1830740) + query: do not handle non-decodable non-gzipped content (#543) + DHCP sandboxing failing on noexec mounted /var/tmp (#521) [Eduardo Otubo] + Update the list of valid ssh keys. (#487) [Ole-Martin Bratteng] (LP: #1877869) + cmd: cloud-init query to handle compressed userdata (#516) (LP: #1889938) + Pushing cloud-init log to the KVP (#529) [Moustafa Moustafa] + Add Alpine Linux support. (#535) [dermotbradley] + Detect kernel version before swap file creation (#428) [Eduardo Otubo] + cli: add devel make-mime subcommand (#518) + user-data: only verify mime-types for TYPE_NEEDED and x-shellscript (#511) (LP: #1888822) + DataSourceOracle: retry twice (and document why we retry at all) (#536) + Refactor Azure report ready code (#468) [Johnson Shi] + tox.ini: pin correct version of httpretty in xenial{,-dev} envs (#531) + Support Oracle IMDSv2 API (#528) [James Falcon] + .travis.yml: run a doc build during CI (#534) + doc/rtd/topics/datasources/ovf.rst: fix doc8 errors (#533) + Fix 'Users and Groups' configuration documentation (#530) [sshedi] + cloudinit.distros: update docstrings of add_user and create_user (#527) + Fix headers for device types in network v2 docs (#532) [Caleb Xavier Berger] + Add AlexBaranowski as contributor (#508) [Aleksander Baranowski] + DataSourceOracle: refactor to use only OPC v1 endpoint (#493) + .github/workflows/stale.yml: s/Josh/Rick/ (#526) + Fix a typo in apt pipelining module (#525) [Xiao Liang] + test_util: parametrize devlist tests (#523) [James Falcon] + Recognize LABEL_FATBOOT labels (#513) [James Falcon] (LP: #1841466) + Handle additional identifier for SLES For HPC (#520) [Robert Schweikert] + Revert 'test-requirements.txt: pin pytest to <6 (#512)' (#515) + test-requirements.txt: pin pytest to <6 (#512) + Add 'tsanghan' as contributor (#504) [tsanghan] + fix brpm building (LP: #1886107) + Adding eandersson as a contributor (#502) [Erik Olof Gunnar Andersson] + azure: disable bouncing hostname when setting hostname fails (#494) [Anh Vo] + VMware: Support parsing DEFAULT-RUN-POST-CUST-SCRIPT (#441) [xiaofengw-vmware] + DataSourceAzure: Use ValueError when JSONDecodeError is not available (#490) [Anh Vo] + cc_ca_certs.py: fix blank line problem when removing CAs and adding new one (#483) [dermotbradley] + freebsd: py37-serial is now py37-pyserial (#492) [Gonéri Le Bouder] + ssh exit with non-zero status on disabled user (#472) [Eduardo Otubo] (LP: #1170059) + cloudinit: remove global disable of pylint W0107 and fix errors (#489) + networking: refactor wait_for_physdevs from cloudinit.net (#466) (LP: #1884626) + HACKING.rst: add pytest.param pytest gotcha (#481) + cloudinit: remove global disable of pylint W0105 and fix errors (#480) + Fix two minor warnings (#475) + test_data: fix faulty patch (#476) + cc_mounts: handle missing fstab (#484) (LP: #1886531) + LXD cloud_tests: support more lxd image formats (#482) [Paride Legovini] + Add update_etc_hosts as default module on *BSD (#479) [Adam Dobrawy] + cloudinit: fix tip-pylint failures and bump pinned pylint version (#478) + Added BirknerAlex as contributor and sorted the file (#477) [Alexander Birkner] + Update list of types of modules in cli.rst [saurabhvartak1982] + tests: use markers to configure disable_subp_usage (#473) + Add mention of vendor-data to no-cloud format documentation (#470) [Landon Kirk] + Fix broken link to OpenStack metadata service docs (#467) [Matt Riedemann] + Disable ec2 mirror for non aws instances (#390) [lucasmoura] (LP: #1456277) + cloud_tests: don't pass + -python-version to read-dependencies (#465) + networking: refactor is_physical from cloudinit.net (#457) (LP: #1884619) + Enable use of the caplog fixture in pytest tests, and add a cc_final_message test using it (#461) + RbxCloud: Add support for FreeBSD (#464) [Adam Dobrawy] + Add schema for cc_chef module (#375) [lucasmoura] (LP: #1858888) + test_util: add (partial) testing for util.mount_cb (#463) + .travis.yml: revert to installing ubuntu-dev-tools (#460) + HACKING.rst: add details of net refactor tracking (#456) + .travis.yml: rationalise installation of dependencies in host (#449) + Add dermotbradley as contributor. (#458) [dermotbradley] + net/networking: remove unused functions/methods (#453) + distros.networking: initial implementation of layout (#391) + cloud-init.service.tmpl: use 'rhel' instead of 'redhat' (#452) + Change from redhat to rhel in systemd generator tmpl (#450) [Eduardo Otubo] + Hetzner: support reading user-data that is base64 encoded. (#448) [Scott Moser] (LP: #1884071) + HACKING.rst: add strpath gotcha to testing gotchas section (#446) + cc_final_message: don't create directories when writing boot-finished (#445) (LP: #1883903) + .travis.yml: only store new schroot if something has changed (#440) + util: add ensure_dir_exists parameter to write_file (#443) + printing the error stream of the dhclient process before killing it (#369) [Moustafa Moustafa] + Fix link to the MAAS documentation (#442) [Paride Legovini] (LP: #1883666) + RPM build: disable the dynamic mirror URLs when using a proxy (#437) [Paride Legovini] + util: rename write_file's copy_mode parameter to preserve_mode (#439) + .travis.yml: use $TRAVIS_BUILD_DIR for lxd_image caching (#438) + cli.rst: alphabetise devel subcommands and add net-convert to list (#430) + Default to UTF-8 in /var/log/cloud-init.log (#427) [James Falcon] + travis: cache the chroot we use for package builds (#429) + test: fix all flake8 E126 errors (#425) [Joshua Powers] + Fixes KeyError for bridge with no 'parameters:' setting (#423) [Brian Candler] (LP: #1879673) + When tools.conf does not exist, running cmd 'vmware-toolbox-cmd config get deployPkg enable-custom-scripts', the return code will be EX_UNAVAILABLE(69), on this condition, it should not take it as error. (#413) [chengcheng-chcheng] + Document CloudStack data-server well-known hostname (#399) [Gregor Riepl] + test: move conftest.py to top-level, to cover tests/ also (#414) + Replace cc_chef is_installed with use of subp.is_exe. (#421) [Scott Moser] + Move runparts to subp. (#420) [Scott Moser] + Move subp into its own module. (#416) [Scott Moser] + readme: point at travis-ci.com (#417) [Joshua Powers] + New feature flag functionality and fix includes failing silently (#367) [James Falcon] (LP: #1734939) + Enhance poll imds logging (#365) [Moustafa Moustafa] + test: fix all flake8 E121 and E123 errors (#404) [Joshua Powers] + test: fix all flake8 E241 (#403) [Joshua Powers] + test: ignore flake8 E402 errors in main.py (#402) [Joshua Powers] + cc_grub_dpkg: determine idevs in more robust manner with grub-probe (#358) [Matthew Ruffell] (LP: #1877491) + test: fix all flake8 E741 errors (#401) [Joshua Powers] + tests: add groovy integration tests for ubuntu (#400) + Enable chef_license support for chef infra client (#389) [Bipin Bachhao] + testing: use flake8 again (#392) [Joshua Powers] + enable Puppet, Chef mcollective in default config (#385) [Mina Galić (deprecated: Igor Galić)] (LP: #1880279) + HACKING.rst: introduce .net + > Networking refactor section (#384) + Travis: do not install python3-contextlib2 (dropped dependency) (#388) [Paride Legovini] + HACKING: mention that .github-cla-signers is alpha-sorted (#380) + Add bipinbachhao as contributor (#379) [Bipin Bachhao] + cc_snap: validate that assertions property values are strings (#370) + conftest: implement partial disable_subp_usage (#371) + test_resolv_conf: refresh stale comment (#374) + cc_snap: apply validation to snap.commands properties (#364) + make finding libc platform independent (#366) [Mina Galić (deprecated: Igor Galić)] + doc/rtd/topics/faq: Updates LXD docs links to current site (#368) [TomP] + templater: drop Jinja Python 2 compatibility shim (#353) + cloudinit: minor pylint fixes (#360) + cloudinit: remove unneeded __future__ imports (#362) + migrating momousta lp user to Moustafa-Moustafa GitHub user (#361) [Moustafa Moustafa] + cloud_tests: emit dots on Travis while fetching images (#347) + Add schema to apt configure config (#357) [lucasmoura] (LP: #1858884) + conftest: add docs and tests regarding CiTestCase's subp functionality (#343) + analyze/dump: refactor shared string into variable (#350) + doc: update boot.rst with correct timing of runcmd (#351) + HACKING.rst: change contact info to Rick Harding (#359) [lucasmoura] + HACKING.rst: guide people to add themselves to the CLA file (#349) + HACKING.rst: more unit testing documentation (#354) + .travis.yml: don't run lintian during integration test package builds (#352) + Add test to ensure docs examples are valid cloud-init configs (#355) [James Falcon] (LP: #1876414) + make suse and sles support 127.0.1.1 (#336) [chengcheng-chcheng] + Create tests to validate schema examples (#348) [lucasmoura] (LP: #1876412) + analyze/dump: add support for Amazon Linux 2 log lines (#346) (LP: #1876323) + bsd: upgrade support (#305) [Gonéri Le Bouder] + Add lucasmoura as contributor (#345) [lucasmoura] + Add 'therealfalcon' as contributor (#344) [James Falcon] + Adapt the package building scripts to use Python 3 (#231) [Paride Legovini] + DataSourceEc2: use metadata's NIC ordering to determine route-metrics (#342) (LP: #1876312) + .travis.yml: introduce caching (#329) + cc_locale: introduce schema (#335) + doc/rtd/conf.py: bump copyright year to 2020 (#341) + yum_add_repo: Add Centos to the supported distro list (#340) - Fix unit test fail in TestGetPackageMirrorInfo::test_substitution. - Add patch from upstream to remove python2 compatibility so cloud-init builds fine in Tumbleweed with a recent Jinja2 version. This patch is only applied in TW. ----------------------------------------- Patch: SUSE-2022-228 Released: Mon Jan 31 06:07:52 2022 Summary: Recommended update for boost Severity: moderate References: 1194522 Description: This update for boost fixes the following issues: - Fix compilation errors (bsc#1194522) ----------------------------------------- Patch: SUSE-2022-334 Released: Fri Feb 4 09:30:58 2022 Summary: Security update for containerd, docker Severity: moderate References: 1191015,1191121,1191334,1191434,1193273,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190 Description: This update for containerd, docker fixes the following issues: - CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015). - CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434). - CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334). - CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121). - CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273). ----------------------------------------- Patch: SUSE-2022-548 Released: Tue Feb 22 13:48:55 2022 Summary: Recommended update for blog Severity: moderate References: 1186506,1191057 Description: This update for blog fixes the following issues: - Update to version 2.26 * On s390/x and PPC64 gcc misses unused arg0 - Update to version 2.24 * Avoid install errror due missed directory - Update to version 2.22 * Avoid KillMode=none for newer systemd version as well as rework the systemd unit files of blog (bsc#1186506) - Move to /usr for UsrMerge (bsc#1191057) - Update to version 2.21 * Merge pull request #4 from samueldr/fix/makefile Fixup Makefile for better build system support * Silent new gcc compiler ----------------------------------------- Patch: SUSE-2022-692 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Severity: moderate References: 1190447 Description: This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). ----------------------------------------- Patch: SUSE-2022-720 Released: Fri Mar 4 10:20:28 2022 Summary: Security update for containerd Severity: moderate References: 1196441,CVE-2022-23648 Description: This update for containerd fixes the following issues: - CVE-2022-23648: A specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host (bsc#1196441). ----------------------------------------- Patch: SUSE-2022-936 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Severity: moderate References: 1196275,1196406 Description: This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------- Patch: SUSE-2022-1074 Released: Fri Apr 1 13:27:00 2022 Summary: Recommended update for cloud-init Severity: moderate References: 1193531 Description: This update for cloud-init contains the following fixes: - Enable broader systemctl location. (bsc#1193531) - Remove unneeded BuildRequires on python3-nose. ----------------------------------------- Patch: SUSE-2022-1147 Released: Mon Apr 11 15:49:43 2022 Summary: Recommended update for containerd Severity: moderate References: 1195784 Description: This update of containerd fixes the following issue: - container-ctr is shipped to the PackageHub repos. ----------------------------------------- Patch: SUSE-2022-1190 Released: Wed Apr 13 20:52:23 2022 Summary: Recommended update for cloud-init Severity: important References: 1192343 Description: This update for cloud-init contains the following fixes: - Update to version 21.4 (bsc#1192343, jsc#PM-3181) + Also include VMWare functionality for (jsc#PM-3175) + Remove patches included upstream. + Forward port fixes. + Fix for VMware Test, system dependend, not properly mocked previously. + Azure: fallback nic needs to be reevaluated during reprovisioning (#1094) [Anh Vo] + azure: pps imds (#1093) [Anh Vo] + testing: Remove calls to 'install_new_cloud_init' (#1092) + Add LXD datasource (#1040) + Fix unhandled apt_configure case. (#1065) [Brett Holman] + Allow libexec for hotplug (#1088) + Add necessary mocks to test_ovf unit tests (#1087) + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336) + distros: Remove a completed 'TODO' comment (#1086) + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083) [dermotbradley] + Add 'install hotplug' module (SC-476) (#1069) (LP: #1946003) + hosts.alpine.tmpl: rearrange the order of short and long hostnames (#1084) [dermotbradley] + Add max version to docutils + cloudinit/dmi.py: Change warning to debug to prevent console display (#1082) [dermotbradley] + remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele Giuseppe Esposito] + Add module 'write-files-deferred' executed in stage 'final' (#916) [Lucendio] + Bump pycloudlib to fix CI (#1080) + Remove pin in dependencies for jsonschema (#1078) + Add 'Google' as possible system-product-name (#1077) [vteratipally] + Update Debian security suite for bullseye (#1076) [Johann Queuniet] + Leave the details of service management to the distro (#1074) [Andy Fiddaman] + Fix typos in setup.py (#1059) [Christian Clauss] + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644) + cc_ssh.py: fix private key group owner and permissions (#1070) [Emanuele Giuseppe Esposito] + VMware: read network-config from ISO (#1066) [Thomas Weißschuh] + testing: mock sleep in gce unit tests (#1072) + CloudStack: fix data-server DNS resolution (#1004) [Olivier Lemasle] (LP: #1942232) + Fix unit test broken by pyyaml upgrade (#1071) + testing: add get_cloud function (SC-461) (#1038) + Inhibit sshd-keygen@.service if cloud-init is active (#1028) [Ryan Harper] + VMWARE: search the deployPkg plugin in multiarch dir (#1061) [xiaofengw-vmware] (LP: #1944946) + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493) + Use specified tmp location for growpart (#1046) [jshen28] + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman] + Allow comments in runcmd and report failed commands correctly (#1049) [Brett Holman] (LP: #1853146) + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050) [Paride Legovini] + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299) + renderer: convert relative imports to absolute (#1052) [Paride Legovini] + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045) [Vlastimil Holer] + integration-requirements: bump the pycloudlib commit (#1047) [Paride Legovini] + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095] + pin jsonschema in requirements.txt (#1043) + testing: remove cloud_tests (#1020) + Add andgein as contributor (#1042) [Andrew Gein] + Make wording for module frequency consistent (#1039) [Nicolas Bock] + Use ascii code for growpart (#1036) [jshen28] + Add jshen28 as contributor (#1035) [jshen28] + Skip test_cache_purged_on_version_change on Azure (#1033) + Remove invalid ssh_import_id from examples (#1031) + Cleanup Vultr support (#987) [eb3095] + docs: update cc_disk_setup for fs to raw disk (#1017) + HACKING.rst: change contact info to James Falcon (#1030) + tox: bump the pinned flake8 and pylint version (#1029) [Paride Legovini] (LP: #1944414) + Add retries to DataSourceGCE.py when connecting to GCE (#1005) [vteratipally] + Set Azure to apply networking config every BOOT (#1023) + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603) + docs: fix typo and include sudo for report bugs commands (#1022) [Renan Rodrigo] (LP: #1940236) + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun] + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798) + Integration test upgrades for the 21.3-1 SRU (#1001) + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans] + Improve ug_util.py (#1013) [Shreenidhi Shedi] + Support openEuler OS (#1012) [zhuzaifangxuele] + ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007) [Emanuele Giuseppe Esposito] + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006) + cc_update_etc_hosts: Use the distribution-defined path for the hosts file (#983) [Andy Fiddaman] + Add CloudLinux OS support (#1003) [Alexandr Kravchenko] + puppet config: add the start_agent option (#1002) [Andrew Bogott] + Fix `make style-check` errors (#1000) [Shreenidhi Shedi] + Make cloud-id copyright year (#991) [Andrii Podanenko] + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi] + Update ds-identify to pass shellcheck (#979) [Andrew Kutz] + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998) [aswinrajamannar] + testing: Fix ssh keys integration test (#992) - From 21.3 + Azure: During primary nic detection, check interface status continuously before rebinding again (#990) [aswinrajamannar] + Fix home permissions modified by ssh module (SC-338) (#984) (LP: #1940233) + Add integration test for sensitive jinja substitution (#986) + Ignore hotplug socket when collecting logs (#985) (LP: #1940235) + testing: Add missing mocks to test_vmware.py (#982) + add Zadara Edge Cloud Platform to the supported clouds list (#963) [sarahwzadara] + testing: skip upgrade tests on LXD VMs (#980) + Only invoke hotplug socket when functionality is enabled (#952) + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz] + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi] + Replace broken httpretty tests with mock (SC-324) (#973) + Azure: Check if interface is up after sleep when trying to bring it up (#972) [aswinrajamannar] + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi] + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa] + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz] + Azure: Limit polling network metadata on connection errors (#961) [aswinrajamannar] + Update inconsistent indentation (#962) [Andrew Kutz] + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy] + Add Puppet contributors to CLA signers (#964) [Noah Fontes] + Datasource for VMware (#953) [Andrew Kutz] + photon: refactor hostname handling and add networkd activator (#958) [sshedi] + Stop copying ssh system keys and check folder permissions (#956) [Emanuele Giuseppe Esposito] + testing: port remaining cloud tests to integration testing framework (SC-191) (#955) + generate contents for ovf-env.xml when provisioning via IMDS (#959) [Anh Vo] + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski] + Implementing device_aliases as described in docs (#945) [Mal Graty] (LP: #1867532) + testing: fix test_ssh_import_id.py (#954) + Add ability to manage fallback network config on PhotonOS (#941) [sshedi] + Add VZLinux support (#951) [eb3095] + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun] + Update pylint to v2.9.3 and fix the new issues it spots (#946) [Paride Legovini] + Azure: mount default provisioning iso before try device listing (#870) [Anh Vo] + Document known hotplug limitations (#950) + Initial hotplug support (#936) + Fix MIME policy failure on python version upgrade (#934) + run-container: fixup the centos repos baseurls when using http_proxy (#944) [Paride Legovini] + tools: add support for building rpms on rocky linux (#940) + ssh-util: allow cloudinit to merge all ssh keys into a custom user file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito] (LP: #1911680) + VMware: new 'allow_raw_data' switch (#939) [xiaofengw-vmware] + bump pycloudlib version (#935) + add renanrodrigo as a contributor (#938) [Renan Rodrigo] + testing: simplify test_upgrade.py (#932) + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder] + Add new network activators to bring up interfaces (#919) + Detect a Python version change and clear the cache (#857) [Robert Schweikert] + cloud_tests: fix the Impish release name (#931) [Paride Legovini] + Removed distro specific network code from Photon (#929) [sshedi] + Add support for VMware PhotonOS (#909) [sshedi] + cloud_tests: add impish release definition (#927) [Paride Legovini] + docs: fix stale links rename master branch to main (#926) + Fix DNS in NetworkState (SC-133) (#923) + tests: Add 'adhoc' mark for integration tests (#925) + Fix the spelling of 'DigitalOcean' (#924) [Mark Mercado] + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell] + Replace deprecated collections.Iterable with abc replacement (#922) (LP: #1932048) + testing: OCI availability domain is now required (SC-59) (#910) + add DragonFlyBSD support (#904) [Gonéri Le Bouder] + Use instance-data-sensitive.json in jinja templates (SC-117) (#917) (LP: #1931392) + doc: Update NoCloud docs stating required files (#918) (LP: #1931577) + build-on-netbsd: don't pin a specific py3 version (#913) [Gonéri Le Bouder] + Create the log file with 640 permissions (#858) [Robert Schweikert] + Allow braces to appear in dhclient output (#911) [eb3095] + Docs: Replace all freenode references with libera (#912) + openbsd/net: flush the route table on net restart (#908) [Gonéri Le Bouder] + Add Rocky Linux support to cloud-init (#906) [Louis Abel] + Add 'esposem' as contributor (#907) [Emanuele Giuseppe Esposito] + Add integration test for #868 (#901) + Added support for importing keys via primary/security mirror clauses (#882) [Paul Goins] (LP: #1925395) + [examples] config-user-groups expire in the future (#902) [Geert Stappers] + BSD: static network, set the mtu (#894) [Gonéri Le Bouder] + Add integration test for lp-1920939 (#891) + Fix unit tests breaking from new httpretty version (#903) + Allow user control over update events (#834) + Update test characters in substitution unit test (#893) + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886) [dermotbradley] + Add AlmaLinux OS support (#872) [Andrew Lukoshko] + Still need to consider the 'network' configuration option ----------------------------------------- Patch: SUSE-2022-1689 Released: Mon May 16 14:09:01 2022 Summary: Security update for containerd, docker Severity: important References: 1193930,1196441,1197284,1197517,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191 Description: This update for containerd, docker fixes the following issues: - CVE-2022-24769: Fixed incorrect default inheritable capabilities (bsc#1197517). - CVE-2022-23648: Fixed directory traversal issue (bsc#1196441). - CVE-2022-27191: Fixed a crash in a golang.org/x/crypto/ssh server (bsc#1197284). - CVE-2021-43565: Fixed a panic in golang.org/x/crypto by empty plaintext packet (bsc#1193930). ----------------------------------------- Patch: SUSE-2022-1718 Released: Tue May 17 17:44:43 2022 Summary: Security update for e2fsprogs Severity: important References: 1198446,CVE-2022-1304 Description: This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------- Patch: SUSE-2022-1824 Released: Tue May 24 10:31:13 2022 Summary: Recommended update for dhcp Severity: moderate References: 1198657 Description: This update for dhcp fixes the following issues: - Properly handle DHCRELAY(6)_OPTIONS (bsc#1198657) ----------------------------------------- Patch: SUSE-2022-2305 Released: Wed Jul 6 13:38:42 2022 Summary: Security update for curl Severity: important References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208 Description: This update for curl fixes the following issues: - CVE-2022-32205: Set-Cookie denial of service (bsc#1200734) - CVE-2022-32206: HTTP compression denial of service (bsc#1200735) - CVE-2022-32207: Unpreserved file permissions (bsc#1200736) - CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737) ----------------------------------------- Patch: SUSE-2022-2341 Released: Fri Jul 8 16:09:12 2022 Summary: Security update for containerd, docker and runc Severity: important References: 1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030 Description: This update for containerd, docker and runc fixes the following issues: containerd: - CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145) docker: - Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145) runc: Update to runc v1.1.3. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3. * Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing). * Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes. * Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang. * When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths. * Socket activation was failing when more than 3 sockets were used. * Various CI fixes. * Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container. - Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565) Update to runc v1.1.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2. Security issue fixed: - CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460) - `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file. Update to runc v1.1.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1. * runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355) * runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404) * Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported' error. (#3406) * libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435) Update to runc v1.1.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0. - libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331) Update to runc v1.1.0~rc1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1. + Add support for RDMA cgroup added in Linux 4.11. * runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed. + runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container hasexited. + seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL). + seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host. + checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore. + intelrdt: support ClosID parameter. + runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed. + cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it). + sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour. + mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users. + Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro). + Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130. * system: improve performance of /proc/$pid/stat parsing. * cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process. * runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink. * cgroup: improve openat2 handling for cgroup directory handle hardening. runc delete -f now succeeds (rather than timing out) on a paused container. * runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused. - Update version data embedded in binary to correctly include the git commit of the release. ----------------------------------------- Patch: SUSE-2022-2378 Released: Wed Jul 13 10:27:03 2022 Summary: Security update for cifs-utils Severity: important References: 1197216,CVE-2022-27239 Description: This update for cifs-utils fixes the following issues: - CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216). ----------------------------------------- Patch: SUSE-2022-2901 Released: Fri Aug 26 03:34:23 2022 Summary: Recommended update for elfutils Severity: moderate References: Description: This update for elfutils fixes the following issues: - Fix runtime dependency for devel package ----------------------------------------- Patch: SUSE-2022-2925 Released: Mon Aug 29 03:16:48 2022 Summary: Recommended update for audit-secondary Severity: important References: 1201519 Description: This update for audit-secondary fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) ----------------------------------------- Patch: SUSE-2022-3003 Released: Fri Sep 2 15:01:44 2022 Summary: Security update for curl Severity: low References: 1202593,CVE-2022-35252 Description: This update for curl fixes the following issues: - CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593). ----------------------------------------- Patch: SUSE-2022-3395 Released: Mon Sep 26 16:35:18 2022 Summary: Recommended update for ca-certificates-mozilla Severity: moderate References: 1181994,1188006,1199079,1202868 Description: This update for ca-certificates-mozilla fixes the following issues: Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868) - Added: - Certainly Root E1 - Certainly Root R1 - DigiCert SMIME ECC P384 Root G5 - DigiCert SMIME RSA4096 Root G5 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Removed: - Hellenic Academic and Research Institutions RootCA 2011 Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079) - Added: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - GlobalSign ECC Root CA R4 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 - HiPKI Root CA - G1 - ISRG Root X2 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA - Removed: - Cybertrust Global Root - DST Root CA X3 - DigiNotar PKIoverheid CA Organisatie - G2 - GlobalSign ECC Root CA R4 - GlobalSign Root CA R2 - GTS Root R1 - GTS Root R2 - GTS Root R3 - GTS Root R4 Updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006) - Added: - HARICA Client ECC Root CA 2021 - HARICA Client RSA Root CA 2021 - HARICA TLS ECC Root CA 2021 - HARICA TLS RSA Root CA 2021 - TunTrust Root CA Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994) - Added new root CAs: - NAVER Global Root Certification Authority - Removed old root CAs: - GeoTrust Global CA - GeoTrust Primary Certification Authority - GeoTrust Primary Certification Authority - G3 - GeoTrust Universal CA - GeoTrust Universal CA 2 - thawte Primary Root CA - thawte Primary Root CA - G2 - thawte Primary Root CA - G3 - VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G5 ----------------------------------------- Patch: SUSE-2022-3520 Released: Tue Oct 4 14:18:34 2022 Summary: Feature update for dmidecode Severity: moderate References: Description: This feature update for dmidecode fixes the following issues: Update dmidecode from version 3.2 to version 3.4 (jsc#SLE-24502, jsc#SLE-24591, jsc#PED-411): - Add bios-revision, firmware-revision and system-sku-number to `-s` option - Decode HPE OEM records 194, 199, 203, 236, 237, 238 ans 240 - Decode system slot base bus width and peers - Document how the UUID fields are interpreted - Don't display the raw CPU ID in quiet mode - Don't use memcpy on /dev/mem on arm64 - Fix OEM vendor name matching - Fix small typo in NEWS file - Improve the formatting of the manual pages - Present HPE type 240 attributes as a proper list instead of packing them on a single line. This makes it more readable overall, and will also scale better if the number of attributes increases - Skip details of uninstalled memory modules - Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memor module extended speed, new system slot types, new processor characteristic and new format of Processor ID - Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information) - Use the most appropriate unit for cache size ----------------------------------------- Patch: SUSE-2022-3525 Released: Wed Oct 5 12:17:14 2022 Summary: Security update for cifs-utils Severity: moderate References: 1198976,CVE-2022-29869 Description: This update for cifs-utils fixes the following issues: - Fix changelog to include Bugzilla and CVE tracker id numbers missing from previous update ----------------------------------------- Patch: SUSE-2022-3555 Released: Mon Oct 10 14:05:12 2022 Summary: Recommended update for aaa_base Severity: important References: 1199492 Description: This update for aaa_base fixes the following issues: - The wrapper rootsh is not a restricted shell. (bsc#1199492) ----------------------------------------- Patch: SUSE-2022-3785 Released: Wed Oct 26 20:20:19 2022 Summary: Security update for curl Severity: important References: 1204383,1204386,CVE-2022-32221,CVE-2022-42916 Description: This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386). ----------------------------------------- Patch: SUSE-2022-3806 Released: Thu Oct 27 17:21:11 2022 Summary: Security update for dbus-1 Severity: important References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012 Description: This update for dbus-1 fixes the following issues: - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113). Bugfixes: - Disable asserts (bsc#1087072). ----------------------------------------- Patch: SUSE-2022-3900 Released: Tue Nov 8 10:47:55 2022 Summary: Recommended update for docker Severity: moderate References: 1200022 Description: This update for docker fixes the following issues: - Fix a crash-on-start issue with dockerd (bsc#1200022) ----------------------------------------- Patch: SUSE-2022-3991 Released: Tue Nov 15 13:54:13 2022 Summary: Security update for dhcp Severity: moderate References: 1203988,1203989,CVE-2022-2928,CVE-2022-2929 Description: This update for dhcp fixes the following issues: - CVE-2022-2928: Fixed an option refcount overflow (bsc#1203988). - CVE-2022-2929: Fixed a DHCP memory leak (bsc#1203989). ----------------------------------------- Patch: SUSE-2022-4328 Released: Tue Dec 6 12:25:12 2022 Summary: Recommended update for audit-secondary Severity: moderate References: 1204844 Description: This update for audit-secondary fixes the following issues: - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------- Patch: SUSE-2022-4463 Released: Tue Dec 13 17:04:31 2022 Summary: Security update for containerd Severity: important References: 1197284,1206065,1206235,CVE-2022-23471,CVE-2022-27191 Description: This update for containerd fixes the following issues: Update to containerd v1.6.12 including Docker v20.10.21-ce (bsc#1206065). Also includes the following fix: - CVE-2022-23471: host memory exhaustion through Terminal resize goroutine leak (bsc#1206235). - CVE-2022-27191: crash in a golang.org/x/crypto/ssh server (bsc#1197284). ----------------------------------------- Patch: SUSE-2022-4597 Released: Wed Dec 21 10:13:11 2022 Summary: Security update for curl Severity: important References: 1206308,1206309,CVE-2022-43551,CVE-2022-43552 Description: This update for curl fixes the following issues: - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). - CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308). ----------------------------------------- Patch: SUSE-2023-37 Released: Fri Jan 6 15:35:49 2023 Summary: Security update for ca-certificates-mozilla Severity: important References: 1206212,1206622 Description: This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 ----------------------------------------- Patch: SUSE-2023-429 Released: Wed Feb 15 17:41:22 2023 Summary: Security update for curl Severity: important References: 1207990,1207991,1207992,CVE-2023-23914,CVE-2023-23915,CVE-2023-23916 Description: This update for curl fixes the following issues: - CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990). - CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). ----------------------------------------- Patch: SUSE-2023-795 Released: Fri Mar 17 09:13:12 2023 Summary: Security update for docker Severity: moderate References: 1205375,1206065,CVE-2022-36109 Description: This update for docker fixes the following issues: Docker was updated to 20.10.23-ce. See upstream changelog at https://docs.docker.com/engine/release-notes/#201023 Docker was updated to 20.10.21-ce (bsc#1206065) See upstream changelog at https://docs.docker.com/engine/release-notes/#201021 Security issues fixed: - CVE-2022-36109: Fixed supplementary group permissions bypass (bsc#1205375) - Fix wrong After: in docker.service, fixes bsc#1188447 - Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux. - Allow to install container-selinux instead of apparmor-parser. - Change to using systemd-sysusers ----------------------------------------- Patch: SUSE-2023-1582 Released: Mon Mar 27 10:31:52 2023 Summary: Security update for curl Severity: moderate References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 Description: This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). ----------------------------------------- Patch: SUSE-2023-1628 Released: Tue Mar 28 12:28:51 2023 Summary: Security update for containerd Severity: important References: 1206235,CVE-2022-23471 Description: This update for containerd fixes the following issues: - CVE-2022-23471: Fixed host memory exhaustion through Terminal resize goroutine leak (bsc#1206235). - Re-build containerd to use updated golang-packaging (jsc#1342). - Update to containerd v1.6.16 for Docker v23.0.0-ce. * https://github.com/containerd/containerd/releases/tag/v1.6.16 ----------------------------------------- Patch: SUSE-2023-1827 Released: Thu Apr 13 10:18:16 2023 Summary: Security update for containerd Severity: moderate References: 1208423,1208426,CVE-2023-25153,CVE-2023-25173 Description: This update for containerd fixes the following issues: Update to containerd v1.6.19: Security fixes: - CVE-2023-25153: Fixed OCI image importer memory exhaustion (bnc#1208423). - CVE-2023-25173: Fixed supplementary groups not set up properly (bnc#1208426). ----------------------------------------- Patch: SUSE-2023-1947 Released: Fri Apr 21 14:14:41 2023 Summary: Security update for dmidecode Severity: moderate References: 1210418,CVE-2023-30630 Description: This update for dmidecode fixes the following issues: - CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418). ----------------------------------------- Patch: SUSE-2023-2224 Released: Wed May 17 09:53:54 2023 Summary: Security update for curl Severity: important References: 1211230,1211231,1211232,1211233,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 Description: This update for curl adds the following feature: Update to version 8.0.1 (jsc#PED-2580) - CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230). - CVE-2023-28320: siglongjmp race condition (bsc#1211231). - CVE-2023-28321: IDN wildcard matching (bsc#1211232). - CVE-2023-28322: POST-after-PUT confusion (bsc#1211233). ----------------------------------------- Patch: SUSE-2023-2254 Released: Fri May 19 15:20:23 2023 Summary: Security update for containerd Severity: important References: 1210298 Description: This update for containerd fixes the following issues: - Rebuild containerd with a current version of go to catch up on bugfixes and security fixes (bsc#1210298) ----------------------------------------- Patch: SUSE-2023-2481 Released: Fri Jun 9 15:18:12 2023 Summary: Recommended update for dracut Severity: moderate References: 1210909,1211072,1211080 Description: This update for dracut fixes the following issues: - Update to version 055+suse.364.g4c1d0276: - Honor rd.timeout for nvme ctrl_loss_tmo (bsc#1211080) - Suppress warning if hostname is not set (bsc#1211072) - Set netroot=nbft (bsc#1210909) ----------------------------------------- Patch: SUSE-2023-2628 Released: Fri Jun 23 21:43:22 2023 Summary: Security update for cloud-init Severity: important References: 1171511,1203393,1210277,1210652,CVE-2022-2084,CVE-2023-1786 Description: This update for cloud-init fixes the following issues: - CVE-2023-1786: Do not expose sensitive data gathered from the CSP. (bsc#1210277) - CVE-2022-2084: Fixed a bug which caused logging schema failures can include password hashes. (bsc#1210652) - Update to version 23.1 + Support transactional-updates for SUSE based distros + Set ownership for new folders in Write Files Module + add OpenCloudOS and TencentOS support + lxd: Retry if the server isn't ready + test: switch pycloudlib source to pypi + test: Fix integration test deprecation message + Recognize opensuse-microos, dev tooling fixes + sources/azure: refactor imds handler into own module + docs: deprecation generation support + add function is_virtual to distro/FreeBSD + cc_ssh: support multiple hostcertificates + Fix minor schema validation regression and fixup typing + doc: Reword user data debug section + cli: schema also validate vendordata*. + ci: sort and add checks for cla signers file + Add 'ederst' as contributor + readme: add reference to packages dir + docs: update downstream package list + docs: add google search verification + docs: fix 404 render use default notfound_urls_prefix in RTD conf + Fix OpenStack datasource detection on bare metal + docs: add themed RTD 404 page and pointer to readthedocs-hosted + schema: fix gpt labels, use type string for GUID + cc_disk_setup: code cleanup + netplan: keep custom strict perms when 50-cloud-init.yaml exists + cloud-id: better handling of change in datasource files + Warn on empty network key + Fix Vultr cloud_interfaces usage + cc_puppet: Update puppet service name + docs: Clarify networking docs + lint: remove httpretty + cc_set_passwords: Prevent traceback when restarting ssh + tests: fix lp1912844 + tests: Skip ansible test on bionic + Wait for NetworkManager + docs: minor polishing + CI: migrate integration-test to GH actions + Fix permission of SSH host keys + Fix default route rendering on v2 ipv6 + doc: fix path in net_convert command + docs: update net_convert docs + doc: fix dead link + cc_set_hostname: ignore /var/lib/cloud/data/set-hostname if it's empty + distros/rhel.py: _read_hostname() missing strip on 'hostname' + integration tests: add IBM VPC support + machine-id: set to uninitialized to trigger regeneration on clones + sources/azure: retry on connection error when fetching metdata + Ensure ssh state accurately obtained + bddeb: drop dh-systemd dependency on newer deb-based releases + doc: fix `config formats` link in cloudsigma.rst + Fix wrong subp syntax in cc_set_passwords.py + docs: update the PR template link to readthedocs + ci: switch unittests to gh actions + Add mount_default_fields for PhotonOS. + sources/azure: minor refactor for metadata source detection logic + add 'CalvoM' as contributor + ci: doc to gh actions + lxd: handle 404 from missing devices route for LXD 4.0 + docs: Diataxis overhaul + vultr: Fix issue regarding cache and region codes + cc_set_passwords: Move ssh status checking later + Improve Wireguard module idempotency + network/netplan: add gateways as on-link when necessary + tests: test_lxd assert features.networks.zones when present + Use btrfs enquque when available (#1926) [Robert Schweikert] + sources/azure: fix device driver matching for net config (#1914) + BSD: fix duplicate macs in Ifconfig parser + pycloudlib: add lunar support for integration tests + nocloud: add support for dmi variable expansion for seedfrom URL + tools: read-version drop extra call to git describe --long + doc: improve cc_write_files doc + read-version: When insufficient tags, use cloudinit.version.get_version + mounts: document weird prefix in schema + Ensure network ready before cloud-init service runs on RHEL + docs: add copy button to code blocks + netplan: define features.NETPLAN_CONFIG_ROOT_READ_ONLY flag + azure: fix support for systems without az command installed + Fix the distro.osfamily output problem in the openEuler system. + pycloudlib: bump commit dropping azure api smoke test + net: netplan config root read-only as wifi config can contain creds + autoinstall: clarify docs for users + sources/azure: encode health report as utf-8 + Add back gateway4/6 deprecation to docs + networkd: Add support for multiple [Route] sections + doc: add qemu tutorial + lint: fix tip-flake8 and tip-mypy + Add support for setting uid when creating users on FreeBSD + Fix exception in BSD networking code-path + Append derivatives to is_rhel list in cloud.cfg.tmpl + FreeBSD init: use cloudinit_enable as only rcvar + feat: add support aliyun metadata security harden mode + docs: uprate analyze to performance page + test: fix lxd preseed managed network config + Add support for static IPv6 addresses for FreeBSD + Make 3.12 failures not fail the build + Docs: adding relative links + Fix setup.py to align with PEP 440 versioning replacing trailing + Add 'nkukard' as contributor + doc: add how to render new module doc + doc: improve module creation explanation + Add Support for IPv6 metadata to OpenStack + add xiaoge1001 to .github-cla-signers + network: Deprecate gateway{4,6} keys in network config v2 + VMware: Move Guest Customization transport from OVF to VMware + doc: home page links added + net: skip duplicate mac check for netvsc nic and its VF This update for python-responses fixes the following issues: - update to 0.21.0: * Add `threading.Lock()` to allow `responses` working with `threading` module. * Add `urllib3` `Retry` mechanism. See #135 * Removed internal `_cookies_from_headers` function * Now `add`, `upsert`, `replace` methods return registered response. `remove` method returns list of removed responses. * Added null value support in `urlencoded_params_matcher` via `allow_blank` keyword argument * Added strict version of decorator. Now you can apply `@responses.activate(assert_all_requests_are_fired=True)` to your function to validate that all requests were executed in the wrapped function. See #183 ----------------------------------------- Patch: SUSE-2023-2643 Released: Mon Jun 26 15:35:07 2023 Summary: Recommended update for cpupower Severity: moderate References: Description: This update for cpupower fixes the following issues: - Add Emerald Ridge Intel CPU model support (jsc#PED-4393) - Add EMR CPU support to turbostat (jsc#PED-4395) ----------------------------------------- Patch: SUSE-2023-2658 Released: Tue Jun 27 14:46:15 2023 Summary: Recommended update for containerd, docker, runc Severity: moderate References: 1207004,1208074,1210298,1211578 Description: This update for containerd, docker, runc fixes the following issues: - Update to containerd v1.6.21 (bsc#1211578) - Update to Docker 23.0.6-ce (bsc#1211578) - Update to runc v1.1.7 - Require a minimum Go version explicitly (bsc#1210298) - Re-unify packaging for SLE-12 and SLE-15 - Fix build on SLE-12 by switching back to libbtrfs-devel headers - Allow man pages to be built without internet access in OBS - Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux - Fix syntax of boolean dependency - Allow to install container-selinux instead of apparmor-parser - Change to using systemd-sysusers - Update runc.keyring to upstream version - Fix the inability to use `/dev/null` when inside a container (bsc#1207004) ----------------------------------------- Patch: SUSE-2023-2740 Released: Fri Jun 30 10:57:08 2023 Summary: Recommended update for dracut Severity: moderate References: 1212662 Description: This update for dracut fixes the following issues: - Update to version 055+suse.366.g14047665 - Continue parsing if ldd prints 'cannot execute binary file' (bsc#1212662) ----------------------------------------- Patch: SUSE-2023-2836 Released: Fri Jul 14 21:17:52 2023 Summary: Security update for bind Severity: important References: 1212090,1212544,1212567,CVE-2023-2828,CVE-2023-2911 Description: This update for bind fixes the following issues: Update to release 9.16.42 Security Fixes: * The overmem cleaning process has been improved, to prevent the cache from significantly exceeding the configured max-cache-size limit. (CVE-2023-2828) * A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for named to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) Bug Fixes: * Previously, it was possible for a delegation from cache to be returned to the client after the stale-answer-client-timeout duration. This has been fixed. [bsc#1212544, bsc#1212567, jsc#SLE-24600] Update to release 9.16.41 Bug Fixes: * When removing delegations from an opt-out range, empty-non-terminal NSEC3 records generated by those delegations were not cleaned up. This has been fixed. [jsc#SLE-24600] Update to release 9.16.40 Bug Fixes: * Logfiles using timestamp-style suffixes were not always correctly removed when the number of files exceeded the limit set by versions. This has been fixed for configurations which do not explicitly specify a directory path as part of the file argument in the channel specification. * Performance of DNSSEC validation in zones with many DNSKEY records has been improved. Update to release 9.16.39 Feature Changes: * libuv support for receiving multiple UDP messages in a single recvmmsg() system call has been tweaked several times between libuv versions 1.35.0 and 1.40.0; the current recommended libuv version is 1.40.0 or higher. New rules are now in effect for running with a different version of libuv than the one used at compilation time. These rules may trigger a fatal error at startup: - Building against or running with libuv versions 1.35.0 and 1.36.0 is now a fatal error. - Running with libuv version higher than 1.34.2 is now a fatal error when named is built against libuv version 1.34.2 or lower. - Running with libuv version higher than 1.39.0 is now a fatal error when named is built against libuv version 1.37.0, 1.38.0, 1.38.1, or 1.39.0. * This prevents the use of libuv versions that may trigger an assertion failure when receiving multiple UDP messages in a single system call. Bug Fixes: * named could crash with an assertion failure when adding a new zone into the configuration file for a name which was already configured as a member zone for a catalog zone. This has been fixed. * When named starts up, it sends a query for the DNSSEC key for each configured trust anchor to determine whether the key has changed. In some unusual cases, the query might depend on a zone for which the server is itself authoritative, and would have failed if it were sent before the zone was fully loaded. This has now been fixed by delaying the key queries until all zones have finished loading. [jsc#SLE-24600] ----------------------------------------- Patch: SUSE-2023-2847 Released: Mon Jul 17 08:40:42 2023 Summary: Recommended update for audit Severity: moderate References: 1210004 Description: This update for audit fixes the following issues: - Check for AF_UNIX unnamed sockets (bsc#1210004) - Enable livepatching on main library on x86_64 ----------------------------------------- Patch: SUSE-2023-2877 Released: Wed Jul 19 09:43:42 2023 Summary: Security update for dbus-1 Severity: moderate References: 1212126,CVE-2023-34969 Description: This update for dbus-1 fixes the following issues: - CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126). ----------------------------------------- Patch: SUSE-2023-2891 Released: Wed Jul 19 21:14:33 2023 Summary: Security update for curl Severity: moderate References: 1213237,CVE-2023-32001 Description: This update for curl fixes the following issues: - CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237). ----------------------------------------- Patch: SUSE-2023-3253 Released: Wed Aug 9 10:52:10 2023 Summary: Recommended update for bind Severity: moderate References: 1213049 Description: This update for bind fixes the following issues: - Add dnstap support (jsc#PED-4852) - Log named-checkconf output (bsc#1213049) ----------------------------------------- Patch: SUSE-2023-3276 Released: Fri Aug 11 10:20:40 2023 Summary: Recommended update for apparmor Severity: moderate References: 1213472 Description: This update for apparmor fixes the following issues: - Add pam_apparmor README (bsc#1213472) ----------------------------------------- Patch: SUSE-2023-3282 Released: Fri Aug 11 10:26:23 2023 Summary: Recommended update for blog Severity: moderate References: Description: This update for blog fixes the following issues: - Fix big endian cast problems to be able to read commands and ansers as well as passphrases ----------------------------------------- Patch: SUSE-2023-3283 Released: Fri Aug 11 10:28:34 2023 Summary: Feature update for cloud-init Severity: moderate References: 1184758,1210273,1212879,CVE-2021-3429,CVE-2023-1786 Description: This update for cloud-init fixes the following issues: - Default route is not configured (bsc#1212879) - cloud-final service failing in powerVS (bsc#1210273) - Randomly generated passwords logged in clear-text to world-readable file (bsc#1184758, CVE-2021-3429) ----------------------------------------- Patch: SUSE-2023-3393 Released: Wed Aug 23 17:41:55 2023 Summary: Recommended update for dracut Severity: important References: 1214081 Description: This update for dracut fixes the following issues: - Protect against broken links pointing to themselves - Exit if resolving executable dependencies fails (bsc#1214081) ----------------------------------------- Patch: SUSE-2023-3410 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Severity: moderate References: 1201519,1204844 Description: This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------- Patch: SUSE-2023-3440 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Severity: low References: 1214025,CVE-2023-4156 Description: This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025) ----------------------------------------- Patch: SUSE-2023-3454 Released: Mon Aug 28 13:43:18 2023 Summary: Security update for ca-certificates-mozilla Severity: important References: 1214248 Description: This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------- Patch: SUSE-2023-3536 Released: Tue Sep 5 15:00:27 2023 Summary: Security update for docker Severity: moderate References: 1210797,1212368,1213120,1213229,1213500,1214107,1214108,1214109,CVE-2023-28840,CVE-2023-28841,CVE-2023-28842 Description: This update for docker fixes the following issues: - Update to Docker 24.0.5-ce. See upstream changelong online at bsc#1213229 - Update to Docker 24.0.4-ce. See upstream changelog online at . bsc#1213500 - Update to Docker 24.0.3-ce. See upstream changelog online at . bsc#1213120 - Recommend docker-rootless-extras instead of Require(ing) it, given it's an additional functionality and not inherently required for docker to function. - Add docker-rootless-extras subpackage (https://docs.docker.com/engine/security/rootless) - Update to Docker 24.0.2-ce. See upstream changelog online at . bsc#1212368 * Includes the upstreamed fix for the mount table pollution issue. bsc#1210797 - Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as being provided by this package. - was rebuilt against current GO compiler. ----------------------------------------- Patch: SUSE-2023-3577 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Severity: low References: 1209998 Description: This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-3717 Released: Thu Sep 21 06:51:51 2023 Summary: Recommended update for apparmor Severity: moderate References: 1214458 Description: This update for apparmor fixes the following issues: - Update zgrep profile to allow egrep helper use (bsc#1214458) ----------------------------------------- Patch: SUSE-2023-3817 Released: Wed Sep 27 18:31:14 2023 Summary: Security update for containerd Severity: important References: 1212475 Description: This update of containerd fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------- Patch: SUSE-2023-3821 Released: Wed Sep 27 18:38:33 2023 Summary: Security update for bind Severity: important References: 1215472,CVE-2023-3341 Description: This update for bind fixes the following issues: Update to release 9.16.44: - CVE-2023-3341: Fixed stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (bsc#1215472). Update to release 9.16.43 * Processing already-queued queries received over TCP could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed. This has been fixed. ----------------------------------------- Patch: SUSE-2023-3823 Released: Wed Sep 27 18:42:38 2023 Summary: Security update for curl Severity: important References: 1215026,CVE-2023-38039 Description: This update for curl fixes the following issues: - CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026) ----------------------------------------- Patch: SUSE-2023-3970 Released: Wed Oct 4 14:17:12 2023 Summary: Recommended update for dracut Severity: moderate References: 1215578 Description: This update for dracut fixes the following issues: - Honor nvme-cli's /etc/nvme/config.json in NVMe/TCP (bsc#1215578) ----------------------------------------- Patch: SUSE-2023-4003 Released: Mon Oct 9 08:29:33 2023 Summary: Recommended update for apparmor Severity: moderate References: 1215596 Description: This update for apparmor fixes the following issues: - Handle pam-config errors in pam_apparmor %post and %postun scripts (bsc#1215596) ----------------------------------------- Patch: SUSE-2023-4044 Released: Wed Oct 11 09:01:14 2023 Summary: Security update for curl Severity: important References: 1215888,1215889,CVE-2023-38545,CVE-2023-38546 Description: This update for curl fixes the following issues: - CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888) - CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889) ----------------------------------------- Patch: SUSE-2023-4139 Released: Fri Oct 20 10:06:58 2023 Summary: Recommended update for containerd, runc Severity: moderate References: 1215323 Description: This update for containerd, runc fixes the following issues: runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9 containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes: - https://github.com/containerd/containerd/releases/tag/v1.7.7 - https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages ----------------------------------------- Patch: SUSE-2023-4154 Released: Fri Oct 20 19:33:25 2023 Summary: Recommended update for aaa_base Severity: moderate References: 1107342,1215434 Description: This update for aaa_base fixes the following issues: - Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) ----------------------------------------- Patch: SUSE-2023-4450 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Severity: moderate References: 1209998 Description: This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------- Patch: SUSE-2023-4659 Released: Wed Dec 6 13:04:57 2023 Summary: Security update for curl Severity: moderate References: 1217573,1217574,CVE-2023-46218,CVE-2023-46219 Description: This update for curl fixes the following issues: - CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573). - CVE-2023-46219: HSTS long file name clears contents (bsc#1217574). ----------------------------------------- Patch: SUSE-2023-4703 Released: Mon Dec 11 07:19:53 2023 Summary: Recommended update for dracut Severity: moderate References: 1192986,1217031 Description: This update for dracut fixes the following issues: - Update to version 055+suse.375.g1167ed75 - Fix network device naming in udev-rules (bsc#1192986) ----------------------------------------- Patch: SUSE-2023-4727 Released: Tue Dec 12 12:27:39 2023 Summary: Security update for catatonit, containerd, runc Severity: important References: 1200528,CVE-2022-1996 Description: This update of runc and containerd fixes the following issues: containerd: - Update to containerd v1.7.8. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8 * CVE-2022-1996: Fixed CORS bypass in go-restful (bsc#1200528) catatonit: - Update to catatonit v0.2.0. * Change license to GPL-2.0-or-later. - Update to catatont v0.1.7 * This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). - Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). runc: - Update to runc v1.1.10. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.10 ----------------------------------------- Patch: SUSE-2023-4936 Released: Wed Dec 20 17:18:21 2023 Summary: Security update for docker, rootlesskit Severity: important References: 1170415,1170446,1178760,1210141,1213229,1213500,1215323,1217513,CVE-2020-12912,CVE-2020-8694,CVE-2020-8695 Description: This update for docker, rootlesskit fixes the following issues: docker: - Update to Docker 24.0.7-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513 * Deny containers access to /sys/devices/virtual/powercap by default. - CVE-2020-8694 bsc#1170415 - CVE-2020-8695 bsc#1170446 - CVE-2020-12912 bsc#1178760 - Update to Docker 24.0.6-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2406 . bsc#1215323 - Add a docker.socket unit file, but with socket activation effectively disabled to ensure that Docker will always run even if you start the socket individually. Users should probably just ignore this unit file. bsc#1210141 - Update to Docker 24.0.5-ce. See upstream changelong online at https://docs.docker.com/engine/release-notes/24.0/#2405 . bsc#1213229 This update ships docker-rootless support in the docker-rootless-extra package. (jsc#PED-6180) rootlesskit: - new package, for docker rootless support. (jsc#PED-6180) ----------------------------------------- Patch: SUSE-2023-4962 Released: Fri Dec 22 13:45:06 2023 Summary: Recommended update for curl Severity: important References: 1216987 Description: This update for curl fixes the following issues: - libssh: Implement SFTP packet size limit (bsc#1216987) This update also ships curl to the INSTALLER channel. ----------------------------------------- Patch: SUSE-2024-105 Released: Mon Jan 15 15:41:05 2024 Summary: Recommended update for grub2 and efibootmgr Severity: important References: 1217237 Description: This update for grub2 and efibootmgr fixes the following issues: grub2: - Deliver missing grub2-arm64-efi and grub2-powerpc-ieee1275 to SUSE Manager 4.3 (no source changes) (bsc#1217237) efibootmgr: - Deliver missing efibootmgr to SUSE Manager 4.3 (no source changes) (bsc#1217237) ----------------------------------------- Patch: SUSE-2024-128 Released: Tue Jan 16 13:50:37 2024 Summary: Security update for cloud-init Severity: moderate References: 1198269,1201010,1214169,1215740,1215794,1216007,1216011,CVE-2023-1786 Description: This update for cloud-init contains the following fixes: - Move fdupes call back to %install.(bsc#1214169) - Update to version 23.3. (bsc#1216011) * (bsc#1215794) * (bsc#1215740) * (bsc#1216007) + Bump pycloudlib to 1!5.1.0 for ec2 mantic daily image support (#4390) + Fix cc_keyboard in mantic (LP: #2030788) + ec2: initialize get_instance_userdata return value to bytes (#4387) [Noah Meyerhans] + cc_users_groups: Add doas/opendoas support (#4363) [dermotbradley] + Fix pip-managed ansible + status: treat SubState=running and MainPID=0 as service exited + azure/imds: increase read-timeout to 30s (#4372) [Chris Patterson] + collect-logs fix memory usage (SC-1590) (#4289) [Alec Warren] (LP: #1980150) + cc_mounts: Use fallocate to create swapfile on btrfs (#4369) + Undocument nocloud-net (#4318) + feat(akamai): add akamai to settings.py and apport.py (#4370) + read-version: fallback to get_version when git describe fails (#4366) + apt: fix cloud-init status --wait blocking on systemd v 253 (#4364) + integration tests: Pass username to pycloudlib (#4324) + Bump pycloudlib to 1!5.1.0 (#4353) + cloud.cfg.tmpl: reorganise, minimise/reduce duplication (#4272) [dermotbradley] + analyze: fix (unexpected) timestamp parsing (#4347) [Mina Galić] + cc_growpart: fix tests to run on FreeBSD (#4351) [Mina Galić] + subp: Fix spurious test failure on FreeBSD (#4355) [Mina Galić] + cmd/clean: fix tests on non-Linux platforms (#4352) [Mina Galić] + util: Fix get_proc_ppid() on non-Linux systems (#4348) [Mina Galić] + cc_wireguard: make tests pass on FreeBSD (#4346) [Mina Galić] + unittests: fix breakage in test_read_cfg_paths_fetches_cached_datasource (#4328) [Ani Sinha] + Fix test_tools.py collection (#4315) + cc_keyboard: add Alpine support (#4278) [dermotbradley] + Flake8 fixes (#4340) [Robert Schweikert] + cc_mounts: Fix swapfile not working on btrfs (#4319) [王煎饼] (LP: #1884127) + ds-identify/CloudStack: $DS_MAYBE if vm running on vmware/xen (#4281) [Wei Zhou] + ec2: Support double encoded userdata (#4275) [Noah Meyerhans] + cc_mounts: xfs is a Linux only FS (#4334) [Mina Galić] + tests/net: fix TestGetInterfaces' mock coverage for get_master (#4336) [Chris Patterson] + change openEuler to openeuler and fix some bugs in openEuler (#4317) [sxt1001] + Replace flake8 with ruff (#4314) + NM renderer: set default IPv6 addr-gen-mode for all interfaces to eui64 (#4291) [Ani Sinha] + cc_ssh_import_id: add Alpine support and add doas support (#4277) [dermotbradley] + sudoers not idempotent (SC-1589) (#4296) [Alec Warren] (LP: #1998539) + Added support for Akamai Connected Cloud (formerly Linode) (#4167) [Will Smith] + Fix reference before assignment (#4292) + Overhaul module reference page (#4237) [Sally] + replaced spaces with commas for setting passenv (#4269) [Alec Warren] + DS VMware: modify a few log level (#4284) [PengpengSun] + tools/read-version refactors and unit tests (#4268) + Ensure get_features() grabs all features (#4285) + Don't always require passlib dependency (#4274) + tests: avoid leaks into host system checking of ovs-vsctl cmd (#4275) + Fix NoCloud kernel commandline key parsing (#4273) + testing: Clear all LRU caches after each test (#4249) + Remove the crypt dependency (#2139) [Gonéri Le Bouder] + logging: keep current file mode of log file if its stricter than the new mode (#4250) [Ani Sinha] + Remove default membership in redundant groups (#4258) [Dave Jones] (LP: #1923363) + doc: improve datasource_creation.rst (#4262) + Remove duplicate Integration testing button (#4261) [Rishita Shaw] + tools/read-version: fix the tool so that it can handle version parsing errors (#4234) [Ani Sinha] + net/dhcp: add udhcpc support (#4190) [Jean-François Roche] + DS VMware: add i386 arch dir to deployPkg plugin search path [PengpengSun] + LXD moved from linuxcontainers.org to Canonical [Simon Deziel] + cc_mounts.py: Add note about issue with creating mounts inside mounts (#4232) [dermotbradley] + lxd: install lxd from snap, not deb if absent in image + landscape: use landscape-config to write configuration + Add deprecation log during init of DataSourceDigitalOcean (#4194) [tyb-truth] + doc: fix typo on apt.primary.arches (#4238) [Dan Bungert] + Inspect systemd state for cloud-init status (#4230) + instance-data: add system-info and features to combined-cloud-config (#4224) + systemd: Block login until config stage completes (#2111) (LP: #2013403) + tests: proposed should invoke apt-get install -t=-proposed (#4235) + cloud.cfg.tmpl: reinstate ca_certs entry (#4236) [dermotbradley] + Remove feature flag override ability (#4228) + tests: drop stray unrelated file presence test (#4227) + Update LXD URL (#4223) [Sally] + schema: add network v1 schema definition and validation functions + tests: daily PPA for devel series is version 99.daily update tests to match (#4225) + instance-data: write /run/cloud-init/combined-cloud-config.json + mount parse: Fix matching non-existent directories (#4222) [Mina Galić] + Specify build-system for pep517 (#4218) + Fix network v2 metric rendering (#4220) + Migrate content out of FAQ page (SD-1187) (#4205) [Sally] + setup: fix generation of init templates (#4209) [Mina Galić] + docs: Correct some bootcmd example wording + fix changelog + tests: reboot client to assert x-shellscript-per-boot is triggered + nocloud: parse_cmdline no longer detects nocloud-net datasource (#4204) (LP: 4203, #2025180) + Add docstring and typing to mergemanydict (#4200) + BSD: add dsidentify to early startup scripts (#4182) [Mina Galić] + handler: report errors on skipped merged cloud-config.txt parts (LP: #1999952) + Add cloud-init summit writeups (#4179) [Sally] + tests: Update test_clean_log for oci (#4187) + gce: improve ephemeral fallback NIC selection (CPC-2578) (#4163) + tests: pin pytest 7.3.1 to avoid adverse testpaths behavior (#4184) + Ephemeral Networking for FreeBSD (#2165) [Mina Galić] + Clarify directory syntax for nocloud local filesystem. (#4178) + Set default renderer as sysconfig for centos/rhel (#4165) [Ani Sinha] + Test static routes and netplan 0.106 + FreeBSD fix parsing of mount and mount options (#2146) [Mina Galić] + test: add tracking bug id (#4164) + tests: can't match MAC for LXD container veth due to netplan 0.106 (#4162) + Add kaiwalyakoparkar as a contributor (#4156) [Kaiwalya Koparkar] + BSD: remove datasource_list from cloud.cfg template (#4159) [Mina Galić] + launching salt-minion in masterless mode (#4110) [Denis Halturin] + tools: fix run-container builds for rockylinux/8 git hash mismatch (#4161) + fix doc lint: spellchecker tripped up (#4160) [Mina Galić] + Support Ephemeral Networking for BSD (#2127) + Added / fixed support for static routes on OpenBSD and FreeBSD (#2157) [Kadir Mueller] + cc_rsyslog: Refactor for better multi-platform support (#4119) [Mina Galić] (LP: #1798055) + tests: fix test_lp1835584 (#4154) + cloud.cfg mod names: docs and rename salt_minion and set_password (#4153) + vultr: remove check_route check (#2151) [Jonas Chevalier] + Update SECURITY.md (#4150) [Indrranil Pawar] + Update CONTRIBUTING.rst (#4149) [Indrranil Pawar] + Update .github-cla-signers (#4151) [Indrranil Pawar] + Standardise module names in cloud.cfg.tmpl to only use underscore (#4128) [dermotbradley] + Modify PR template so autoclose works From 23.2.2 + Fix NoCloud kernel commandline key parsing (#4273) (Fixes: #4271) (LP: #2028562) + Fix reference before assignment (#4292) (Fixes: #4288) (LP: #2028784) From 23.2.1 + nocloud: Fix parse_cmdline detection of nocloud-net datasource (#4204) (Fixes: 4203) (LP: #2025180) From 23.2 + BSD: simplify finding MBR partitions by removing duplicate code [Mina Galić] + tests: bump pycloudlib version for mantic builds + network-manager: Set higher autoconnect priority for nm keyfiles (#3671) [Ani Sinha] + alpine.py: change the locale file used (#4139) [dermotbradley] + cc_ntp: Sync up with current FreeBSD ntp.conf (#4122) [Mina Galić] + config: drop refresh_rmc_and_interface as RHEL 7 no longer supported [Robert Schweikert] + docs: Add feedback button to docs + net/sysconfig: enable sysconfig renderer if network manager has ifcfg-rh plugin (#4132) [Ani Sinha] + For Alpine use os-release PRETTY_NAME (#4138) [dermotbradley] + network_manager: add a method for ipv6 static IP configuration (#4127) [Ani Sinha] + correct misnamed template file host.mariner.tmpl (#4124) [dermotbradley] + nm: generate ipv6 stateful dhcp config at par with sysconfig (#4115) [Ani Sinha] + Add templates for GitHub Issues + Add 'peers' and 'allow' directives in cc_ntp (#3124) [Jacob Salmela] + FreeBSD: Fix user account locking (#4114) [Mina Galić] (GH: #1854594) + FreeBSD: add ResizeGrowFS class to cc_growpart (#2334) [Mina Galić] + Update tests in Azure TestCanDevBeReformatted class (#2771) [Ksenija Stanojevic] + Replace Launchpad references with GitHub Issues + Fix KeyError in iproute pformat (#3287) [Dmitry Zykov] + schema: read_cfg_paths call init.fetch to lookup /v/l/c/instance + azure/errors: introduce reportable errors for imds (#3647) [Chris Patterson] + FreeBSD (and friends): better identify MBR slices (#2168) [Mina Galić] (LP: #2016350) + azure/errors: add host reporting for dhcp errors (#2167) [Chris Patterson] + net: purge blacklist_drivers across net and azure (#2160) [Chris Patterson] + net: refactor hyper-v VF filtering and apply to get_interfaces() (#2153) [Chris Patterson] + tests: avoid leaks to underlying filesystem for /etc/cloud/clean.d (#2251) + net: refactor find_candidate_nics_on_linux() to use get_interfaces() (#2159) [Chris Patterson] + resolv_conf: Allow > 3 nameservers (#2152) [Major Hayden] + Remove mount NTFS error message (#2134) [Ksenija Stanojevic] + integration tests: fix image specification parsing (#2166) + ci: add hypothesis scheduled GH check (#2149) + Move supported distros list to docs (#2162) + Fix logger, use instance rather than module function (#2163) + README: Point to Github Actions build status (#2158) + Revert 'fix linux-specific code on bsd (#2143)' (#2161) + Do not generate dsa and ed25519 key types when crypto FIPS mode is enabled (#2142) [Ani Sinha] (LP: 2017761) + Add documentation label automatically (#2156) + sources/azure: report success to host and introduce kvp module (#2141) [Chris Patterson] + setup.py: use pkg-config for udev/rules path (#2137) [dankm] + openstack/static: honor the DNS servers associated with a network (#2138) [Gonéri Le Bouder] + fix linux-specific code on bsd (#2143) + cli: schema validation of jinja template user-data (SC-1385) (#2132) (LP: #1881925) + gce: activate network discovery on every boot (#2128) + tests: update integration test to assert 640 across reboots (#2145) + Make user/vendor data sensitive and remove log permissions (#2144) (LP: #2013967) + Update kernel command line docs (SC-1457) (#2133) + docs: update network configuration path links (#2140) [d1r3ct0r] + sources/azure: report failures to host via kvp (#2136) [Chris Patterson] + net: Document use of `ip route append` to add routes (#2130) + dhcp: Add missing mocks (#2135) + azure/imds: retry fetching metadata up to 300 seconds (#2121) [Chris Patterson] + [1/2] DHCP: Refactor dhcp client code (#2122) + azure/errors: treat traceback_base64 as string (#2131) [Chris Patterson] + azure/errors: introduce reportable errors (#2129) [Chris Patterson] + users: schema permit empty list to indicate create no users + azure: introduce identity module (#2116) [Chris Patterson] + Standardize disabling cloud-init on non-systemd (#2112) + Update .github-cla-signers (#2126) [Rob Tongue] + NoCloud: Use seedfrom protocol to determine mode (#2107) + rhel: Remove sysvinit files. (#2114) + tox.ini: set -vvvv --showlocals for pytest (#2104) [Chris Patterson] + Fix NoCloud kernel commandline semi-colon args + run-container: make the container/VM timeout configurable (#2118) [Paride Legovini] + suse: Remove sysvinit files. (#2115) + test: Backport assert_call_count for old requests (#2119) + Add 'licebmi' as contributor (#2113) [Mark Martinez] + Adapt DataSourceScaleway to upcoming IPv6 support (#2033) [Louis Bouchard] + rhel: make sure previous-hostname file ends with a new line (#2108) [Ani Sinha] + Adding contributors for DataSourceAkamai (#2110) [acourdavAkamai] + Cleanup ephemeral IP routes on exception (#2100) [sxt1001] + commit 09a64badfb3f51b1b391fa29be19962381a4bbeb [sxt1001] (LP: #2011291) + Standardize kernel commandline user interface (#2093) + config/cc_resizefs: fix do_resize arguments (#2106) [Chris Patterson] + Fix test_dhclient_exits_with_error (#2105) + net/dhcp: catch dhclient failures and raise NoDHCPLeaseError (#2083) [Chris Patterson] + sources/azure: move pps handling out of _poll_imds() (#2075) [Chris Patterson] + tests: bump pycloudlib version (#2102) + schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098) + sources/azure/imds: don't count timeout errors as connection errors (#2074) [Chris Patterson] + Fix Python 3.12 unit test failures (#2099) + integration tests: Refactor instance checking (#1989) + ci: migrate remaining jobs from travis to gh (#2085) + missing ending quote in instancedata docs(#2094) [Hong L] + refactor: stop passing log instances to cc_* handlers (#2016) [d1r3ct0r] + tests/vmware: fix test_no_data_access_method failure (#2092) [Chris Patterson] + Don't change permissions of netrules target (#2076) (LP: #2011783) + tests/sources: patch util.get_cmdline() for datasource tests (#2091) [Chris Patterson] + macs: ignore duplicate MAC for devs with driver driver qmi_wwan (#2090) (LP: #2008888) + Fedora: Enable CA handling (#2086) [František Zatloukal] + Send dhcp-client-identifier for InfiniBand ports (#2043) [Waleed Mousa] + cc_ansible: complete the examples and doc (#2082) [Yves] + bddeb: for dev package, derive debhelper-compat from host system + apport: only prompt for cloud_name when instance-data.json is absent + datasource: Optimize datasource detection, fix bugs (#2060) + Handle non existent ca-cert-config situation (#2073) [Shreenidhi Shedi] + sources/azure: add networking check for all source PPS (#2061) [Chris Patterson] + do not attempt dns resolution on ip addresses (#2040) + chore: fix style tip (#2071) + Fix metadata IP in instancedata.rst (#2063) [Brian Haley] + util: Pass deprecation schedule in deprecate_call() (#2064) + config: Update grub-dpkg docs (#2058) + docs: Cosmetic improvements and styling (#2057) [s-makin] + cc_grub_dpkg: Added UEFI support (#2029) [Alexander Birkner] + tests: Write to /var/spool/rsyslog to adhere to apparmor profile (#2059) + oracle-ds: prefer system_cfg over ds network config source (#1998) (LP: #1956788) + Remove dead code (#2038) + source: Force OpenStack when it is only option (#2045) (LP: #2008727) + cc_ubuntu_advantage: improve UA logs discovery + sources/azure: fix regressions in IMDS behavior (#2041) [Chris Patterson] + tests: fix test_schema (#2042) + dhcp: Cleanup unused kwarg (#2037) + sources/vmware/imc: fix-missing-catch-few-negtive-scenarios (#2027) [PengpengSun] + dhclient_hook: remove vestigal dhclient_hook command (#2015) + log: Add standardized deprecation tooling (SC-1312) (#2026) + Enable SUSE based distros for ca handling (#2036) [Robert Schweikert] From 23.1.2 + Make user/vendor data sensitive and remove log permissions (LP: #2013967) (CVE-2023-1786) - Remove six dependency (bsc#1198269) - Update to version 22.4 (bsc#1201010) ----------------------------------------- Patch: SUSE-2024-238 Released: Fri Jan 26 10:56:41 2024 Summary: Security update for cpio Severity: moderate References: 1218571,CVE-2023-7207 Description: This update for cpio fixes the following issues: - CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571). ----------------------------------------- Patch: SUSE-2024-254 Released: Fri Jan 26 17:19:30 2024 Summary: Recommended update for containerd Severity: moderate References: 1217952 Description: This update for containerd fixes the following issues: - Fix permissions of address file (bsc#1217952) - Update to version 1.7.10 ----------------------------------------- Patch: SUSE-2024-322 Released: Fri Feb 2 15:13:26 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1107342,1215434 Description: This update for aaa_base fixes the following issues: - Set JAVA_HOME correctly (bsc#1107342, bsc#1215434) ----------------------------------------- Patch: SUSE-2024-574 Released: Wed Feb 21 10:39:55 2024 Summary: Security update for bind Severity: important References: 1219823,1219826,1219851,1219852,1219853,1219854,CVE-2023-4408,CVE-2023-50387,CVE-2023-50868,CVE-2023-5517,CVE-2023-5679,CVE-2023-6516 Description: This update for bind fixes the following issues: Update to release 9.16.48: - CVE-2023-50387: Fixed a denial-of-service caused by DNS messages containing a lot of DNSSEC signatures (bsc#1219823). - CVE-2023-50868: Fixed a denial-of-service caused by NSEC3 closest encloser proof (bsc#1219826). - CVE-2023-4408: Fixed a denial-of-service caused by DNS messages with many different names (bsc#1219851). - CVE-2023-5517: Fixed a possible crash when nxdomain-redirect was enabled (bsc#1219852). - CVE-2023-5679: Fixed a possible crash when bad interaction between DNS64 and serve-stale, when both of these features are enabled (bsc#1219853). - CVE-2023-6516: Fixed excessive memory consumption when continuously trigger the cache database maintenance (bsc#1219854). ----------------------------------------- Patch: SUSE-2024-586 Released: Thu Feb 22 09:54:21 2024 Summary: Security update for docker Severity: important References: 1219267,1219268,1219438,CVE-2024-23651,CVE-2024-23652,CVE-2024-23653 Description: This update for docker fixes the following issues: Vendor latest buildkit v0.11 including bugfixes for the following: * CVE-2024-23653: BuildKit API doesn't validate entitlement on container creation (bsc#1219438). * CVE-2024-23652: Fixed arbitrary deletion of files (bsc#1219268). * CVE-2024-23651: Fixed race condition in mount (bsc#1219267). ----------------------------------------- Patch: SUSE-2024-305 Released: Mon Mar 11 14:15:37 2024 Summary: Security update for cpio Severity: moderate References: 1218571,1219238,CVE-2023-7207 Description: This update for cpio fixes the following issues: - Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238) ----------------------------------------- Patch: SUSE-2024-849 Released: Tue Mar 12 15:38:03 2024 Summary: Recommended update for cloud-init Severity: important References: 1198533,1214169,1218952 Description: This update for cloud-init contains the following fixes: - Skip tests with empty config. - Support reboot on package update/upgrade via the cloud-init config. (bsc#1198533, bsc#1218952, jsc#SMO-326) - Switch build dependency to the generic distribution-release package. - Move fdupes call back to %install. (bsc#1214169) ----------------------------------------- Patch: SUSE-2024-861 Released: Wed Mar 13 09:12:30 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1218232 Description: This update for aaa_base fixes the following issues: - Silence the output in the case of broken symlinks (bsc#1218232) ----------------------------------------- Patch: SUSE-2024-907 Released: Fri Mar 15 08:57:38 2024 Summary: Recommended update for audit Severity: moderate References: 1215377 Description: This update for audit fixes the following issue: - Fix plugin termination when using systemd service units (bsc#1215377) ----------------------------------------- Patch: SUSE-2024-929 Released: Tue Mar 19 06:36:24 2024 Summary: Recommended update for coreutils Severity: moderate References: 1219321 Description: This update for coreutils fixes the following issues: - tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321) ----------------------------------------- Patch: SUSE-2024-1081 Released: Tue Apr 2 06:50:44 2024 Summary: Recommended update for dracut Severity: important References: 1217083,1219841,1220485,1221675 Description: This update for dracut fixes the following issues: - Update to version 055+suse.382.g80b55af2: * Fix regression with multiple `rd.break=` options (bsc#1221675) * Do not call `strcmp` if the `value` argument is NULL (bsc#1219841) * Correct shellcheck regression when parsing ccw args (bsc#1220485) * Skip README for AMD microcode generation (bsc#1217083) ----------------------------------------- Patch: SUSE-2024-1104 Released: Wed Apr 3 14:29:58 2024 Summary: Recommended update for docker, containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs Severity: important References: Description: This update for docker fixes the following issues: - Overlay files are world-writable (bsc#1220339) - Allow disabling apparmor support (some products only support SELinux) The other packages in the update (containerd, rootlesskit, catatonit, slirp4netns, fuse-overlayfs) are no-change rebuilds required because the corresponding binary packages were missing in a number of repositories, thus making docker not installable on some products. ----------------------------------------- Patch: SUSE-2024-1151 Released: Mon Apr 8 11:36:23 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221667,CVE-2024-2004,CVE-2024-2398 Description: This update for curl fixes the following issues: - CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665) - CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667) ----------------------------------------- Patch: SUSE-2024-1352 Released: Fri Apr 19 15:28:38 2024 Summary: Recommended update for cloud-init Severity: important References: 1220132,1221132,1221726,1222113 Description: This update for cloud-init contains the following fixes: - Add cloud-init-no-nmcfg-needed.patch (bsc#1221726) + Do not require a NetworkManager config file in order to detect NetworkManager as the renderer - Add cloud-init-no-openstack-guess.patch (bsc#1222113) + Do not guess if we are running on OpenStack or not. Only recognize the known markers and enable cloud-init if we know for sure. - Do not guess a data source when checking for a CloudStack environment. (bsc#1221132) - Hardcode distribution to suse for proper cloud.cfg generation (bsc#1220132). - Prepare for RPM 4.20 switch patch syntax ----------------------------------------- Patch: SUSE-2024-1429 Released: Wed Apr 24 15:13:10 2024 Summary: Recommended update for ca-certificates Severity: moderate References: 1188500,1221184 Description: This update for ca-certificates fixes the following issue: - Update version (bsc#1221184) * Use flock to serialize calls (bsc#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed ----------------------------------------- Patch: SUSE-2024-1487 Released: Thu May 2 10:43:53 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1211721,1221361,1221407,1222547 Description: This update for aaa_base fixes the following issues: - home and end button not working from ssh client (bsc#1221407) - use autosetup in prep stage of specfile - drop the stderr redirection for csh (bsc#1221361) - drop sysctl.d/50-default-s390.conf (bsc#1211721) - make sure the script does not exit with 1 if a file with content is found (bsc#1222547) ----------------------------------------- Patch: SUSE-2024-1566 Released: Thu May 9 12:33:21 2024 Summary: Recommended update for catatonit Severity: moderate References: Description: This update for catatonit fixes the following issues: - Update to catatonit v0.2.0 - Change license to GPL-2.0-or-later ----------------------------------------- Patch: SUSE-2024-1665 Released: Thu May 16 08:00:09 2024 Summary: Recommended update for coreutils Severity: moderate References: 1221632 Description: This update for coreutils fixes the following issues: - ls: avoid triggering automounts (bsc#1221632) ----------------------------------------- Patch: SUSE-2024-1802 Released: Tue May 28 16:20:18 2024 Summary: Recommended update for e2fsprogs Severity: moderate References: 1223596 Description: This update for e2fsprogs fixes the following issues: EA Inode handling fixes: - ext2fs: avoid re-reading inode multiple times (bsc#1223596) - e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs() (bsc#1223596) - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596) ----------------------------------------- Patch: SUSE-2024-1876 Released: Fri May 31 06:47:32 2024 Summary: Recommended update for aaa_base Severity: moderate References: 1221361 Description: This update for aaa_base fixes the following issues: - Fix the typo to set JAVA_BINDIR in the csh variant of the alljava profile script (bsc#1221361) ----------------------------------------- Patch: SUSE-2024-2022 Released: Thu Jun 13 16:13:20 2024 Summary: Recommended update for chrony Severity: moderate References: 1213551 Description: This update for chrony fixes the following issues: - Use shorter NTS-KE retry interval when network is down (bsc#1213551) - Use make quickcheck instead of make check to avoid more than 1h build times and failures due to timeouts. This was the default before 3.2 but it changed to make tests more reliable ----------------------------------------- Patch: SUSE-2024-2108 Released: Thu Jun 20 19:35:51 2024 Summary: Security update for containerd Severity: important References: 1221400,1224323,CVE-2023-45288 Description: This update for containerd fixes the following issues: Update to containerd v1.7.17. - CVE-2023-45288: Fixed the limit of CONTINUATION frames read for an HTTP/2 request (bsc#1221400). - Fixed /sys/devices/virtual/powercap accessibility by default containers to mitigate power-based side channel attacks (bsc#1224323). ----------------------------------------- Patch: SUSE-2024-2222 Released: Tue Jun 25 18:10:29 2024 Summary: Recommended update for cloud-init Severity: important References: 1219680,1223469 Description: This update for cloud-init fixes the following issues: - Brute force approach to skip renames if the device is already present (bsc#1219680) - Handle the existence of /usr/etc/sudoers to search for the expected include location (bsc#1223469) - Do not enable cloud-init on systems where there is no DMI just because no data source has been found. No data source means cloud-init will not run. ----------------------------------------- Patch: SUSE-2024-2253 Released: Mon Jul 1 18:33:02 2024 Summary: Recommended update for containerd Severity: moderate References: Description: This update for containerd fixes the following issues: - Revert the noarch change for devel subpackage Switching to noarch causes issues on SLES maintenance updates, reverting it fixes our image builds ----------------------------------------- Patch: SUSE-2024-2696 Released: Thu Aug 1 15:20:51 2024 Summary: Recommended update for dracut Severity: moderate References: 1208690,1226412,1226529 Description: This update for dracut fixes the following issues: - Version update: * feat(crypt): force the inclusion of crypttab entries with x-initrd.attach (bsc#1226529) * fix(mdraid): try to assemble the missing raid device (bsc#1226412) * fix(dracut-install): continue parsing if ldd prints 'cannot be preloaded' (bsc#1208690) ----------------------------------------- Patch: SUSE-2024-2862 Released: Fri Aug 9 09:20:34 2024 Summary: Security update for bind Severity: important References: 1228256,1228257,1228258,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076 Description: This update for bind fixes the following issues: Update to 9.16.50: - Bug Fixes: * A regression in cache-cleaning code enabled memory use to grow significantly more quickly than before, until the configured max-cache-size limit was reached. This has been fixed. * Using rndc flush inadvertently caused cache cleaning to become less effective. This could ultimately lead to the configured max-cache-size limit being exceeded and has now been fixed. * The logic for cleaning up expired cached DNS records was tweaked to be more aggressive. This change helps with enforcing max-cache-ttl and max-ncache-ttl in a timely manner. * It was possible to trigger a use-after-free assertion when the overmem cache cleaning was initiated. This has been fixed. New Features: * Added RESOLVER.ARPA to the built in empty zones. - Security Fixes: * It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing. This has been addressed by adding a configurable limit to the number of records that can be stored per name and type in a cache or zone database. The default is 100, which can be tuned with the new max-types-per-name option. (CVE-2024-1737, bsc#1228256) * Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975, bsc#1228257) * When looking up the NS records of parent zones as part of looking up DS records, it was possible for named to trigger an assertion failure if serve-stale was enabled. This has been fixed. (CVE-2024-4076, bsc#1228258)