Container summary for suse/sle-micro-iso/base-5.5

SUSE-CU-2024:5305-1

SUSE-CU-2024:5266-1

SUSE-CU-2024:5189-1

SUSE-CU-2024:5147-1

SUSE-CU-2024:5122-1

SUSE-CU-2024:5070-1

SUSE-CU-2024:4821-1

SUSE-CU-2024:4753-1

SUSE-CU-2024:4111-1

SUSE-CU-2024:4040-1

SUSE-CU-2024:3955-1

SUSE-CU-2024:3954-1

SUSE-CU-2024:3894-1

SUSE-CU-2024:2997-1

SUSE-CU-2024:2292-1

SUSE-CU-2024:2273-1

SUSE-CU-2024:2259-1

SUSE-CU-2024:1985-1

SUSE-CU-2024:1541-1

SUSE-CU-2024:473-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for libmspack fixes the following issues:
Security issues fixed:

• CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
• CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)
• Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for libmspack fixes the following issues:
Security issue fixed:

• CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680).

• Enable build-time tests (bsc#1130489)

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for cracklib fixes the following issues:

• Fixed a buffer overflow when processing long words.

This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for systemd-rpm-macros fixes the following issues:

• Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034)

This update for systemd-rpm-macros fixes the following issues:

• Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir

• Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for gzip fixes the following issue:

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

This update for systemd-rpm-macros fixes the following issues:

• Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart
• Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun().
• Does no longer apply presets when migrating from a disabled initscript (bsc#1178481)
• Fix importing of %{_unitdir}

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for systemd-rpm-macros fixes the following issues:

• Bump to version 6

• Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM.

• Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update.

This update for systemd-rpm-macros fixes the following issues:

• Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012)
• Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661)

This update for nghttp2 fixes the following issues:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for gzip fixes the following issues:

• Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

This update for gzip fixes the following issues:

• Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for gzip fixes the following issue:

• gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for nghttp2 fixes the following issue:

• The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

• Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
• CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
• btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

• Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
• Fixed /dev/null is not available (bsc#1168481).
• CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

• CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
• Handle a requirement from docker (bsc#1181594).

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for pam-config fixes the following issues:

• Add 'revoke' to the option list for 'pam_keyinit'.
• Fixed an issue when pam-config fails to create a new service config file. (bsc#1187091)

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for systemd-default-settings fixes the following issue:

• Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

This update for libmspack fixes the following issues:

• CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)
• CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)
• CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032)

This update for unixODBC fixes the following issues:

• ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
• Fix incorrect permission for documentation files.
• Update requires and baselibs for new libodbc2.
• Employ shared library packaging guideline: new subpacakge libodbc2.
• Update to 2.3.9: * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h

• Update to 2.3.8: * Add configure support for editline * SQLDriversW was ignoring user config * SQLDataSources Fix termination character * Fix for pooling seg fault * Make calling SQLSetStmtAttrW call the W function in the driver is its there * Try and fix race condition clearing system odbc.ini file * Remove trailing space from isql/iusql SQL * When setting connection attributes set before connect also check if the W entry poins can be used * Try calling the W error functions first if available in the driver * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle * iconv handles was being lost when reusing pooled connection * Catch null copy in iniPropertyInsert * Fix a few leaks

• Update to 2.3.7: * Fix for pkg-config file update on no linux platforms * Add W entry for GUI work * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString * SQLBrowseConnect/W allow disconnecting a started browse session after error * Add --with-stats-ftok-name configure option to allow the selection of a file name used to generate the IPC id when collecting stats. Default is the system odbc.ini file * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys * Connection pooling: Fix liveness check for Unicode drivers

This update for systemd-rpm-macros fixes the following issues:

• Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332)
• Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead.
• %sysusers_create_inline: use here-docs instead of echo (bsc#1186282)

This update for runc fixes the following issues:

• Fixed an issue when toolbox container fails to start. (bsc#1189743)

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for kmod fixes the following issues:

• Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190).
• Enable support for ZSTD compressed modules
• Display module information even for modules built into the running kernel (bsc#1189537)
• '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well.
• Remove test patches included in release 29

• Update to release 29 * Fix `modinfo -F` not working for built-in modules and certain fields. * Fix a memory leak, overflow and double free on error path.

This update for glibc fixes the following issues:

• CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
• CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

• CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

• Install systemd service file as well (bsc#1190826)

• Fixed a failure to set CPU quota period in some cases on cgroup v1.
• Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
• Made release builds reproducible from now on.
• Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

• Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
• Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
• cgroup/systemd/v2: don't freeze cgroup on Set.
• cgroup/systemd/v1: avoid unnecessary freeze on Set.
• fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
• cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
• cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
• cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
• cgroupv2: support SkipDevices with systemd driver
• cgroup/systemd: return, not ignore, stop unit error from Destroy
• Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
• cgroup1: blkio: support BFQ weights.
• cgroupv2: set per-device io weights if BFQ IO scheduler is available.

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

• seccomp: fix 32-bit compilation errors
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
• runc start: fix 'chdir to cwd: permission denied' for some setups

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for kmod fixes the following issues:

• Enable ZSTD compression (bsc#1192104)(jsc#SLE-21256)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for cracklib fixes the following issues:

• Enable build time tests (bsc#1191736)

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for brotli fixes the following issues:

• CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

glibc was updated to fix the following issue:

• Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

This update for systemd-rpm-macros fixes the following issues:

• Introduce rpm macro %_systemd_util_dir

This update for kmod fixes the following issues:

• Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430)

This update for runc fixes the following issues:
Update to runc v1.0.3.

• CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
• Fixed inability to start when read-only /dev in set in spec.
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd.
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes).

This update for libmspack fixes the following issues:

• CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040).

This update for json-c fixes the following issues:

• CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)

This update for glibc fixes the following issues:

• Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).

This update for glibc fixes the following issues:

• CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
• CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

• IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)

This update for systemd-rpm-macros fixes the following issues:

• Bump version to 10

• %sysusers_create_inline was wrongly marked as deprecated
• %sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. So don't mark it as deprecated too

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for openldap2 fixes the following issues:

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for tar fixes the following issues:

• CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
• CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
• CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

• Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges

• Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files

• prepare usrmerge (bsc#1029961)

• Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite

• Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived.

This update for gzip fixes the following issues:

• CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for curl fixes the following issues:

• CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for containerd, docker and runc fixes the following issues:
containerd:

• CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

• Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

• Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing).
• Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
• Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang.
• When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths.
• Socket activation was failing when more than 3 sockets were used.
• Various CI fixes.
• Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
• Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

• CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460)

• `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file.

• runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
• runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404)
• Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported' error. (#3406)
• libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

• libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

• Add support for RDMA cgroup added in Linux 4.11.
• runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed.
• runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container hasexited.
• seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL).
• seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host.
• checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore.
• intelrdt: support ClosID parameter.
• runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed.
• cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it).
• sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour.
• mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users.
• Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro).
• Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130.
• system: improve performance of /proc/$pid/stat parsing.
• cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process.
• runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink.
• cgroup: improve openat2 handling for cgroup directory handle hardening. runc delete -f now succeeds (rather than timing out) on a paused container.
• runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused.
• Update version data embedded in binary to correctly include the git commit of the release.

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for systemd fixes the following issues:

• Make {/etc,/usr/lib}/systemd/network owned by both udev and systemd-network. The configuration files put in these directories are read by both udevd and systemd-networkd (bsc#1201276)
• Allow control characters in environment variable values (bsc#1200170)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition

This update for rpm-config-SUSE fixes the following issues:

• Add SBAT values macros for other packages (bsc#1193282)

This update for glibc fixes the following issues:

• Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
• i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
• Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)

This update for pcre2 fixes the following issues:

• CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for tar fixes the following issues:

• Fix race condition while creating intermediate subdirectories (bsc#1200657)

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for tar fixes the following issues:

• A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

This update for elfutils fixes the following issues:

• Fix runtime dependency for devel package

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for systemd fixes the following issues:

• Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one pointing to /usr/lib/systemd/ (bsc#1201795)
• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• Avoid applying presets to any services shipped by the experimental sub-package, as they aren't enabled by default
• analyze: Fix offline check for syscal filter
• calendarspec: Fix timer skipping the next elapse
• core: Allow command argument to be longer
• hwdb: Add AV production controllers to hwdb and add uaccess
• hwdb: Allow console users access to rfkill
• hwdb: Allow end-users root-less access to TL866 EPROM readers
• hwdb: Permit unsetting power/persist for USB devices
• hwdb: Tag IR cameras as such
• hwdb: Fix parsing issue
• hwdb: Make usb match patterns uppercase
• hwdb: Update the hardware database
• journal-file: Stop using the event loop if it's already shutting down
• journal-remote: Disable `--trust` option when gnutls is disabled and check_permission() should not be called
• journald: Ensure resources are properly allocated for SIGTERM handling
• kernel-install: Ensure modules.builtin.alias.bin is removed when no longer needed
• macro: Account for negative values in DECIMAL_STR_WIDTH()
• manager: Disallow clone3() function call in seccomp filters
• missing-syscall: Define MOVE_MOUNT_T_EMPTY_PATH if missing
• pid1,cgroup-show: Prevent failure if cgroup.procs in some subcgroups is not readable
• resolve: Fix typo in dns_class_is_pseudo()
• sd-event: Improve handling of process events and termination of processes
• sd-ipv4acd: Fix ARP packet conflicts occurring when sender hardware is one of the host's interfaces
• stdio-bridge: Improve the meaning of the error message
• tmpfiles: Check for the correct directory

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for runc fixes the following issues:

• Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
• Fix 'permission denied' error from runc run on noexec fs
• Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)
• Add permissions for enlightenment helper on 32bit arches (bsc#1194047)

This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for runc fixes the following issues:

• Update to runc v1.1.4 (bsc#1202021)
• Fix failed exec after systemctl daemon-reload (bsc#1202821)
• Fix mounting via wrong proc
• Fix 'permission denied' error from runc run on noexec filesystem

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428 * 0469b9f2bc pstore: do not try to load all known pstore modules * ad05f54439 pstore: Run after modules are loaded * ccad817445 core: Add trigger limit for path units * 281d818fe3 core/mount: also add default before dependency for automount mount units * ffe5b4afa8 logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179)
• Make 'sle15-sp3' net naming scheme still available for backward compatibility reason

This update for libusb-1_0 fixes the following issues:

• Fix regression where some devices no longer work if they have a configuration value of 0 (bsc#1201590)

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for libeconf fixes the following issues:

• Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165)

• Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters'

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for tar fixes the following issues:

• Fix unexpected inconsistency when making directory (bsc#1203600)
• Update race condition fix (bsc#1200657)

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
• CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308).

This update for GNOME 41 fixes the following issues:
atkmm1_6:

• Version update from 2.28.1 to 2.28.3 (jsc#PED-2235): * Meson build: Avoid unnecessary configuration warnings * Meson build: Perl is not required by new versions of mm-common * Meson build: Require meson >= 0.55.0 * Meson build: Specify 'check' option in run_command(). Will be necessary with future versions of Meson. * Require atk >= 2.12.0 Not a new requirement, but previously it was not specified in configure.ac and meson.build * Support building with Visual Studio 2022

• Version update from 41.1 to 41.2 (jsc#PED-2235): * eog-window: use correct type for display_profile * Fix discovery of Evince for multi-page images

• Version update 41.3 to 41.4 (jsc#PED-2235): * shell: Fix failures when thumbnail extraction takes too long * Fix build with meson 0.60.0 and newer

• Ensure evolution-devel is forward compatible with evolution-data-server-devel in a same major version (jsc#PED-2235)

• Version update from 3.42.4 to 3.42.5 (jsc#PED-2235): * Google OAuth out-of-band (oob) flow will be deprecated

• Version update 0.15.3 to 0.15.5 (jsc#PED-2235): * vapi: Add missing generic type argument * Fix docs build against newer eds version * Fix build against newer eds version * Remove volatile keyword from tests

• Version update 3.41.0 to 3.41.1 (jsc#PED-2235): * Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands * Add gi-docgen dependency which is needed by the docs * Fix build with meson 0.60.0 and newer * Fix build without systemd * Several CI fixes

• Version update from 3.26.2 to 3.26.4 (jsc#PED-2235): * Fix to a test data file not being installed, and a bug fix for a bug in the libsoup3 port * Add support for libsoup 3.x

• Version update from 1.70.1 to 1.70.2 (jsc#PED-2235): * Build and compatibility fixes backported from the development branch * Reverse order of running-from-source checks
• Require xorg-x11-Xvfb for proper package build (bsc#1203274)

• Version update from 2.70.4 to 2.70.5 (jsc#PED-2235): * Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555 * Split gtk-docs from -devel package, these are not needed during building projects using glib2

• Fix the size of logo icon in About system (bsc#1200581)
• Version update from 41.4 to 41.7 (jsc#PED-2235): * Cellular: Remove duplicate line from .desktop * Info: Allow changing 'Device Name' by pressing 'Enter' * Info: Remove trailing space after CPU name * Keyboard: Fix crash resetting all keyboard shortcuts * Keyboard: Fix leaks * Network: Fix saving passwords for non-wifi connections * Network: Fix critical when opening VPN details page * Wacom: Fix leaks

• Version update from 41.2 to 41.8 (jsc#PED-2235): * Version increase but no actual changes

• Version update from 41.0 to 41.1 (jsc#PED-2235): * Ensure the correct album is played * Fix build with meson 0.61.0 and newer * Fix crash on empty selection * Fix incorrect playlist import * Fix time displayed in RTL languages * Improve async queue work * Make random shuffle actually random * Make shuffle random * Speed increase on first startup on larger collections * Time is reversed in RTL

• Version update from 41.2 to 41.3 (jsc#PED-2235): * Add Icelandic translation

• Clear error messages that can be ignored because expected to happen for GDM sessions (bsc#1204867)
• Add fix for gnome-session to exit immediately when lost name on bus (bsc#1175622, bsc#1188882)

• Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832)
• Version update from 41.4 to 41.9 (jsc#PED-2235): * Allow extension updates with only Extension Manager installed * Allow more intermediate icon sizes in app grid * Disable workspace switching while in search. * Do not create systemd scope for D-Bus activated apps * Fix calendar to correctly align world clocks header in RTL * Fix drag placeholder position in dash in RTL locales * Fix edge case where windows stay dimmed after a modal is closed * Fix feedback when turning on a11y features by keyboard * Fix focus tracking in magnifier on wayland * Fix fractional timezone offsets in world clock * Fix glitches in overview transition * Fix logging in with realmd * Fix memory leak * Fix opening device settings for enterprise WPA networks * Fix programatically set scrollview fade * Fix regression in ibus support * Fix unresponsive top bar in overview when in fullscreen * Handle monitor changes during startup animation * Hide overview after 'Show Details' from app context menu * Improve Belgian on-screen keyboard layout * Improve CSS shadow appearance * Make sure startup animation completes * Misc. bug fixes and cleanups * Only close messages via delete key if they can be closed * Respect IM hint for candidates list in on-screen keyboard

• Disable offline update feature in SUSE Linux Enterprise and openSUSE Leap (bsc#944832)
• Version update from 41.4 to 41.5 (jsc#PED-2235): * Added several appstream-related fixed * Disable scroll-by-mouse-wheel on featured carousel * Ensure details page shows app provided on command line

• Version update from 3.42.2 to 3.42.3 (jsc#PED-2235): * Fix build with meson 0.61.0 and newer * window: Use a normal menu for the popup menu

• Version update from 41.1 to 41.5 (jsc#PED-2235): * Added missing icon for network-wired-symbolic

• Version update from 1.8.4 to 1.10.0 (jsc#PED-2235): * Build: distribute more files in tarballs * Documentation improvements

• Version update from 3.24.5 to 3.24.6 (jsc#PED-2235): * Build with Meson: MSVC build: Support Visual Studio 2022 * Check if Perl is required for building documentation * Don't use deprecated python3.path() and execute (..., gui_app...) * GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the claing++ compiler * Object::_release_c_instance(): Unref orphan managed widgets * SizeGroup demo: Set active items in the combo boxs, so something is shown * Specify 'check' option in run_command()

• Version update from 1.3.0 to 1.3.1 (jsc#PED-2235): * Add 'check' arg to meson run_command() * Fix invalid use of subprojects with meson * Support ZRLE encoding for zero size alpha cursors

• Version update from 0.12.11 to 0.14.1 (jsc#PED-2235): * Add utility function to format GDateTime to the iso variant DIDL expects * Allow to be used as a subproject * Drop autotools * Fix stripping @refID * Fix unsetting subtitleFileType * Make Feature derivable again * Obsolete code removal. * Port to modern GObject * Remove hand-written ref-counting, use RcBox/AtomicRcBox instead. * Switch to meson build system, following upstream
• Rename libgupnp-av-1_0-2 subpackage to libgupnp-av-1_0-3, correcting the package name to match the provided library
• Conflict with the wrongly provided libgupnp-av-1_0-2

• Version update from 1.48.1 to 1.48.2 (jsc#PED-2235): * sftp: Adapt on new OpenSSH password prompts * smb: Rework anonymous handling to avoid EINVAL * smb: Ignore EINVAL for kerberos/ccache login

• Version update from 1.14.48 to 1.14.50 (jsc#PED-2235): * Fix error handling problem when writing ole files * Fix problems with non-western text in OLE properties * Use g_date_time_new_from_iso8601 and g_date_time_format_iso8601 when available

• Version update from 1.9.5 to 1.9.6 (jsc#PED-2235): * build: Add introspection/vapi/tests options * build: Use library() to optionally build a static library

• Version update from 1.8.32 to 1.8.40 (jsc#PED-2235): * Ad-Hoc networks now default to using WPA2 instead of WEP * Add possibility of building libnma-gtk4 library with Gtk4 support * Do not allow setting empty 802.1x domain for EAP TLS * Fixed keyboard accelerator for certificate chooser * Fixed libnma-gtk4 version of mobile-wizard * Include OWE wireless security option * The GtkBuilder files for Gtk4 are now included in the release tarball * WEP is no longer provided as an option for connecting to hidden networks due to its deprecated status
• New sub-packages libnma-gtk4-0, typelib-1_0-NMA4-1_0 and libnma-gtk4-devel
• Split out documentation files in own docs sub-package

• Version update from 0.7.10 to 0.7.12 (jsc#PED-2235): * Delete unused notifynotification.xml * Fix potential build errors with old glib version we require * docs/notify-send: Add --transient option to manpage * notification: Bookend calling NotifyActionCallback with temporary reference * notification: Include sender-pid hint by default if not provided * notify-send: Add debug message about server not supporting persistence * notify-send: Add explicit option to create transient notifications * notify-send: Add support for boolean hints * notify-send: Move server capabilities check to a separate function * notify-send: Support passing any hint value, by parsing variant strings

• Version update from 1.30.0 to 1.32.0 (jsc#PED-2235): * Icon licenses have been corrected * Parallel build system operation fixes * Use gi-docgen for documentation * Various build warnings squashed * Various GIR data that should not have been exported was removed
• Stop packaging the demo files/sub-package

• Version update from 2.52.6 to 2.52.9 (jsc#PED-2235): * Catch circular references when rendering patterns * Fix regressions when computing element geometries * Fix regression outputting all text as paths

• Version update from 0.20.4 to 0.20.5 (jsc#PED-2235): * Add bash-completion for secret-tool * Add locking capabilities to secret tool * Add support for TPM2 based secret storage * Create default collection after DBus.Error.UnknownObject * Detect local storage in snaps in the same way as flatpaks * Drop autotools-based build * GI annotation and documentation fixes * Port documentation to gi-docgen * Use G_GNUC_NULL_TERMINATED where appropriate collection, methods, prompt: Port to GTask * secret-file-backend: Avoid closing the same file descriptor twice

• Version update from 41.5 to 41.9 (jsc#PED-2235): * Fix '--replace option' * Fix missing root window properties after XWayland start * Fix night light without GAMMA_LUT property * KMS: Survive missing GAMMA_LUT property * wayland: Fix rotation transform * Misc. bug fixes

• Version update from 41.2 to 41.5(jsc#PED-2235): * Drag-and-drop bugfixes * HighContrast style fixes

• Version update from 41.1 to 41.3 (jsc#PED-2235): * Add more event-flood detection and handling for improved performance * Fix bug causing accessing preferences to fail for Esperanto * Web: Fix bug causing widgets descending from off-screen label elements to be skipped over * Web: Fix presentation of the FluentUI react dialog (and any other dialog which has an ARIA document-role descendant) * WebKitGtk: Fail gracefully when structural navigation commands are used in WebKitGtk 2.36.x

• Add python3-cairo to SUSE Linux Enterprise Micro 5.3 as it is now required by python3-gobject-cairo

• Add dependency on python-cairo to python-gobject-cairo: The introspection wrapper needs pycairo (bsc#1179584)
• Version update from 3.42.0 to 3.42.2 (jsc#PED-2235): * Add a workaround for a PyPy 3.9+ bug when threads are used * Do not error out for unknown scopes * Prompt an error instead of crashing when marshaling unsupported fundamental types in some cases * Fix a crash/refcounting error in case marshaling a hash table fails * Fix crashes when marshaling zero terminated arrays for certain item types * Implement DynamicImporter.find_spec() to silence deprecation warning * Make the test suite pass again with PyPy * Some test/CI fixes * gtk overrides: Do not override Treeview.enable_model_drag_xx for GTK4 * gtk overrides: restore Gtk.ListStore.insert_with_valuesv with newer GTK4 * interface: Fix leak when overriding GInterfaceInfo * setup.py: look up pycairo headers without importing the module

• Allow system calls used by gstreamer (bsc#1196205)
• Version update from 3.2.2 to 3.2.1 (jsc#PED-2235): * Backport seccomp rules for rseq and mbind syscalls

• Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Add missing TraverseVisitor.visit_data_type() * Add support for 'copy_/free_function' metadata for compact classes * Catch and throw possible inner error of lock statements * Clear SemanticAnalyzer.current_{symbol,source_file} when not needed anymore * Don't count instance-parameter when checking for backwards closure reference * Fix a few binding errors * Free empty stack list for code contexts * Handle duplicated and unnamed symbols. * Improve UI parsing and handling of nested objects and properties * Make sure to drop our 'trap' jump target in case of an error * Move dynamic property errors to semantic analyzer pass * Require lvalue access of delegate target/destroy 'fields' * Show source location when reporting deprecations * Transform assignment of an array element as needed * manual: Update from wiki.gnome.org * parser: Improve handling of nullable VarType in with-statement * parser: Reduce the source reference of main block method to its beginning

• Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Properly bind property in Lockdown portal

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for tar fixes the following issue:

• Fix hang when unpacking test tarball (bsc#1202436)

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed an issue where users could access coredumps with changed uid, gid or capabilities (bsc#1205000).

• Enabled the pstore service (jsc#PED-2663).
• Fixed an issue accessing TPM when secure boot is enabled (bsc#1204944).
• Fixed an issue where a pamd file could get accidentally overwritten after an update (bsc#1207264).

This update for curl fixes the following issues:

• CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990).
• CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for tar fixes the following issues:

• CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).

• Fix hang when unpacking test tarball (bsc#1202436).

This update for systemd fixes the following issues:

• Merge of v249.15
• Drop workaround related to systemd-timesyncd that addressed a Factory issue.
• Conditionalize the use of /lib/modprobe.d only on systems with split usr support enabled (i.e. SLE).
• Make use of the %systemd_* rpm macros consistently. Using the upstream variants will ease the backports of Factory changes to SLE since Factory systemd uses the upstream variants exclusively.
• machines.target belongs to systemd-container, do its init/cleanup steps from the scriptlets of this sub-package.
• Make sure we apply the presets on units shipped by systemd package.
• systemd-testsuite: move the integration tests in a dedicated sub directory.
• Move systemd-cryptenroll into udev package.

This update for libxslt fixes the following issues:

• CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for console-setup and kbd fixes the following issue:

• Fix Caps_Lock mapping for us.map and others (bsc#1202853)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

• Fix avx2 strncmp offset compare condition check (bsc#1208358)
• elf: Allow dlopen of filter object to work (bsc#1207571)
• powerpc: Fix unrecognized instruction errors with recent GCC
• x86: Cache computation for AMD architecture (bsc#1207957)

This update for systemd fixes the following issues:

• Fix return non-zero value when disabling SysVinit service (bsc#1208432)
• Drop build requirement on libpci, it's not no longer needed
• Move systemd-boot and all components managing (secure) UEFI boot into udev sub-package, so they aren't installed in systemd based containers

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for systemd-rpm-macros fixes the following issue:

• Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:

• CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
• CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
• CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

This update for glib2 fixes the following issues:

• CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
• CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

• Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)

• CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
• CVE-2023-28320: siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).

This update for systemd fixes the following issues:

• udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410)
• Optimize when hundred workers claim the same symlink with the same priority (bsc#1203141)
• Add nss-resolve and systemd-network to Packagehub-Subpackages (MSC-626)

This update of runc fixes the following issues:

• rebuild the package with the go 19.9 secure release (bsc#1200441).

This update for kbd fixes the following issue:

• Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)

This update for systemd-rpm-macros fixes the following issues:

• Adjust functions so they are disabled when called from a chroot (bsc#1211272)

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

• Update further expiring certificates that affect tests (bsc#1201627)

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for containerd, docker, runc fixes the following issues:

• Update to containerd v1.6.21 (bsc#1211578)
• Update to Docker 23.0.6-ce (bsc#1211578)
• Update to runc v1.1.7
• Require a minimum Go version explicitly (bsc#1210298)
• Re-unify packaging for SLE-12 and SLE-15
• Fix build on SLE-12 by switching back to libbtrfs-devel headers
• Allow man pages to be built without internet access in OBS
• Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux
• Fix syntax of boolean dependency
• Allow to install container-selinux instead of apparmor-parser
• Change to using systemd-sysusers
• Update runc.keyring to upstream version
• Fix the inability to use `/dev/null` when inside a container (bsc#1207004)

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for audit fixes the following issues:

• Check for AF_UNIX unnamed sockets (bsc#1210004)
• Enable livepatching on main library on x86_64

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

This update for dbus-1 fixes the following issues:

• CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for curl fixes the following issues:

• CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

This update for lvm2 fixes the following issues:

• multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613)

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for libcontainers-common fixes the following issues:

• New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
• Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
• Remove container-storage-driver.sh to default to the overlay driver instead of btrfs
• Remove obsolete Requires(post): util-linux-systemd
• Add registry.suse.com to the unqualified-search-registries

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for systemd-presets-common-SUSE fixes the following issues:

• Fix systemctl being called with an empty argument (bsc#1212496)
• Don't call systemctl list-unit-files with an empty argument (bsc#1212496)
• Add wtmpdb-update-boot.service and wtmpdb-rotate.timer

This update for openssl-1_1 fixes the following issues:

• Dont pass zero length input to EVP_Cipher (bsc#1213517)

This update for cryptsetup fixes the following issues:

• Handle system with low memory and no swap space (bsc#1211079)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for apparmor fixes the following issues:

• Add pam_apparmor README (bsc#1213472)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

This update for audit fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
• Fix rules not loaded when restarting auditd.service (bsc#1204844)

This update for gawk fixes the following issues:

• CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

This update for systemd fixes the following issues:

• Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
• Decrease devlink priority for iso disks (bsc#1213185)
• Do not ignore mount point paths longer than 255 characters (bsc#1208194)
• Refuse hibernation if there's no possible way to resume (bsc#1186606)
• Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
• Drop some entries no longer needed by YaST (bsc#1194609)
• The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
• Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

This update for lvm2 fixes the following issues:

• blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

This update for sysuser-tools fixes the following issues:

• Update to version 3.2
• Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
• Add 'quilt setup' friendly hint to %sysusers_requires usage
• Use append so if a pre file already exists it isn't overridden
• Invoke bash for bash scripts (bsc#1195391)
• Remove all systemd requires not supported on SLE15 (bsc#1214140)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update for apparmor fixes the following issues:

• Update zgrep profile to allow egrep helper use (bsc#1214458)

This update for libcontainers-common fixes the following issues:

• Require libcontainers-sles-mounts for *all* SLE products, and not just SLES. (bsc#1215291)

This update for glibc fixes the following issues:

• nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
• Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
• elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
• elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
• ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
• add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

This update for curl fixes the following issues:

• CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

This update of runc fixes the following issues:

• Update to runc v1.1.8.