----------------------------------------- Version 1.0.0-Build6.15 2024-10-03T09:00:25 ----------------------------------------- Patch: 7 Released: Mon Jul 15 13:04:11 2024 Summary: Security update for less Severity: important References: 1222849,CVE-2024-32487 Description: This update for less fixes the following issues: - CVE-2024-32487: Fix a bug where mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849) ----------------------------------------- Patch: 9 Released: Fri Aug 9 10:33:34 2024 Summary: Recommended update for bash, libcap-ng, libselinux, libselinux-bindings, libsemanage, zypper Severity: low References: Description: This update fixes the following issues: - No change rebuild due to dependency changes. ----------------------------------------- Patch: 18 Released: Tue Aug 20 13:47:06 2024 Summary: Security update for nghttp2 Severity: important References: 1221399,CVE-2024-28182 Description: This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399) ----------------------------------------- Patch: 23 Released: Tue Aug 27 18:49:42 2024 Summary: Security update for python311, python-rpm-macros Severity: important References: 1174091,1189495,1221854,1226447,1226448,1227378,1228780,831629,CVE-2019-20907,CVE-2019-9947,CVE-2020-15523,CVE-2020-15801,CVE-2022-25236,CVE-2023-52425,CVE-2024-0397,CVE-2024-0450,CVE-2024-4032,CVE-2024-6923 Description: This update for python311, python-rpm-macros fixes the following issues: python311: - CVE-2024-0450: Fixed zipfile module vulnerability with 'quoted-overlap' zipbomb (bsc#1221854) - CVE-2024-4032: Fixed incorrect IPv4 and IPv6 private ranges (bsc#1226448) - CVE-2024-0397: Fixed memory race condition in ssl.SSLContext certificate store methods (bsc#1226447) - CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780) - Fixed executable bits for /usr/bin/idle* (bsc#1227378). python-rpm-macros: - Update to version 20240618.c146b29: * Add %FLAVOR_pytest and %FLAVOR_pyunittest variants - Update to version 20240618.1e386da: * Fix python_clone sed regex - Update to version 20240614.02920b8: * Make sure that RPM_BUILD_ROOT env is set * don't eliminate any cmdline arguments in the shebang line * Create python313 macros - Update to version 20240415.c664b45: * Fix typo 310 -> 312 in default-prjconf - Update to version 20240202.501440e: * SPEC0: Drop python39, add python312 to buildset (#169) - Update to version 20231220.98427f3: * fix python2_compile macro - Update to version 20231207.46c2ec3: * make FLAVOR_compile compatible with python2 - Update to version 20231204.dd64e74: * Combine fix_shebang in one line * New macro FLAVOR_fix_shebang_path * Use realpath in %python_clone macro shebang replacement * Compile and fix_shebang in %python_install macros - Update to version 20231010.0a1f0d9: * Revert 'Compile and fix_shebang in %python_install macros' * gh#openSUSE/python-rpm-macros#163 - Update to version 20231010.a32e110: * Compile and fix_shebang in %python_install macros - Update to version 20231005.bf2d3ab: * Fix shebang also in sbin with macro _fix_shebang ----------------------------------------- Patch: 24 Released: Wed Aug 28 13:31:01 2024 Summary: Security update for ca-certificates-mozilla Severity: important References: 1199079,1220356,1227525 Description: This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020 - Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3 ----------------------------------------- Patch: 26 Released: Fri Aug 30 11:28:02 2024 Summary: Recommended update for suse-build-key Severity: critical References: 1229339 Description: This update for suse-build-key fixes the following issues: Extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339) ----------------------------------------- Patch: 27 Released: Tue Sep 3 14:16:21 2024 Summary: Security update for glib2 Severity: low References: 1224044,CVE-2024-34397 Description: This update for glib2 fixes the following issues: - Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044). ----------------------------------------- Patch: 29 Released: Wed Sep 4 12:41:35 2024 Summary: Recommended update for gcc13 Severity: important References: 1188441,1220724,1221239 Description: This update for gcc13 fixes the following issues: - Update to GCC 13.3 release - Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18. - Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441] - Make requirement to lld version specific to avoid requiring the meta-package. - Fix unwinding for JIT code. [bsc#1221239] - Revert libgccjit dependency change. [bsc#1220724] ----------------------------------------- Patch: 30 Released: Wed Sep 4 16:07:40 2024 Summary: Security update for curl Severity: moderate References: 1221665,1221666,1221667,1221668,1227888,1228535,CVE-2024-2004,CVE-2024-2379,CVE-2024-2398,CVE-2024-2466,CVE-2024-6197,CVE-2024-7264 Description: This update for curl fixes the following issues: Security issues fixed: - CVE-2024-7264: ASN.1 date parser overread (bsc#1228535) - CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888) - CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666) - CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668) - CVE-2024-2004: Usage of disabled protocol (bsc#1221665) - CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667) Non-security issue fixed: - Fixed various TLS related issues including FTP over SSL transmission timeouts. ----------------------------------------- Patch: 32 Released: Thu Sep 5 12:12:35 2024 Summary: Security update for glibc Severity: important References: 1221482,1221940,1222992,1223423,1223424,1223425,1228041,CVE-2024-2961,CVE-2024-33599,CVE-2024-33600,CVE-2024-33601,CVE-2024-33602 Description: This update for glibc fixes the following issues: Fixed security issues: - CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425) - CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bsc#1223423) - CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424) - CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424) - CVE-2024-33601, CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (bsc#1223425) - CVE-2024-2961: iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (bsc#1222992) Fixed non-security issues: - Add workaround for invalid use of libc_nonshared.a with non-SUSE libc (bsc#1221482) - Fix segfault in wcsncmp (bsc#1228041) - Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482) - Avoid creating ULP prologue for _start routine (bsc#1221940) - Also add libc_nonshared.a workaround to 32-bit x86 compat package (bsc#1221482) - malloc: Use __get_nprocs on arena_get2 - linux: Use rseq area unconditionally in sched_getcpu ----------------------------------------- Patch: 44 Released: Wed Sep 11 13:33:01 2024 Summary: Security update for expat Severity: important References: 1221289,1229930,1229931,1229932,CVE-2024-28757,CVE-2024-45490,CVE-2024-45491,CVE-2024-45492 Description: This update for expat fixes the following issues: - CVE-2024-45492: detect integer overflow in function nextScaffoldPart (bsc#1229932) - CVE-2024-45491: detect integer overflow in dtdCopy (bsc#1229931) - CVE-2024-45490: reject negative len for XML_ParseBuffer (bsc#1229930) - CVE-2024-28757: XML Entity Expansion attack when there is isolated use of external parsers (bsc#1221289) ----------------------------------------- Patch: 45 Released: Wed Sep 11 13:41:31 2024 Summary: Security update for libxml2 Severity: moderate References: 1224282,CVE-2024-34459 Description: This update for libxml2 fixes the following issues: - CVE-2024-34459: Fixed buffer over-read in (bsc#1224282)