Container summary for suse/389-ds

SUSE-CU-2024:5221-1

This update for glibc fixes the following issue:

• Apply libc_nonshared.a workaround on s390x and ppc64le architectures (bsc#1231051).

SUSE-CU-2024:5210-1

This update for gcc14 fixes the following issues:
This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc14 compilers use:

• install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
• override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages.

• Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend

• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Remove timezone Recommends from the libstdc++6 package. [bsc#1221601]
• Revert libgccjit dependency change. [bsc#1220724]
• Fix libgccjit-devel dependency, a newer shared library is OK.
• Fix libgccjit dependency, the corresponding compiler isn't required.
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031]
• Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6.

SUSE-CU-2024:5086-1

SUSE-CU-2024:5016-1

This update for bash fixes the following issues:

• Load completion file eveh if a brace expansion is in the command line included (bsc#1227807).

SUSE-CU-2024:4931-1

This update for cyrus-sasl fixes the following issues:

• Make DIGEST-MD5 work with openssl3 ( bsc#1230111 ) RC4 is legacy provided since openSSL3 and requires explicit loading, disable openssl3 depricated API warnings.

SUSE-CU-2024:4858-1

This update for e2fsprogs fixes the following issue:

• resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145).

SUSE-CU-2024:4779-1

SUSE-CU-2024:4751-1

This update for openssl-3 fixes the following issues:

• CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE (bsc#1230698)

This update for glibc fixes the following issue:

• Use nss-systemd by default also in SLE (bsc#1230638).

This update for systemd fixes the following issues:

• Determine the effective user limits in a systemd setup (jsc#PED-5659)
• Don't try to restart the udev socket units anymore. (bsc#1228809).
• Add systemd.rules rework (bsc#1229518).
• Don't mention any rpm macros inside comments, even if escaped (bsc#1228091).
• upstream commit (bsc#1226414).
• Make the 32bit version of libudev.so available again (bsc#1228223).
• policykit-1 renamed to polkitd

SUSE-CU-2024:4674-1

SUSE-CU-2024:4652-1

This update for python3 fixes the following issues:

• CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module (bsc#1228780).
• CVE-2024-5642: Fixed buffer overread when NPN is used and invalid values are sent to the OpenSSL API (bsc#1227233).
• CVE-2024-7592: Fixed Email header injection due to unquoted newlines (bsc#1229596).
• CVE-2024-6232: excessive backtracking when parsing tarfile headers leads to ReDoS. (bsc#1230227)

• %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999).
• Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378).
• Remove %suse_update_desktop_file macro as it is not useful any more.

SUSE-CU-2024:4586-1

SUSE-CU-2024:4487-1

This update for ncurses fixes the following issues:

• Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

SUSE-CU-2024:4310-1

SUSE-CU-2024:4273-1

This update for expat fixes the following issues:

• CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
• CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
• CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)

SUSE-CU-2024:4203-1

SUSE-CU-2024:4128-1

This update for glibc fixes the following issue:

• s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).

SUSE-CU-2024:3995-1

This update for openssl-3 fixes the following issues:

• CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

• FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
• FIPS: RSA keygen PCT requirements.
• FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
• FIPS: Service Level Indicator (bsc#1221365).
• FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751).
• FIPS: Add required selftests: (bsc#1221760).
• FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
• FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
• FIPS: Zero initialization required (bsc#1221752).
• FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
• FIPS: NIST SP 800-56Brev2 (bsc#1221824).
• FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: NIST SP 800-56Arev3 (bsc#1221822).
• FIPS: Error state has to be enforced (bsc#1221753).

This update for mozilla-nss fixes the following issues:

• FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

This update for permissions fixes the following issues:

• Update to version 20240826: * permissions: remove outdated entries (bsc#1228968)

• Update to version 20240826: * cockpit: revert path change (bsc#1229329)

SUSE-CU-2024:3921-1

SUSE-CU-2024:3904-1

This update for python3-setuptools fixes the following issues:

• CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105)

SUSE-CU-2024:3843-1

This update for pam fixes the following issue:

• Prevent cursor escape from the login prompt (bsc#1194818).

SUSE-CU-2024:3753-1

This update for 389-ds fixes the following issues:
Security issues fixed:

• CVE-2024-3657: Fixed potential denial of service via specially crafted kerberos AS-REQ request (bsc#1225512)
• CVE-2024-5953: Fixed a denial of service caused by malformed userPassword hashes (bsc#1226277)
• CVE-2024-2199: Fixed a crash caused by malformed userPassword in do_modify() (bsc#1225507)

• crash when user does change password using iso-8859-1 encoding (bsc#1228912)

• Update to version 2.2.10:

This update for openssl-1_1 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

• Build with no-afalgeng. (bsc#1226463)
• Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)

SUSE-CU-2024:3660-1

SUSE-CU-2024:3591-1

SUSE-CU-2024:3508-1

This update for shadow fixes the following issues:

• Fixed not copying of skel files (bsc#1228770)

SUSE-CU-2024:3507-1

This update for permissions fixes the following issue:

• cockpit: moved setuid executable (bsc#1228548)

SUSE-CU-2024:3436-1

SUSE-CU-2024:3338-1

This update for mozilla-nss fixes the following issues:

• Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
• Added 'Provides: nss' so other RPMs that require 'nss' can be installed (jira PED-6358).

• FIPS: added safe memsets (bsc#1222811)
• FIPS: restrict AES-GCM (bsc#1222830)
• FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
• FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
• FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

• Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918)

• bmo#1905691 - ChaChaXor to return after the function

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

• add diagnostic assertions for SFTKObject refcount.
• freeing the slot in DeleteCertAndKey if authentication failed
• fix formatting issues.
• Add Firmaprofesional CA Root-A Web to NSS.
• remove invalid acvp fuzz test vectors.
• pad short P-384 and P-521 signatures gtests.
• remove unused FreeBL ECC code.
• pad short P-384 and P-521 signatures.
• be less strict about ECDSA private key length.
• Integrate HACL* P-521.
• Integrate HACL* P-384.
• memory leak in create_objects_from_handles.
• ensure all input is consumed in a few places in mozilla::pkix
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• clean up escape handling
• Use lib::pkix as default validator instead of the old-one
• Need to add high level support for PQ signing.
• Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• Allow for non-full length ecdsa signature when using softoken
• Modification of .taskcluster.yml due to mozlint indent defects
• Implement support for PBMAC1 in PKCS#12
• disable VLA warnings for fuzz builds.
• remove redundant AllocItem implementation.
• add PK11_ReadDistrustAfterAttribute.
• - Clang-formatting of SEC_GetMgfTypeByOidTag update
• Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
• sftk_getParameters(): Fix fallback to default variable after error with configfile.
• Switch to the mozillareleases/image_builder image

• switch from ec_field_GFp to ec_field_plain

• merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
• remove ckcapi.
• avoid a potential PK11GenericObject memory leak.
• Remove incomplete ESDH code.
• Decrypt RSA OAEP encrypted messages.
• Fix certutil CRLDP URI code.
• Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
• Add ability to encrypt and decrypt CMS messages using ECDH.
• Correct Templates for key agreement in smime/cmsasn.c.
• Moving the decodedCert allocation to NSS.
• Allow developers to speed up repeated local execution of NSS tests that depend on certificates.

• Removing check for message len in ed25519 (bmo#1325335)
• add ed25519 to SECU_ecName2params. (bmo#1884276)
• add EdDSA wycheproof tests. (bmo#1325335)
• nss/lib layer code for EDDSA. (bmo#1325335)
• Adding EdDSA implementation. (bmo#1325335)
• Exporting Certificate Compression types (bmo#1881027)
• Updating ACVP docker to rust 1.74 (bmo#1880857)
• Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
• Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

• (CVE-2023-5388) Timing attack against RSA decryption in TLS
• Certificate Compression: enabling the check that the compression was advertised
• Move Windows workers to nss-1/b-win2022-alpha
• Remove Email trust bit from OISTE WISeKey Global Root GC CA
• Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
• Certificate Compression: Updating nss_bogo_shim to support Certificate compression
• TLS Certificate Compression (RFC 8879) Implementation
• Add valgrind annotations to freebl kyber operations for constant-time execution tests
• Set nssckbi version number to 2.66
• Add Telekom Security roots
• Add D-Trust 2022 S/MIME roots
• Remove expired Security Communication RootCA1 root
• move keys to a slot that supports concatenation in PK11_ConcatSymKeys
• remove unmaintained tls-interop tests
• bogo: add support for the -ipv6 and -shim-id shim flags
• bogo: add support for the -curves shim flag and update Kyber expectations
• bogo: adjust expectation for a key usage bit test
• mozpkix: add option to ignore invalid subject alternative names
• Fix selfserv not stripping `publicname:` from -X value
• take ownership of ecckilla shims
• add valgrind annotations to freebl/ec.c
• PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
• Update zlib to 1.3.1

• make Xyber768d00 opt-in by policy
• add libssl support for xyber768d00
• add PK11_ConcatSymKeys
• add Kyber and a PKCS#11 KEM interface to softoken
• add a FreeBL API for Kyber
• part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
• part 1: add a script for vendoring kyber from pq-crystals repo
• Removing the calls to RSA Blind from loader.*
• fix worker type for level3 mac tasks
• RSA Blind implementation
• Remove DSA selftests
• read KWP testvectors from JSON
• Backed out changeset dcb174139e4f
• Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
• Wrap CC shell commands in gyp expansions

• Use pypi dependencies for MacOS worker in ./build_gyp.sh
• p7sign: add -a hash and -u certusage (also p7verify cleanups)
• add a defensive check for large ssl_DefSend return values
• Add dependency to the taskcluster script for Darwin
• Upgrade version of the MacOS worker for the CI

• Bump builtins version number.
• Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
• Remove 4 DigiCert (Symantec/Verisign) Root Certificates
• Remove 3 TrustCor Root Certificates from NSS.
• Remove Camerfirma root certificates from NSS.
• Remove old Autoridad de Certificacion Firmaprofesional Certificate.
• Add four Commscope root certificates to NSS.
• Add TrustAsia Global Root CA G3 and G4 root certificates.
• Include P-384 and P-521 Scalar Validation from HACL*
• Include P-256 Scalar Validation from HACL*.
• After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
• Add means to provide library parameters to C_Initialize
• add OSXSAVE and XCR0 tests to AVX2 detection.
• Typo in ssl3_AppendHandshakeNumber
• Introducing input check of ssl3_AppendHandshakeNumber
• Fix Invalid casts in instance.c

• Updated code and commit ID for HACL*
• update ACVP fuzzed test vector: refuzzed with current NSS
• Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
• NSS needs a database tool that can dump the low level representation of the database
• declare string literals using char in pkixnames_tests.cpp
• avoid implicit conversion for ByteString
• update rust version for acvp docker
• Moving the init function of the mpi_ints before clean-up in ec.c
• P-256 ECDH and ECDSA from HACL*
• Add ACVP test vectors to the repository
• Stop relying on std::basic_string
• Transpose the PPC_ABI check from Makefile to gyp

• Update zlib in NSS to 1.3.
• softoken: iterate hashUpdate calls for long inputs.
• regenerate NameConstraints test certificates (bsc#1214980).

• Set nssckbi version number to 2.62
• Add 4 Atos TrustedRoot Root CA certificates to NSS
• Add 4 SSL.com Root CA certificates
• Add Sectigo E46 and R46 Root CA certificates
• Add LAWtrust Root CA2 (4096)
• Remove E-Tugra Certification Authority root
• Remove Camerfirma Chambers of Commerce Root.
• Remove Hongkong Post Root CA 1
• Remove E-Tugra Global Root CA ECC v3 and RSA v3
• Avoid redefining BYTE_ORDER on hppa Linux

• Implementation of the HW support check for ADX instruction
• Removing the support of Curve25519
• Fix comment about the addition of ticketSupportsEarlyData
• Adding args to enable-legacy-db build
• dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
• Initialize flags in slot structures
• Improve the length check of RSA input to avoid heap overflow
• Followup Fixes
• avoid processing unexpected inputs by checking for m_exptmod base sign
• add a limit check on order_k to avoid infinite loop
• Update HACL* to commit 5f6051d2
• add SHA3 to cryptohi and softoken
• HACL SHA3
• Disabling ASM C25519 for A but X86_64

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
• clean up escape handling.
• remove redundant AllocItem implementation.
• Disable ASM support for Curve25519.
• Disable ASM support for Curve25519 for all but X86_64.

SUSE-CU-2024:3284-1

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

This update for openssl-3 fixes the following issues:
Security fixes:

• CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)

• Build with no-afalgeng (bsc#1226463)
• Build with enabled sm2 and sm4 support (bsc#1222899)
• Fix non-reproducibility issue (bsc#1223336)

This update for systemd fixes the following issues:
systemd was updated from version 254.13 to version 254.15:

• Changes in version 254.15:

• Changes in version 254.14:

SUSE-CU-2024:3166-1

This update for python3 fixes the following issues:

• CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559).
• CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
• CVE-2024-4032: Rearranging definition of private v global IP. (bsc#1226448)
• CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447)

SUSE-CU-2024:3117-1

SUSE-CU-2024:3056-1

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-CU-2024:3013-1

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

• New function in pk11pub.h: PK11_FindRawCertsWithSubject
• The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374)
• Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
• Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
• Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
• Add IPSEC IKE support to softoken (bmo#1546229)
• Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
• Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
• Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

• Changed prbit.h to use builtin function on aarch64.
• Removed Gonk/B2G references.

This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module.

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for libdb-4_8 fixes the following issues:

• Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:

• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
• CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
• CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

• Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for 389-ds to version 1.4.2.2 fixes the following issues:
389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.
Issue addressed:

• Enabled python lib389 installer tooling to match upstream and suse documentation.

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53

• CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for python-argparse-manpage fixes the following issues:

• Made the multiline text look better

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

• Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
• Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title
• Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes
• Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket
• Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

• update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for python-distro fixes the following issues:
Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212)

• Backward compatibility: - Keep output as native string so we can compatible with python2 interface - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION`

• Bug Fixes: - Fix detection of RHEL 6 `ComputeNode` - Fix Oracle 4/5 `lsb_release` id and names - Ignore `/etc/plesk-release` file while parsing distribution - Return `_uname_info` from the `uname_info()` method - Fixed `CloudLinux` id discovery - Update Oracle matching - Warn about wrong locale.

• Documentation: - Distro is the recommended replacement for `platform.linux_distribution` - Add Ansible reference implementation and fix arch-linux link - Add facter reference implementation

This update for protobuf fixes the following issues:

• Add missing dependency of python subpackages on python-six. (bsc#1177127)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for MozillaFirefox fixes the following issues:

• Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for python-six fixes the following issue:

• python-six had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for salt fixes the following issues:
Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028)

• Check if dpkgnotify is executable (bsc#1186674)
• Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)
• virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support
• Set distro requirement to oldest supported version in requirements/base.txt
• Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)
• Always require `python3-distro` (bsc#1182293)
• Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing
• Fix pkg states when DEB package has 'all' arch
• Do not force beacons configuration to be a list.
• Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
• msgpack support for version >= 1.0.0 (bsc#1171257)
• Fix issue parsing errors in ansiblegate state module
• Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
• transactional_update: detect recursion in the executor
• Add subpackage salt-transactional-update (jsc#SLE-18033)
• Improvements on 'ansiblegate' module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks
• Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
• Regression fix of salt-ssh on processing targets
• Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)
• Add notify beacon for Debian/Ubuntu systems
• Fix zmq bug that causes salt-call to freeze (bsc#1181368)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli

• Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package.

• Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package.

• Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0

• Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0

• CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)

This update for python3 fixes the following issues:

• Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338)

This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:

• implement new socket option PR_SockOpt_DontFrag
• support larger DNS records by increasing the default buffer size for DNS queries
• Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
• PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

• bmo#1713562 - Fix test leak.
• bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
• bmo#1693206 - Implement PKCS8 export of ECDSA keys.
• bmo#1712883 - DTLS 1.3 draft-43.
• bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
• bmo#1713562 - Validate ECH public names.
• bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

• bmo#1683710 - Add a means to disable ALPN.
• bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
• bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
• bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
• bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

• bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
• bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
• bmo#1708307 - Remove Trustis FPS Root CA from NSS.
• bmo#1707097 - Add Certum Trusted Root CA to NSS.
• bmo#1707097 - Add Certum EC-384 CA to NSS.
• bmo#1703942 - Add ANF Secure Server Root CA to NSS.
• bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
• bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
• bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
• bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
• bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
• bmo#1709291 - Add VerifyCodeSigningCertificateChain.

• bmo#1709654 - Update for NetBSD configuration.
• bmo#1709750 - Disable HPKE test when fuzzing.
• bmo#1566124 - Optimize AES-GCM for ppc64le.
• bmo#1699021 - Add AES-256-GCM to HPKE.
• bmo#1698419 - ECH -10 updates.
• bmo#1692930 - Update HPKE to final version.
• bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
• bmo#1703936 - New coverity/cpp scanner errors.
• bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
• bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
• bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

• bmo#1705286 - Properly detect mips64.
• bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and

• bmo#1697380 - Make a clang-format run on top of helpful contributions.
• bmo#1683520 - ECCKiila P384, change syntax of nested structs

• bmo#1688374 - Fix parallel build NSS-3.61 with make
• bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()

• bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key

• TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
• December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.

• bmo#1679290 - Fix potential deadlock with certain third-party

• Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

• bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
• bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
• bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
• bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
• bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed

• bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
• bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
• bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
• bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
• bmo#1667153 - Add PK11_ImportDataKey for data object import.
• bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.

• The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
• The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
• Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed.
• https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

• bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
• bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
• bmo#1654142 - Add CPU feature detection for Intel SHA extension.
• bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
• bmo#1656986 - Properly detect arm64 during GYP build architecture

• P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
• PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
• DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

• bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
• bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
• bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
• bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
• bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
• bmo#1646594 - Fix AVX2 detection in makefile builds.
• bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
• bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
• bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
• bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
• bmo#1649226 - Add Wycheproof ECDSA tests.
• bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
• bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
• bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.

• Support for TLS 1.3 external pre-shared keys (bmo#1603042).
• Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
• The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
• The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

• A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

• bmo#1528113 - Use ARM Cryptography Extension for SHA256.
• bmo#1603042 - Add TLS 1.3 external PSK support.
• bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
• bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
• bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
• bmo#1641716 - Add Microsoft's non-EV root certificates.
• bmo1621151 - Disable email trust bit for 'O=Government

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for python3 fixes the following issues:

• CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).
• CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).
• CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

• We do not require python-rpm-macros package (bsc#1180125).
• Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
• Stop providing 'python' symbol, which means python2 currently (bsc#1185588).
• Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).

This update for python3 fixes the following issues:

• Don't use OpenSSL 1.1 on platforms which don't have it.

• Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249).
• Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566)
• Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'.

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:

• Add patch to fix build with new webcolors.

• update to version 3.2.0 (jsc#SLE-18756): * Added a format_nongpl setuptools extra, which installs only format dependencies that are non-GPL (#619).

• specfile: * require python-importlib-metadata
• update to version 3.1.1: * Temporarily revert the switch to js-regex until #611 and #612 are resolved.
• changes from version 3.1.0: - Regular expressions throughout schemas now respect the ECMA 262 dialect, as recommended by the specification (#609).

• Activate more of the test suite
• Remove tests and benchmarking from the runtime package
• Update to v3.0.2 - Fixed a bug where 0 and False were considered equal by const and enum
• from v3.0.1 - Fixed a bug where extending validators did not preserve their notion of which validator property contains $id information.

• Update to 3.0.1: - Support for Draft 6 and Draft 7 - Draft 7 is now the default - New TypeChecker object for more complex type definitions (and overrides) - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification

• Use %license instead of %doc (bsc#1082318)

• Remove hashbang from runtime module
• Replace PyPI URL with https://github.com/dgerber/rfc3987
• Activate doctests

• Add missing runtime dependency on timezone
• Replace dead link with GitHub URL
• Activate test suite

• Trim bias from descriptions.

• Initial commit, needed by flex

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for python3 fixes the following issues:

• CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for python-cryptography fixes the following issues:
python-cryptography was updated to 3.3.2.
update to 3.3.0:

• BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window.
• BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types.
• BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
• Added the recover_data_from_signature() function to RSAPublicKey for recovering the signed data from an RSA signature.

• CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
• Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.

• **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based :term:`U-label` parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
• ``backend`` arguments to functions are no longer required and the default backend will automatically be selected if no ``backend`` is provided.
• Added initial support for parsing certificates from PKCS7 files with :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` .
• Calling ``update`` or ``update_into`` on :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data`` longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This also resolves the same issue in :doc:`/fernet`.

• RSA generate_private_key() no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
• X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until version is accessed.
• Deprecated support for Python 2
• Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: load_ssh_private_key() for loading and OpenSSH for writing.
• Added support for OpenSSH certificates to load_ssh_public_key().
• Added encrypt_at_time() and decrypt_at_time() to Fernet.
• Added support for the SubjectInformationAccess X.509 extension.
• Added support for parsing SignedCertificateTimestamps in OCSP responses.
• Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
• Added support for encoding attributes in certificate signing requests via add_attribute().
• On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
• Added initial support for creating PKCS12 files with serialize_key_and_certificates().

• BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden.
• BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade.
• BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
• Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format.
• BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514.
• Added support for parsing single_extensions in an OCSP response.
• NameAttribute values can now be empty strings.

This update for python3 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

• add an API that returns a preferred loopback IP on hosts that have two IP stacks available.

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for elfutils fixes the following issues:

• Fix runtime dependency for devel package

This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)

• compare signature and signatureAlgorithm fields in legacy certificate verifier.
• Uninitialized value in cert_ComputeCertType.
• protect SFTKSlot needLogin with slotLock.
• avoid data race on primary password change.
• check for null template in sec_asn1{d,e}_push_state.

• FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for nss_synth fixes the following issues:

• Support running 389-ds with bare uid/gid (non-root) in containers. (jsc#SLE-22585)

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for python3 fixes the following issues:

• CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)
• Add permissions for enlightenment helper on 32bit arches (bsc#1194047)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:

• add file descriptor sanity checks in the NSPR poll function.

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Use libjitterentropy for entropy (bsc#1202870).
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
• FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
• FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
• FIPS: Use libjitterentropy for entropy.
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for libeconf fixes the following issues:

• Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165)

• Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters'

This update for libdb-4_8 fixes the following issues:

• CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for python3 fixes the following issues:

• CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577)
• CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125)

• Fixed a crash in the garbage collection (bsc#1188607).

This update for mozilla-nss fixes the following issues:

• FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
• FIPS: Allow the use SHA keygen mechs (bsc#1191546).
• FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for python-wheel fixes the following issues:

• CVE-2022-40898: Fixed an excessive use of CPU that could be triggered via a crafted regular expression (bsc#1206670).

This update for mozilla-nss fixes the following issues:

• CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272).
• Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.

This update for python-setuptools fixes the following issues:

• CVE-2022-40897: Fixed an excessive CPU usage that could be triggered by fetching a malicious HTML document (bsc#1206667).

This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.

This update for python3 fixes the following issues:
- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).
Bugfixes:
- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for python-cryptography fixes the following issues:
- CVE-2023-23931: Fixed memory corruption due to invalidly changed immutable object (bsc#1208036).

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for python3 fixes the following issues:

• CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).

• Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).

This update for mozilla-nss fixes the following issues:

• FIPS 140-3: Adjust SLI reporting for PBKDF2 parameter validation (bsc#1208999)
• FIPS 140-3: Update session->lastOpWasFIPS before destroying the key after derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. (bsc#1191546)
• FIPS 140-3: more changes for pairwise consistency checks. (bsc#1207209)
• Add manpages to mozilla-nss-tools (bsc#1208242)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This release of python311, python311-pip, python311-setuptools adds the following feature:

• Add Python-3.11 to SLE-15-SP4 Python Module (jsc#PED-68, jsc#PED-2634)

This update for python-packaging fixes the following issues:

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Add patch to fix testsuite on big-endian targets
• Ignore python3.6.2 since the test doesn't support it.
• update to 21.3: * Add a pp3-none-any tag * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion * Fix a spelling mistake

• update to 21.2: * Update documentation entry for 21.1. * Update pin to pyparsing to exclude 3.0.0. * PEP 656: musllinux support * Drop support for Python 2.7, Python 3.4 and Python 3.5 * Replace distutils usage with sysconfig * Add support for zip files * Use cached hash attribute to short-circuit tag equality comparisons * Specify the default value for the 'specifier' argument to 'SpecifierSet' * Proper keyword-only 'warn' argument in packaging.tags * Correctly remove prerelease suffixes from ~= check * Fix type hints for 'Version.post' and 'Version.dev' * Use typing alias 'UnparsedVersion' * Improve type inference * Tighten the return typeo

• Add Provides: for python*dist(packaging). (bsc#1186870)

• add no-legacyversion-warning.patch to restore compatibility with 20.4

• update to 20.9: * Add support for the ``macosx_10_*_universal2`` platform tags * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``

• update to 20.8: * Revert back to setuptools for compatibility purposes for some Linux distros * Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits * Fix flit configuration, to include LICENSE files * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag * Add some missing type hints to `packaging.requirements` * Officially support Python 3.9 * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes * Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string.

• update to 20.4: * Canonicalize version before comparing specifiers. * Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``. This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names.

This update for python3 fixes the following issues:

• CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).

• Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158).

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35

• fixes for building with clang
• use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms
• fix build on mips+musl libc
• Add support for the LoongArch 64-bit architecture

• clang-format lib/freebl/stubs.c
• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Mark _nss_version_c unused on clang-cl
• bmo#1795668 - Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing
• Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo
• Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
• Update BoGo tests to recent BoringSSL version
• Bump minimum NSPR version to 4.34.1

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:

• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Use __STDC_VERSION__ rather than __STDC__ as a guard
• Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

This update for audit fixes the following issues:

• Check for AF_UNIX unnamed sockets (bsc#1210004)
• Enable livepatching on main library on x86_64

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for libdb-4_8 fixes the following issues:

• Fix incomplete license tag (bsc#1099695)

This update for python-pyasn1 fixes the following issues:

• To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805)

This update for audit fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
• Fix rules not loaded when restarting auditd.service (bsc#1204844)

This update for python3 fixes the following issue:

• Rename sources in preparation of python3.11 (jsc#PED-68)

This update for icu73_2 fixes the following issues:

• Update to release 73.2

• fixes builds where UCHAR_TYPE is re-defined such as libqt5-qtwebengine

• Update to release 73.1

• Update to release 72.1

• bump library packagename to libicu71 to match the version.

• update to 71.1:

• ICU-21793 Fix ucptrietest golden diff [bsc#1192935]

• Update to release 70.1:

• ICU-21613 Fix undefined behaviour in ComplexUnitsConverter::applyRounder

• Update to release 69.1

• Backport ICU-21366 (bsc#1182645)

• Update to release 68.2

• Add back icu.keyring, see https://unicode-org.atlassian.net/browse/ICU-21361

• Update to release 68.1

• Add the provides for libicu to Make .Net core can install successfully. (bsc#1167603, bsc#1161007)

• Update to version 67.1

• Update to version 66.1

• Remove /usr/lib(64)/icu/current [bsc#1158955].

• Update to release 65.1 (jsc#SLE-11118).

This update for sysuser-tools fixes the following issues:

• Update to version 3.2
• Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
• Add 'quilt setup' friendly hint to %sysusers_requires usage
• Use append so if a pre file already exists it isn't overridden
• Invoke bash for bash scripts (bsc#1195391)
• Remove all systemd requires not supported on SLE15 (bsc#1214140)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for python3 fixes the following issues:

• CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This feature update for python3 packages adds the following:

• First batch of python3.11 modules (jsc#PED-68)
• Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for python3-setuptools fixes the following issues:

• CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667).

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

This update for python3-cryptography fixes the following issues:

• CVE-2023-49083: Fixed a NULL pointer dereference when loading certificates from a PKCS#7 bundle (bsc#1217592).

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for icu73_2 fixes the following issue:

• ships 32bit icu library on SLES 15 SP3 to complement the ICU 69 32bit libraries.

This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1

• regenerate NameConstraints test certificates.
• add OSXSAVE and XCR0 tests to AVX2 detection.

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
• Check localtime_r() return value to fix crashing (bsc#1217000)

This update for python-argcomplete fixes the following issues:

• Use update-alternatives for package binaries to avoid conflict with python311 stack (bsc#1219305)

This update for python3 fixes the following issues:

• CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:

• CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

This update for python3 fixes the following issues:

• CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666).
• CVE-2022-48566: Make compare_digest more constant-time (bsc#1214691).

This update for audit fixes the following issue:

• Fix plugin termination when using systemd service units (bsc#1215377)

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

This update for python3 fixes the following issue:

• Fix syslog making default 'ident' from sys.argv (bsc#1222109)

This update for python-argcomplete and python-Twisted fixes the following issue:

• Fix update-alternatives (bsc#1224109)

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216)
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233)

• make Net::FTP work with TLS 1.3 (bsc#1213638)

This update for 389-ds fixes the following issues:

• Update to version 2.2.8~git65.347aae6:
• CVE-2024-1062: Resolved possible denial of service when audit logging is enabled. (bsc#1219836)

This update for libbpf fixes the following issues:

• Fixed potential null pointer dereference in bpf_object__collect_prog_relos() (bsc#1221101)

This update for glibc fixes the following issues:

• Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)

This update for e2fsprogs fixes the following issues:

• EA Inode handling fixes: - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596)

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

This update for openssl-3 fixes the following issues:
Security issues fixed:

• CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

• Enable livepatching support (bsc#1223428)
• Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456)

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

This update for iproute2 fixes the following issues:
iproute2 was updated to version 6.4 (jsc#PED-6820 jsc#PED-6844, jsc#PED-8358):

• Fixed display of bound but unconnected sockets (bsc#1204562)
• Changes in version 6.4: * bridge: mdb: added underlay destination IP support, UDP destination port support, destination VNI support, source VNI support, outgoing interface support * macvlan: added the 'bclim' parameter

• Changes in version 6.3: * New release of iproute2 corresponding to the 6.3 kernel. No large feature improvements only incremental improvements to the bridge mdb support, mostly just bug fixes.

• Changes in version 6.2:

• Changes in version 6.1:

• Changes in version 6.0:

• Changes in version 5.19:

• Changes in version 5.18:

• Changes in version 5.17:

• Add tmpfiles.d conf for /run/netns

• Changes in version 5.16:

• Changes in version 5.15:

This update for systemd contains the following fixes:

• testsuite: move a misplaced %endif

• Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415).

• Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree.

• Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc