Image summary for suse-sles-15-sp6-chost-byos-v20240708-hvm-ssd-x86_64

SUSE-IU-2024:631-1

This update for containerd fixes the following issues:

• Revert the noarch change for devel subpackage

This update for openssh fixes the following issues:

• CVE-2024-6387: Fixed race condition in a signal handler (bsc#1226642)

This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5.
This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

This update for libxml2 fixes the following issues:

• CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-IU-2024:563-1

This update for growpart provides the following fix:

• Support btrfs resize and handle ro setup in rootgrow. (bsc#1097455, bsc#1098681)

This update for docker fixes the following issues:

• Build the client binary with -buildmode=pie to fix issues on POWER. (bsc#1100727)
• Fix an issue where changed AppArmor profiles don't actually get applied on Docker daemon reboot. (bsc#1099277)
• Update to AppArmor patch so that signal mediation also works for signals between in-container processes. (bsc#1073877)
• Do not log incorrect warnings when attempting to inject non-existent host files. (bsc#1065609)

This update fixes the following issues:
hwdata:

• Update to version 0.314: + Updated pci, usb and vendor ids.

• Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120)
• Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388)

This update for fuse fixes the following issues:

• CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for rpcbind fixes the following issues:

• Fix tool stack buffer overflow aborting (bsc#969953)

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for containerd, docker and go fixes the following issues:
containerd and docker:

• Add backport for building containerd (bsc#1102522, bsc#1113313)
• Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce. (bsc#1102522)
• Enable seccomp support on SLE12 (fate#325877)
• Update to containerd v1.1.1, which is the required version for the Docker v18.06.0-ce upgrade. (bsc#1102522)
• Put containerd under the podruntime slice (bsc#1086185)
• 3rd party registries used the default Docker certificate (bsc#1084533)
• Handle build breakage due to missing 'export GOPATH' (caused by resolution of boo#1119634). I believe Docker is one of the only packages with this problem.

• golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
• Make profile.d/go.sh no longer set GOROOT=, in order to make switching between versions no longer break. This ends up removing the need for go.sh entirely (because GOPATH is also set automatically) (boo#1119634)
• Fix a regression that broke go get for import path patterns containing '...' (bsc#1119706)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for suse-build-key fixes the following issues:

• Include the SUSE PTF GPG key in the key directory to avoid it being stripped via %doc stripping in CAASP. (bsc#1044232)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for containerd, docker, docker-runc and golang-github-docker-libnetwork fixes the following issues:
Security issues fixed for containerd, docker, docker-runc and golang-github-docker-libnetwork:

• CVE-2018-16873: cmd/go: remote command execution during 'go get -u' (bsc#1118897)
• CVE-2018-16874: cmd/go: directory traversal in 'go get' via curly braces in import paths (bsc#1118898)
• CVE-2018-16875: crypto/x509: CPU denial of service (bsc#1118899)

• Disable leap based builds for kubic flavor (bsc#1121412)
• Allow users to explicitly specify the NIS domainname of a container (bsc#1001161)
• Update docker.service to match upstream and avoid rlimit problems (bsc#1112980)
• Allow docker images larger then 23GB (bsc#1118990)
• Docker version update to version 18.09.0-ce (bsc#1115464)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for hwdata fixes the following issues:
Update to version 0.320 (bsc#1121410):

• Updated the pci, usb and vendor ids vendor and product databases.

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for python-Jinja2 to version 2.10.1 fixes the following issues:
Security issues fixed:

• CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815).
• CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).

This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:

• CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
• CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
• CVE-2018-16873: go secuirty release, fixing cmd/go remote command execution (bsc#1118897).
• CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
• CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

• Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
• Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
• Update to Docker 18.09.5-ce see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
• docker-test: Improvements to test packaging (bsc#1128746).
• Move daemon.json file to /etc/docker directory (bsc#1114832).
• Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
• Fix go build failures (bsc#1121397).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for libtasn1 fixes the following issues:
Security issue fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

This update for docker fixes the following issues:
Security issue fixed:

• CVE-2018-15664: Fixed an issue which could make docker cp vulnerable to symlink-exchange race attacks (bsc#1096726).

This update for rpcbind fixes the following issues:

• Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
• Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.

This update for docker fixes the following issues:

• Mark daemon.json as %config(noreplace) to not overwrite it during installation (bsc#1138920)

This update for cloud-init fixes the following issues:

• Fixes a bug where only the last defined route was written to the routes configuration file (bsc#1132692)
• Fixes a bug where a new network rules file for network devices didn't apply immediately (bsc#1125950)
• Improved the writing of route config files to avoid issues (bsc#1125992)
• Fixes a bug where OpenStack instances where not detected on VIO (bsc#1136440)
• Fixes a bug where IPv4 and IPv6 were not set up as default routes (bsc#1121878)
• Added a fix to prevent the resolv.conf to be empty (bsc#1119397)
• Uses now the proper name to designate IPv6 addresses in ifcfg-* files (bsc#1126101)
• Fixes an issue where the ifroute-eth0 file got corrupted when cloning an existing instance (bsc#1123694)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker:

• CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).
• CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).
• Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).

• Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).
• Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).

• CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).
• Update to containerd v1.2.6, which is required by docker (bsc#1139649).

• Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649).

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for cloud-init provides the following fixes:

• Properly handle static routes. The EphemeralDHCP context manager did not parse or handle rfc3442 classless static routes which prevented reading datasource metadata in some clouds. (bsc#1141969)
• The __str__ implementation no longer delivers the name of the interface, use the 'name' attribute instead to form a proper path in the sysfs tree. (bsc#1144363)
• If no routes are set for a subnet but the subnet has a gateway specified, set the gateway as the default route for the interface. (bsc#1144881)

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for dhcp fixes the following issues:
Secuirty issue fixed:

• CVE-2019-6470: Fixed DHCPv6 server crashes (bsc#1134078).

• Add compile option --enable-secs-byteorder to avoid duplicate lease warnings (bsc#1089524).
• Use IPv6 when called as dhclient6, dhcpd6, and dhcrelay6 (bsc#1136572).

This update for rpcbind fixes the following issues:

• Return correct IP address with multiple ip addresses in the same subnet. (bsc#1142343)

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for cloud-init to version 19.2 fixes the following issues:
Security issue fixed:

• CVE-2019-0816: Fixed the unnecessary extra ssh keys that were added to authorized_keys (bsc#1129124).

• Short circuit the conditional for identifying the sysconfig renderer (bsc#1154092, bsc#1142988).
• If /etc/resolv.conf is a symlink, break it. This will avoid netconfig from clobbering the changes cloud-init applied (bsc#1151488).

This update for growpart, growpart-rootgrow contains the following fixes:
growpart:

• Removed rootgrow sub-package as it is a standalone package now. (bsc#1154357, jsc#ECO-550)

• Added growpart-rootgrow as a standalone package. (bsc#1154357, jsc#ECO-550)
• Bump from version 1.0.0 to 1.0.1: - Fixed binary location in service unit file.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed incomplete patch for LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).

• Update to Docker 19.03.5-ce (bsc#1158590).
• Update to Docker 19.03.3-ce (bsc#1153367).
• Update to Docker 19.03.2-ce (bsc#1150397).
• Fixed default installation such that --userns-remap=default works properly (bsc#1143349).
• Fixed nginx blocked by apparmor (bsc#1122469).

This update for python-jsonpatch fixes the following issues:

• Drop jsondiff binary to avoid conflict with python-jsondiff package.

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for cloud-init fixes the following issues:

• Fixed an issue where it was not possible to add SSH keys and thus it was not possible to log into the system (bsc#1161132, bsc#1161133)
• Fixes an issue where the IPv6 interface variable was not correctly set in an ifcfg file (bsc#1156139)
• The route's destination network will now be written in CIDR notation. This provides support for correctly recording IPv6 routes (bsc#1155376)
• Many smaller fixes came with this package as well. For a full list of all changes, refer to the rpm's changes file.

This update for c-ares fixes the following issues:
c-ares version update to 1.15.0:

• Add ares_init_options() configurability for path to resolv.conf file
• Ability to exclude building of tools (adig, ahost, acountry) in CMake
• Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306)
• Apply the IPv6 server blacklist to all nameserver sources
• Prevent changing name servers while queries are outstanding
• ares_set_servers_csv() on failure should not leave channel in a bad state
• getaddrinfo - avoid infinite loop in case of NXDOMAIN
• ares_getenv - return NULL in all cases
• implement ares_getaddrinfo

• Fixed a regression in DNS results that contain both A and AAAA answers.
• Add netcfg as the build requirement and runtime requirement.

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for growpart fixes the following issues:

• Operation system disk is not automatically resized beyond 2TB on Azure hosts. (bsc#1164736)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for suse-build-key fixes the following issues:

• created a new security@suse.de communication key (bsc#1166334)

This update for cloud-init fixes the following security issues:

• CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG (bsc#1162937).
• CVE-2020-8632: Increased the default random password length from 9 to 20 (bsc#1162936).

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for wireshark and libmaxminddb fixes the following issues:
Update wireshark to new major version 3.2.2 and introduce libmaxminddb for GeoIP support (bsc#1156288).
New features include:

• Added support for 111 new protocols, including WireGuard, LoRaWAN, TPM 2.0, 802.11ax and QUIC
• Improved support for existing protocols, like HTTP/2
• Improved analytics and usability functionalities

This update fixes the following issues:
New python-pytest versions are provided.
In Basesystem:

• python3-pexpect: updated to 4.8.0
• python3-py: updated to 1.8.1
• python3-zipp: shipped as dependency in version 0.6.0

• python2-pexpect: updated to 4.8.0
• python2-py: updated to 1.8.1

This update for cloud-init contains the following fixes:

• Update previous patches with the following additions: + In cases where the config contains 2 or more default gateway specifications for an interface only write the first default route, log warning message about skipped routes + Avoid writing invalid route specification if neither the network nor destination is specified in the route configuration + Still need to consider the 'network' configuration uption for the v1 config implementation. Fixes regression introduced with update from Wed Feb 12 19:30:42. + Add the default gateway to the ifroute config file when specified as part of the subnet configuration. (bsc#1165296) + Fix typo to properly extrakt provided netmask data (bsc#1163178, bsc#1165296) + Fix for default gateway and IPv6. (bsc#1144881) + Routes will be written if there is only a default gateway. (bsc#1148645)

• BuildRequire pkgconfig(udev) instead of udev, which allow OS to shortcut through the -mini flavor.

• Update to cloud-init 19.2. (bsc#1099358, bsc#1145622)

This update for suse-build-key fixes the following issues:

• add a /usr/share/container-keys/ directory for GPG based Container verification.
• Add the SUSE build key as 'suse-container-key.asc'. (PM-1845 bsc#1170347)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for hwdata fixes the following issues:
Update from version 0.320 to version 0.324 (bsc#1168806)

• Updated pci, usb and vendor ids.
• Replace pciutils-ids package providing compatibility symbolic link

This update for jq fixes the following issues:
jq was updated to version 1.6:

• Destructuring Alternation
• many new builtins (see docs)
• Add support for ASAN and UBSAN
• Make it easier to use jq with shebangs
• Add $ENV builtin variable to access environment
• Add JQ_COLORS env var for configuring the output colors
• change: Calling jq without a program argument now always assumes

• Make jq depend on libjq1, so upgrading jq upgrades both

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:

• CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).

• Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector.

• Enable subpixel rendering with infinality config:

• Re-enable freetype-config, there is just too many fallouts.

• Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli.
• freetype-config is now deprecated by upstream and not enabled by default.

• Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs.

• Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues.

• Update to version 2.9.1 * No changelog upstream.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13

• CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377).

This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:

• Support transforming bitmap glyphs from python. (bsc#1169444)
• Allow python-Sphinx >= 3

• Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once.

• Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
• Include the subfamily in the filename of converted fonts
• Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
• Replace some unicode values in cu-pua12.pcf.gz to fix them
• Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not.
• Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

• Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3

This update for cloud-init contains the following fixes:

• rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/.

This update for openvswitch fixes the following issues:

• Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861)
• Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929)

This update for efivar fixes the following issues:

• fix logic that checks for UCS-2 string termination (bsc#1127544)
• fix casting of IPv4 addresses
• Don't require an EUI for NVMe (bsc#1100077)
• Add support for ACPI Generic Container and Embedded Controller root nodes (bsc#1101023)
• fix for compilation failures bsc#1120862

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017

This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:
supportutils-plugin-suse-public-cloud:

• Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt are installed at the same time (bsc#1174618)
• Sensitive information like credentials (such as access keys) will be removed when the metadata is being collected (bsc#1170475, bsc#1170476)

• Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)
• Detects when the VM is running in ASM (Azure Classic) and does now handle the condition to generate the data without requiring access to the full IMDS available, only in ARM instances (bsc#1173357, bsc#1174847)

This update for supportutils-plugin-suse-public-cloud contains the following fix:

• Update to version 1.0.5: (bsc#1175250, bsc#1175251) + Query for new GCE initialization code packages

This update for libmaxminddb fixes the following issues:

• update to 1.4.3: * Use of uninitialized memory in dump_entry_data_list() could have cause a heap buffer flow in mmdblookup [bsc#1175006]

This update for systemd-rpm-macros fixes the following issues:

• Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034)

This update for systemd-rpm-macros fixes the following issues:

• Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir

• Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi

This update for suse-build-key fixes the following issues:

• The SUSE Notary Container key is different from the build signing key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)

• The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)

This update for efivar fixes the following issues:

• Fixed an issue when segmentation fault are caused on non-EFI systems. (bsc#1175989)

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for freetype2 fixes the following issues:

• CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

This update for sysconfig fixes the following issues:

• Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285)
• Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325)
• Fix for 'chrony helper' calling in background. (bsc#1173391)
• Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566)

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

This update for cloud-init contains the following fixes:

• Avoid exception if no gateway information is present and warning is triggered for existing routing. (bsc#1177526)

• From 20.1 (first vesrion after 19.4) + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219) (LP: #1863943) + utils: use SystemRandom when generating random password. (#204) [Dimitri John Ledkov] + docs: mount_default_files is a list of 6 items, not 7 (#212) + azurecloud: fix issues with instances not starting (#205) (LP: #1861921) + unittest: fix stderr leak in cc_set_password random unittest output. (#208) + cc_disk_setup: add swap filesystem force flag (#207) + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić] + docs: fix typo (#195) [Edwin Kofler] + sysconfig: distro-specific config rendering for BOOTPROTO option (#162) [Robert Schweikert] (LP: #1800854) + cloudinit: replace 'from six import X' imports (except in util.py) (#183) + run-container: use 'test -n' instead of 'test ! -z' (#202) [Paride Legovini] + net/cmdline: correctly handle static ip= config (#201) [Dimitri John Ledkov] (LP: #1861412) + Replace mock library with unittest.mock (#186) + HACKING.rst: update CLA link (#199) + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128) [Louis Bouchard] + cloudinit/cmd/devel/net_convert.py: add missing space (#191) + tools/run-container: drop support for python2 (#192) [Paride Legovini] + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789) + Make the RPM build use Python 3 (#190) [Paride Legovini] + cc_set_password: increase random pwlength from 9 to 20 (#189) (LP: #1860795) + .travis.yml: use correct Python version for xenial tests (#185) + cloudinit: remove ImportError handling for mock imports (#182) + Do not use fallocate in swap file creation on xfs. (#70) [Eduardo Otubo] (LP: #1781781) + .readthedocs.yaml: install cloud-init when building docs (#181) (LP: #1860450) + Introduce an RTD config file, and pin the Sphinx version to the RTD default (#180) + Drop most of the remaining use of six (#179) + Start removing dependency on six (#178) + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy] + docs: add proposed SRU testing procedure (#167) + util: rename get_architecture to get_dpkg_architecture (#173) + Ensure util.get_architecture() runs only once (#172) + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann] + freebsd: remove superflu exception mapping (#166) [Gonéri Le Bouder] + ssh_auth_key_fingerprints_disable test: fix capitalization (#165) [Paride Legovini] + util: move uptime's else branch into its own boottime function (#53) [Igor Galić] (LP: #1853160) + workflows: add contributor license agreement checker (#155) + net: fix rendering of 'static6' in network config (#77) (LP: #1850988) + Make tests work with Python 3.8 (#139) [Conrad Hoffmann] + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74] + freebsd: fix create_group() cmd (#146) [Gonéri Le Bouder] + doc: make apt_update example consistent (#154) + doc: add modules page toc with links (#153) (LP: #1852456) + Add support for the amazon variant in cloud.cfg.tmpl (#119) [Frederick Lefebvre] + ci: remove Python 2.7 from CI runs (#137) + modules: drop cc_snap_config config module (#134) + migrate-lp-user-to-github: ensure Launchpad repo exists (#136) + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers] + doc: update cc_set_hostname frequency and descrip (#109) [Joshua Powers] (LP: #1827021) + freebsd: introduce the freebsd renderer (#61) [Gonéri Le Bouder] + cc_snappy: remove deprecated module (#127) + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130) + freebsd: cloudinit service requires devd (#132) [Gonéri Le Bouder] + cloud-init: fix capitalisation of SSH (#126) + doc: update cc_ssh clarify host and auth keys [Joshua Powers] (LP: #1827021) + ci: emit names of tests run in Travis (#120)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for c-ares fixes the following issues:

• Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html

This update for cloud-init contains the following fixes:

• Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151) + Properly set the password for the default user in all circumstances

• Patch the full package version into the cloud-init version file

• Update cloud-init-write-routes.patch (bsc#1177526) + Fix missing default route when dual stack network setup is used. Once a default route was configured for Ipv6 or IPv4 the default route configuration for the othre protocol was skipped.

• Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882).

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for gzip fixes the following issue:

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

This update for systemd-rpm-macros fixes the following issues:

• Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart
• Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun().
• Does no longer apply presets when migrating from a disabled initscript (bsc#1178481)
• Fix importing of %{_unitdir}

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for hwdata fixes the following issues:

• Added merge-pciids.pl to fully duplicate behavior of pciutils-ids (bsc#1180422, bsc#1180482)
• Updated pci, usb and vendor ids.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:

• CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
• CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

• Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).

• Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)

• Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243

• Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708

• Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14

• Enable fish-completion

• Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

• Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.

• Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
• Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.

• Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243

• Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

This update for docker, golang-github-docker-libnetwork fixes the following issues:

• A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

This update for cloud-init contains the following fixes:

• Update cloud-init-write-routes.patch (bsc#1180176) + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.

• Add cloud-init-sle12-compat.patch (jsc#PM-2335) - Python 3.4 compatibility in setup.py - Disable some test for mock version compatibility

This update for python-Jinja2 fixes the following issues:

• CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

This update for protobuf fixes the following issues:

• Add missing dependency of python subpackages on python-six. (bsc#1177127)

This update for systemd-rpm-macros fixes the following issues:

• Bump to version 6

• Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM.

• Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update.

This update for efivar fixes the following issues:

• Fixed an issue with the NVME path parsing (bsc#1181967)

This update for systemd-rpm-macros fixes the following issues:

• Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012)
• Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661)

This update for hwdata fixes the following issues:

• Updated pci, usb and vendor ids (bsc#1182482, bsc#1170160, jsc#SLE-13791)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for cloud-init fixes the following issues:

• Does no longer include the sudoers.d directory twice (bsc#1181283)

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

This update for gzip fixes the following issues:

• Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for gzip fixes the following issues:

• Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

This update for dhcp fixes the following issues:

• Use '/run' instead of '/var/run' for PIDFile in 'dhcrelay.service'. (bsc#1185157)

This update for cloud-init fixes the following issues:

• Fixed an issue, where the bonding options were wrongly configured in SLE and openSUSE (bsc#1184085)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for snappy fixes the following issues:
Update from version 1.1.3 to 1.1.8

• Small performance improvements.
• Removed `snappy::string` alias for `std::string`.
• Improved `CMake` configuration.
• Improved packages descriptions.
• Fix RPM groups.
• Aarch64 fixes
• PPC speedups
• PIE improvements
• Fix license install. (bsc#1080040)
• Fix a 1% performance regression when snappy is used in PIE executable.
• Improve compression performance by 5%.
• Improve decompression performance by 20%.
• Use better download URL.
• Fix a build issue for tensorflow2. (bsc#1184507)

This update for dhcp fixes the following issues:

• CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

This update for python-py fixes the following issues:

• CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for gzip fixes the following issue:

• gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for sysconfig fixes the following issue:

• sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for hwdata fixes the following issues:

• Update to version 0.347: + Updated pci, usb and vendor ids. (bsc#1185697)

• Update to version 0.346: + Updated pci, usb and vendor ids. (bsc#1182482, jsc#SLE-13791, bsc#1170160)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

• Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
• CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
• btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

• Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
• Fixed /dev/null is not available (bsc#1168481).
• CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

• CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
• Handle a requirement from docker (bsc#1181594).

This update for python-urllib3 fixes the following issues:

• CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045)

This update for python-six fixes the following issue:

• python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for patterns-microos provides the following fix:

• Add zypper-migration-plugin to the default pattern. (bsc#1186791)

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for dosfstools fixes the following issue:

• Fixed a bug that was causing an installation issue when trying to create an EFI partition on an NVMe-over-Fabrics device (bsc#1172863)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for efivar provides the following fix:

• Fix the eMMC sysfs parsing. (bsc#1187386)

This update for containerd fixes the following issues:

• CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282)

This update for hwdata fixes the following issue:

• Version 0.349: Updated pci, usb and vendor ids (bsc#1187948).

This update for shim fixes the following issues:

• shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
• Avoid deleting the mirrored RT variables (bsc#1187696)
• Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
• Handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
• Relax the maximum variable size check for u-boot (bsc#1185621)
• Relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)
• Ignore the odd LoadOptions length (bsc#1185232)
• shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
• Fided the size of rela sections for AArch64
• Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)
• Avoid potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)
• Avoid buffer overflow when copying data to the MOK config table (bsc#1185232)

This update for sysconfig fixes the following issues:

• Link as Position Independent Executable (bsc#1184124).

This update for python-pytz fixes the following issues:

• Add %pyunittest shim for platforms where it is missing.
• Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink. (bsc#1185748)
• Bump tzdata_version
• update to 2021.1: * update to IANA 2021a timezone release

This update for systemd-default-settings fixes the following issue:

• Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:

• CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
• If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
• Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
• Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
• Use unbuffered /dev/urandom for random data to prevent early startup performance issues

This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli

• Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package.

• Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0

• Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0

• CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)

This update for cloud-init contains the following:

• Change log file creation mode to 640. (bsc#1183939)
• Do not write the generated password to the log file. (bsc#1184758)
• Allow purging cache when Python when version change detected.

This update for systemd-rpm-macros fixes the following issues:

• Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332)
• Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead.
• %sysusers_create_inline: use here-docs instead of echo (bsc#1186282)

This update for runc fixes the following issues:

• Fixed an issue when toolbox container fails to start. (bsc#1189743)

This update for hwdata fixes the following issue:

• Update pci, usb and vendor ids (bsc#1190091)

This update for python3 fixes the following issues:

• Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338)

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for c-ares fixes the following issue:

• Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores.

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for docker fixes the following issues:

• Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
• Add shell requires for the *-completion subpackages.

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

This update for ca-certificates-mozilla fixes the following issues:

• A new sub-package for minimal base containers (jsc#SLE-22162)

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

• CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

• Install systemd service file as well (bsc#1190826)

• Fixed a failure to set CPU quota period in some cases on cgroup v1.
• Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
• Made release builds reproducible from now on.
• Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

• Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
• Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
• cgroup/systemd/v2: don't freeze cgroup on Set.
• cgroup/systemd/v1: avoid unnecessary freeze on Set.
• fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
• cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
• cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
• cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
• cgroupv2: support SkipDevices with systemd driver
• cgroup/systemd: return, not ignore, stop unit error from Destroy
• Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
• cgroup1: blkio: support BFQ weights.
• cgroupv2: set per-device io weights if BFQ IO scheduler is available.

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

• seccomp: fix 32-bit compilation errors
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
• runc start: fix 'chdir to cwd: permission denied' for some setups

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for hwdata fixes the following issue:

• Update to version 0.353 (bsc#1191375)

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for brotli fixes the following issues:

• CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

This update for python-Babel fixes the following issues:

• CVE-2021-42771: Fixed relative path traversal that may lead to arbitrary locale files loading and arbitrary code execution (bsc#1185768).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for systemd-rpm-macros fixes the following issues:

• Introduce rpm macro %_systemd_util_dir

This update for python3 fixes the following issues:

• CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).
• CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).
• CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

• We do not require python-rpm-macros package (bsc#1180125).
• Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
• Stop providing 'python' symbol, which means python2 currently (bsc#1185588).
• Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).

This update for runc fixes the following issues:
Update to runc v1.0.3.

• CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
• Fixed inability to start when read-only /dev in set in spec.
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd.
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes).

This update for python3 fixes the following issues:

• Don't use OpenSSL 1.1 on platforms which don't have it.

• Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249).
• Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566)
• Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'.

This update for dosfstools fixes the following issues:

• To be able to create filesystems compatible with previous version, add -g command line option to mkfs (bsc#1188401)
• BREAKING CHANGES: After fixing of bsc#1172863 in the last update, mkfs started to create different images than before. Applications that depend on exact FAT file format (e. g. embedded systems) may be broken in two ways: * The introduction of the alignment may create smaller images than before, with a different positions of important image elements. It can break existing software that expect images in doststools <= 4.1 style. To work around these problems, use '-a' command line argument. * The new image may contain a different geometry values. Geometry sensitive applications expecting doststools <= 4.1 style images can fails to accept different geometry values. There is no direct work around for this problem. But you can take the old image, use 'file -s $IMAGE', check its 'sectors/track' and 'heads', and use them in the newly introduced '-g' command line argument.

This update for hwdata fixes the following issues:

• Update hwdata from version 0.353 to 0.355 which includes updated pci, usb and vendor ids (bsc#1194338)

This update for cloud-init fixes the following issues:

• Update to version 21.2 (bsc#1186004) + Add \r\n check for SSH keys in Azure (#889) + Revert 'Add support to resize rootfs if using LVM (#721)' (#887) (LP: #1922742) + Add Vultaire as contributor (#881) [Paul Goins] + Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo] + test_upgrade: modify test_upgrade_package to run for more sources (#883) + Fix chef module run failure when chef_license is set (#868) [Ben Hughes] + Azure: Retry net metadata during nic attach for non-timeout errs (#878) [aswinrajamannar] + Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer] + Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo] + Use `partprobe` to re-read partition table if available (#856) [Nicolas Bock] (LP: #1920939) + fix error on upgrade caused by new vendordata2 attributes (#869) (LP: #1922739) + add prefer_fqdn_over_hostname config option (#859) [hamalq] (LP: #1921004) + Emit dots on travis to avoid timeout (#867) + doc: Replace remaining references to user-scripts as a config module (#866) [Ryan Harper] + azure: Removing ability to invoke walinuxagent (#799) [Anh Vo] + Add Vultr support (#827) [David Dymko] + Fix unpickle for source paths missing run_dir (#863) [lucasmoura] (LP: #1899299) + sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann] + bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov] + add hamalq user (#860) [hamalq] + Add support to resize rootfs if using LVM (#721) [Eduardo Otubo] (LP: #1799953) + Fix mis-detecting network configuration in initramfs cmdline (#844) (LP: #1919188) + tools/write-ssh-key-fingerprints: do not display empty header/footer (#817) [dermotbradley] + Azure helper: Ensure Azure http handler sleeps between retries (#842) [Johnson Shi] + Fix chef apt source example (#826) [timothegenzmer] + .travis.yml: generate an SSH key before running tests (#848) + write passwords only to serial console, lock down cloud-init-output.log (#847) (LP: #1918303) + Fix apt default integration test (#845) + integration_tests: bump pycloudlib dependency (#846) + Fix stack trace if vendordata_raw contained an array (#837) [eb3095] + archlinux: Fix broken locale logic (#841) [Kristian Klausen] (LP: #1402406) + Integration test for #783 (#832) + integration_tests: mount more paths IN_PLACE (#838) + Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875) + Remove the vi comment from the part-handler example (#835) + net: exclude OVS internal interfaces in get_interfaces (#829) (LP: #1912844) + tox.ini: pass OS_* environment variables to integration tests (#830) + integration_tests: add OpenStack as a platform (#804) + Add flexibility to IMDS api-version (#793) [Thomas Stringer] + Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini] (LP: #1916629) + doc: remove duplicate 'it' from nocloud.rst (#825) [V.I. Wood] + archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen] + cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley] + Update cc_set_hostname documentation (#818) [Toshi Aoyama]

• Fix unit test fail in TestGetPackageMirrorInfo::test_substitution.

• Add patch from upstream to remove python2 compatibility so cloud-init builds fine in Tumbleweed with a recent Jinja2 version. This patch is only applied in TW.

This update for boost fixes the following issues:

• Fix compilation errors (bsc#1194522)

This update for containerd, docker fixes the following issues:

• CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015).
• CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).
• CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).
• CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).
• CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).

This update for systemd-rpm-macros fixes the following issues:

• Bump version to 10

• %sysusers_create_inline was wrongly marked as deprecated
• %sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. So don't mark it as deprecated too

This update for blog fixes the following issues:

• Update to version 2.26 * On s390/x and PPC64 gcc misses unused arg0

• Update to version 2.24 * Avoid install errror due missed directory

• Update to version 2.22 * Avoid KillMode=none for newer systemd version as well as rework the systemd unit files of blog (bsc#1186506)

• Move to /usr for UsrMerge (bsc#1191057)

• Update to version 2.21 * Merge pull request #4 from samueldr/fix/makefile Fixup Makefile for better build system support * Silent new gcc compiler

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

• Update to version 1.0.6 (bsc#1195095, bsc#1195096) - Include cloud-init logs whenever they are present - Update the packages we track in AWS, Azure, and Google - Include the ecs logs for AWS ECS instances

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for containerd fixes the following issues:

• CVE-2022-23648: A specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host (bsc#1196441).

This update for pciutils fixes the following issues:

• Report the theoretical speeds for PCIe 5.0 and 6.0 (bsc#1192862)

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for suse-build-key fixes the following issues:

• The old SUSE PTF key was extended, but also move it to suse_ptf_key_old.asc (as it is a DSA1024 key).
• Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
• Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845)
• Added SUSE Container signing key in PEM format for use e.g. by cosign.
• The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:

• Add patch to fix build with new webcolors.

• update to version 3.2.0 (jsc#SLE-18756): * Added a format_nongpl setuptools extra, which installs only format dependencies that are non-GPL (#619).

• specfile: * require python-importlib-metadata
• update to version 3.1.1: * Temporarily revert the switch to js-regex until #611 and #612 are resolved.
• changes from version 3.1.0: - Regular expressions throughout schemas now respect the ECMA 262 dialect, as recommended by the specification (#609).

• Activate more of the test suite
• Remove tests and benchmarking from the runtime package
• Update to v3.0.2 - Fixed a bug where 0 and False were considered equal by const and enum
• from v3.0.1 - Fixed a bug where extending validators did not preserve their notion of which validator property contains $id information.

• Update to 3.0.1: - Support for Draft 6 and Draft 7 - Draft 7 is now the default - New TypeChecker object for more complex type definitions (and overrides) - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification

• Use %license instead of %doc (bsc#1082318)

• Remove hashbang from runtime module
• Replace PyPI URL with https://github.com/dgerber/rfc3987
• Activate doctests

• Add missing runtime dependency on timezone
• Replace dead link with GitHub URL
• Activate test suite

• Trim bias from descriptions.

• Initial commit, needed by flex

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for python3 fixes the following issues:

• CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for cloud-init contains the following fixes:

• Enable broader systemctl location. (bsc#1193531)

• Remove unneeded BuildRequires on python3-nose.

This update of containerd fixes the following issue:

• container-ctr is shipped to the PackageHub repos.

This update for suse-build-key fixes the following issues:
No longer install 1024bit keys by default. (bsc#1197293)

• The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package.
• The old PTF (pre March 2022) key moved to documentation directory.

This update for cloud-init contains the following fixes:

• Update to version 21.4 (bsc#1192343, jsc#PM-3181) + Also include VMWare functionality for (jsc#PM-3175) + Remove patches included upstream. + Forward port fixes. + Fix for VMware Test, system dependend, not properly mocked previously. + Azure: fallback nic needs to be reevaluated during reprovisioning (#1094) [Anh Vo] + azure: pps imds (#1093) [Anh Vo] + testing: Remove calls to 'install_new_cloud_init' (#1092) + Add LXD datasource (#1040) + Fix unhandled apt_configure case. (#1065) [Brett Holman] + Allow libexec for hotplug (#1088) + Add necessary mocks to test_ovf unit tests (#1087) + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336) + distros: Remove a completed 'TODO' comment (#1086) + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083) [dermotbradley] + Add 'install hotplug' module (SC-476) (#1069) (LP: #1946003) + hosts.alpine.tmpl: rearrange the order of short and long hostnames (#1084) [dermotbradley] + Add max version to docutils + cloudinit/dmi.py: Change warning to debug to prevent console display (#1082) [dermotbradley] + remove unnecessary EOF string in disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele Giuseppe Esposito] + Add module 'write-files-deferred' executed in stage 'final' (#916) [Lucendio] + Bump pycloudlib to fix CI (#1080) + Remove pin in dependencies for jsonschema (#1078) + Add 'Google' as possible system-product-name (#1077) [vteratipally] + Update Debian security suite for bullseye (#1076) [Johann Queuniet] + Leave the details of service management to the distro (#1074) [Andy Fiddaman] + Fix typos in setup.py (#1059) [Christian Clauss] + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644) + cc_ssh.py: fix private key group owner and permissions (#1070) [Emanuele Giuseppe Esposito] + VMware: read network-config from ISO (#1066) [Thomas Weißschuh] + testing: mock sleep in gce unit tests (#1072) + CloudStack: fix data-server DNS resolution (#1004) [Olivier Lemasle] (LP: #1942232) + Fix unit test broken by pyyaml upgrade (#1071) + testing: add get_cloud function (SC-461) (#1038) + Inhibit sshd-keygen@.service if cloud-init is active (#1028) [Ryan Harper] + VMWARE: search the deployPkg plugin in multiarch dir (#1061) [xiaofengw-vmware] (LP: #1944946) + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493) + Use specified tmp location for growpart (#1046) [jshen28] + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman] + Allow comments in runcmd and report failed commands correctly (#1049) [Brett Holman] (LP: #1853146) + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050) [Paride Legovini] + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299) + renderer: convert relative imports to absolute (#1052) [Paride Legovini] + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045) [Vlastimil Holer] + integration-requirements: bump the pycloudlib commit (#1047) [Paride Legovini] + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095] + pin jsonschema in requirements.txt (#1043) + testing: remove cloud_tests (#1020) + Add andgein as contributor (#1042) [Andrew Gein] + Make wording for module frequency consistent (#1039) [Nicolas Bock] + Use ascii code for growpart (#1036) [jshen28] + Add jshen28 as contributor (#1035) [jshen28] + Skip test_cache_purged_on_version_change on Azure (#1033) + Remove invalid ssh_import_id from examples (#1031) + Cleanup Vultr support (#987) [eb3095] + docs: update cc_disk_setup for fs to raw disk (#1017) + HACKING.rst: change contact info to James Falcon (#1030) + tox: bump the pinned flake8 and pylint version (#1029) [Paride Legovini] (LP: #1944414) + Add retries to DataSourceGCE.py when connecting to GCE (#1005) [vteratipally] + Set Azure to apply networking config every BOOT (#1023) + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603) + docs: fix typo and include sudo for report bugs commands (#1022) [Renan Rodrigo] (LP: #1940236) + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun] + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798) + Integration test upgrades for the 21.3-1 SRU (#1001) + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans] + Improve ug_util.py (#1013) [Shreenidhi Shedi] + Support openEuler OS (#1012) [zhuzaifangxuele] + ssh_utils.py: ignore when sshd_config options are not key/value pairs (#1007) [Emanuele Giuseppe Esposito] + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006) + cc_update_etc_hosts: Use the distribution-defined path for the hosts file (#983) [Andy Fiddaman] + Add CloudLinux OS support (#1003) [Alexandr Kravchenko] + puppet config: add the start_agent option (#1002) [Andrew Bogott] + Fix `make style-check` errors (#1000) [Shreenidhi Shedi] + Make cloud-id copyright year (#991) [Andrii Podanenko] + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi] + Update ds-identify to pass shellcheck (#979) [Andrew Kutz] + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998) [aswinrajamannar] + testing: Fix ssh keys integration test (#992)

• From 21.3 + Azure: During primary nic detection, check interface status continuously before rebinding again (#990) [aswinrajamannar] + Fix home permissions modified by ssh module (SC-338) (#984) (LP: #1940233) + Add integration test for sensitive jinja substitution (#986) + Ignore hotplug socket when collecting logs (#985) (LP: #1940235) + testing: Add missing mocks to test_vmware.py (#982) + add Zadara Edge Cloud Platform to the supported clouds list (#963) [sarahwzadara] + testing: skip upgrade tests on LXD VMs (#980) + Only invoke hotplug socket when functionality is enabled (#952) + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz] + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi] + Replace broken httpretty tests with mock (SC-324) (#973) + Azure: Check if interface is up after sleep when trying to bring it up (#972) [aswinrajamannar] + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi] + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa] + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz] + Azure: Limit polling network metadata on connection errors (#961) [aswinrajamannar] + Update inconsistent indentation (#962) [Andrew Kutz] + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy] + Add Puppet contributors to CLA signers (#964) [Noah Fontes] + Datasource for VMware (#953) [Andrew Kutz] + photon: refactor hostname handling and add networkd activator (#958) [sshedi] + Stop copying ssh system keys and check folder permissions (#956) [Emanuele Giuseppe Esposito] + testing: port remaining cloud tests to integration testing framework (SC-191) (#955) + generate contents for ovf-env.xml when provisioning via IMDS (#959) [Anh Vo] + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski] + Implementing device_aliases as described in docs (#945) [Mal Graty] (LP: #1867532) + testing: fix test_ssh_import_id.py (#954) + Add ability to manage fallback network config on PhotonOS (#941) [sshedi] + Add VZLinux support (#951) [eb3095] + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun] + Update pylint to v2.9.3 and fix the new issues it spots (#946) [Paride Legovini] + Azure: mount default provisioning iso before try device listing (#870) [Anh Vo] + Document known hotplug limitations (#950) + Initial hotplug support (#936) + Fix MIME policy failure on python version upgrade (#934) + run-container: fixup the centos repos baseurls when using http_proxy (#944) [Paride Legovini] + tools: add support for building rpms on rocky linux (#940) + ssh-util: allow cloudinit to merge all ssh keys into a custom user file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito] (LP: #1911680) + VMware: new 'allow_raw_data' switch (#939) [xiaofengw-vmware] + bump pycloudlib version (#935) + add renanrodrigo as a contributor (#938) [Renan Rodrigo] + testing: simplify test_upgrade.py (#932) + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder] + Add new network activators to bring up interfaces (#919) + Detect a Python version change and clear the cache (#857) [Robert Schweikert] + cloud_tests: fix the Impish release name (#931) [Paride Legovini] + Removed distro specific network code from Photon (#929) [sshedi] + Add support for VMware PhotonOS (#909) [sshedi] + cloud_tests: add impish release definition (#927) [Paride Legovini] + docs: fix stale links rename master branch to main (#926) + Fix DNS in NetworkState (SC-133) (#923) + tests: Add 'adhoc' mark for integration tests (#925) + Fix the spelling of 'DigitalOcean' (#924) [Mark Mercado] + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell] + Replace deprecated collections.Iterable with abc replacement (#922) (LP: #1932048) + testing: OCI availability domain is now required (SC-59) (#910) + add DragonFlyBSD support (#904) [Gonéri Le Bouder] + Use instance-data-sensitive.json in jinja templates (SC-117) (#917) (LP: #1931392) + doc: Update NoCloud docs stating required files (#918) (LP: #1931577) + build-on-netbsd: don't pin a specific py3 version (#913) [Gonéri Le Bouder] + Create the log file with 640 permissions (#858) [Robert Schweikert] + Allow braces to appear in dhclient output (#911) [eb3095] + Docs: Replace all freenode references with libera (#912) + openbsd/net: flush the route table on net restart (#908) [Gonéri Le Bouder] + Add Rocky Linux support to cloud-init (#906) [Louis Abel] + Add 'esposem' as contributor (#907) [Emanuele Giuseppe Esposito] + Add integration test for #868 (#901) + Added support for importing keys via primary/security mirror clauses (#882) [Paul Goins] (LP: #1925395) + [examples] config-user-groups expire in the future (#902) [Geert Stappers] + BSD: static network, set the mtu (#894) [Gonéri Le Bouder] + Add integration test for lp-1920939 (#891) + Fix unit tests breaking from new httpretty version (#903) + Allow user control over update events (#834) + Update test characters in substitution unit test (#893) + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886) [dermotbradley] + Add AlmaLinux OS support (#872) [Andrew Lukoshko]

This update for hwdata fixes the following issues:

• Updated pci, usb and vendor ids (bsc#1196332)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for tar fixes the following issues:

• CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
• CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
• CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

• Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges

• Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files

• prepare usrmerge (bsc#1029961)

• Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite

• Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived.

This update for gzip fixes the following issues:

• CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for containerd, docker fixes the following issues:

• CVE-2022-24769: Fixed incorrect default inheritable capabilities (bsc#1197517).
• CVE-2022-23648: Fixed directory traversal issue (bsc#1196441).
• CVE-2022-27191: Fixed a crash in a golang.org/x/crypto/ssh server (bsc#1197284).
• CVE-2021-43565: Fixed a panic in golang.org/x/crypto by empty plaintext packet (bsc#1193930).

This update for hwdata fixes the following issues:

• Updated pci, usb and vendor ids (bsc#1196332)

This update for dhcp fixes the following issues:

• Properly handle DHCRELAY(6)_OPTIONS (bsc#1198657)

This update for suse-build-key fixes the following issues:

• still ship the old ptf key in the documentation directory (bsc#1198504)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for containerd, docker and runc fixes the following issues:
containerd:

• CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

• Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

• Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing).
• Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
• Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang.
• When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths.
• Socket activation was failing when more than 3 sockets were used.
• Various CI fixes.
• Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
• Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

• CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460)

• `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file.

• runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
• runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404)
• Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported' error. (#3406)
• libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

• libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

• Add support for RDMA cgroup added in Linux 4.11.
• runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed.
• runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container hasexited.
• seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL).
• seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host.
• checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore.
• intelrdt: support ClosID parameter.
• runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed.
• cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it).
• sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour.
• mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users.
• Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro).
• Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130.
• system: improve performance of /proc/$pid/stat parsing.
• cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process.
• runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink.
• cgroup: improve openat2 handling for cgroup directory handle hardening. runc delete -f now succeeds (rather than timing out) on a paused container.
• runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused.
• Update version data embedded in binary to correctly include the git commit of the release.

This update for python-cryptography fixes the following issues:
python-cryptography was updated to 3.3.2.
update to 3.3.0:

• BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window.
• BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types.
• BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
• Added the recover_data_from_signature() function to RSAPublicKey for recovering the signed data from an RSA signature.

• CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
• Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.

• **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
• ``backend`` arguments to functions are no longer required and the default backend will automatically be selected if no ``backend`` is provided.
• Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` .
• Calling ``update`` or ``update_into`` on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data`` longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This also resolves the same issue in :doc:`/fernet`.

• RSA generate_private_key() no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
• X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until version is accessed.
• Deprecated support for Python 2
• Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: load_ssh_private_key() for loading and OpenSSH for writing.
• Added support for OpenSSH certificates to load_ssh_public_key().
• Added encrypt_at_time() and decrypt_at_time() to Fernet.
• Added support for the SubjectInformationAccess X.509 extension.
• Added support for parsing SignedCertificateTimestamps in OCSP responses.
• Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
• Added support for encoding attributes in certificate signing requests via add_attribute().
• On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
• Added initial support for creating PKCS12 files with serialize_key_and_certificates().

• BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden.
• BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade.
• BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
• Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format.
• BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514.
• Added support for parsing single_extensions in an OCSP response.
• NameAttribute values can now be empty strings.

This update for python3 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for cifs-utils fixes the following issues:

• CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).

This update for logrotate fixes the following issues:
Security issues fixed:

• CVE-2022-1348: Fixed insecure permissions for state file creation (bsc#1199652).
• Improved coredump handing for SUID binaries (bsc#1192449).

• Fixed 'logrotate emits unintended warning: keyword size not properly separated, found 0x3d' (bsc#1200278, bsc#1200802).

This update for python-PyJWT fixes the following issues:

• CVE-2022-29217: Fixed key confusion through non-blocklisted public key format (bsc#1199756).

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for rpm-config-SUSE fixes the following issues:

• Add SBAT values macros for other packages (bsc#1193282)

This update for python-cssselect implements packages to the unrestrictied repository.

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for yaml-cpp fixes the following issue:

• Version 0.6.3 changed ABI without changing SONAME. Re-add symbol from the old ABI to prevent ABI breakage and crash of applications compiled with 0.6.1 (bsc#1200624, bsc#1178332, bsc#1178331, bsc#1160171).

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for tar fixes the following issues:

• Fix race condition while creating intermediate subdirectories (bsc#1200657)

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures fixes the following issues:

• Update in SLE-15 (bsc#1196696, bsc#1195916, jsc#SLE-23972)

• Remove redundant python3 dependency from Requires
• Update regular expression to fix python shebang
• Style is enforced upstream and triggers unnecessary build version requirements
• Allow specifying fs_id in cloudwatch log group name
• Includes fix for stunnel path
• Added hardening to systemd service(s).
• Raise minimal pytest version
• Fix typo in the ansi2html Requires
• Cleanup with spec-cleaner
• Make sure the tests are really executed
• Remove useless devel dependency
• Multiprocessing support in Python 3.8 was broken, but is now fixed
• Bumpy the URL to point to github rather than to docs

This update for tar fixes the following issues:

• A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

This update for python-iniconfig provides the following fix:

• Ship python3-iniconfig also to openSUSE 15.3 and 15.4 (bsc#1202498)

This update for elfutils fixes the following issues:

• Fix runtime dependency for devel package

This update for audit-secondary fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)

This update for python-iniconfig provides the following fix:

• Ship missing python2-iniconfig to openSUSE 15.3 (bsc#1202498)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for python-pyOpenSSL fixes the following issues:

• Fixed checks for invalid ALPN lists before calling OpenSSL (gh#pyca/pyopenssl#1056).

• The minimum ``cryptography`` version is now 3.3.
• Raise an error when an invalid ALPN value is set.
• Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
• Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.

This update for python-pytz fixes the following issues:

• update to 2022.1: matches tzdata 2022a

• declare python 3.10 compatibility

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for hwdata fixes the following issue:

• Update pci, usb and vendor ids to version 0.360 (bsc#1200110)

This update for libyajl fixes the following issues:

• CVE-2022-24795: Fixed heap-based buffer overflow when handling large inputs (bsc#1198405).

This update for sysconfig fixes the following issues:

• netconfig: remove sed dependency
• netconfig/dns-resolver: remove search limit of 6 domains (bsc#1199093)
• netconfig: cleanup /var/run leftovers (bsc#1194557)
• netconfig: update ntp man page documentation, fix typos
• netconfig: revert NM default policy change change (bsc#1185882) With the change to the default policy, netconfig with NetworkManager as network.service accepted settings from all services/programs directly instead only from NetworkManager, where plugins/services have to deliver their settings to apply them.
• Also support service(network) provides

This update for freetype2 fixes the following issues:

• CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
• CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
• CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).

• Updated to version 2.10.4

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for oniguruma fixes the following issues:

• CVE-2019-19246: Fixed an out of bounds access during regular expression matching (bsc#1157805).
• CVE-2019-19204: Fixed an out of bounds access when compiling a crafted regular expression (bsc#1164569).
• CVE-2019-19203: Fixed an out of bounds access when performing a string search (bsc#1164550).
• CVE-2019-16163: Fixed an uncontrolled recursion issue when compiling a crafted regular expression, which could lead to denial of service (bsc#1150130).
• CVE-2020-26159: Fixed an off-by-one buffer overflow (bsc#1177179).
• CVE-2019-13224: Fixed a potential use-after-free when handling multiple different encodings (bsc#1142847).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

• Added:

• Removed:

• Added:

• Removed:

• Added:

• Added new root CAs:

• Removed old root CAs:

This update for runc fixes the following issues:

• Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
• Fix 'permission denied' error from runc run on noexec fs
• Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This feature update for dmidecode fixes the following issues:
Update dmidecode from version 3.2 to version 3.4 (jsc#SLE-24502, jsc#SLE-24591, jsc#PED-411):

• Add bios-revision, firmware-revision and system-sku-number to `-s` option
• Decode HPE OEM records 194, 199, 203, 236, 237, 238 ans 240
• Decode system slot base bus width and peers
• Document how the UUID fields are interpreted
• Don't display the raw CPU ID in quiet mode
• Don't use memcpy on /dev/mem on arm64
• Fix OEM vendor name matching
• Fix small typo in NEWS file
• Improve the formatting of the manual pages
• Present HPE type 240 attributes as a proper list instead of packing them on a single line. This makes it more readable overall, and will also scale better if the number of attributes increases
• Skip details of uninstalled memory modules
• Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memor module extended speed, new system slot types, new processor characteristic and new format of Processor ID
• Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information)
• Use the most appropriate unit for cache size