Container summary for suse/sle-micro-iso/5.5

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update of cni fixes the following issues:

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update for containerd, runc fixes the following issues:
runc was updated to v1.1.9. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.9
containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

• https://github.com/containerd/containerd/releases/tag/v1.7.7
• https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
• Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages

This update for systemd fixes the following issues:

• Fix mismatch of nss-resolve version in Package Hub (no source code changes)

This update for aaa_base fixes the following issues:

• Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for nghttp2 fixes the following issues:

• CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update of icu fixes the following issue:

• missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

This update for curl fixes the following issues:

• CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
• CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

This update of man fixes the following problem:

• The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages.

This update for gpg2 fixes the following issues:

• `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

This update of runc and containerd fixes the following issues:
containerd:

• Update to containerd v1.7.8. Upstream release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8

• Update to catatonit v0.2.0. * Change license to GPL-2.0-or-later.

• Update to catatont v0.1.7 * This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done).

• Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors).

• Update to runc v1.1.10. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.10

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for lvm2 fixes the following issues:

• Fixed error creating linux volume on SAN device lvmlockd (bsc#1215229)

This update for curl fixes the following issues:

• libssh: Implement SFTP packet size limit (bsc#1216987)

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

This update for tar fixes the following issues:

• CVE-2023-39804: Fixed extension attributes in PAX archives incorrect hanling (bsc#1217969).

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
• Check localtime_r() return value to fix crashing (bsc#1217000)

This update for libssh fixes the following issues:
Security fixes:
- CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209) - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126) - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186) - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188) - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)
Other fixes:

• Update to version 0.9.8 - Allow @ in usernames when parsing from URI composes

• Update to version 0.9.7 - Fix several memory leaks in GSSAPI handling code

This update for systemd fixes the following issues:

• resolved: actually check authenticated flag of SOA transaction
• core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
• core: Add trace logging to mount_add_device_dependencies()
• core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
• core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
• core: wrap some long comment
• utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
• utmp-wtmp: Fix error in case isatty() fails
• homed: Handle EINTR gracefully when waiting for device node
• resolved: Handle EINTR returned from fd_wait_for_event() better
• sd-netlink: Handle EINTR from poll() gracefully, as success
• varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
• stdio-bridge: Don't be bothered with EINTR
• sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
• core: Replace slice dependencies as they get added (bsc#1214668)

This update for cpio fixes the following issues:

• CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571).

This update for util-linux fixes the following issues:

• Fix performance degradation (bsc#1207987)

This update for runc fixes the following issues:
Update to runc v1.1.11:

• CVE-2024-21626: Fixed container breakout. (bsc#1218894)

SUSE-CU-2023:3481-1

SUSE-CU-2023:3480-1

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update for glibc fixes the following issues:

• nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
• Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
• elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
• elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
• ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
• add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

This update for curl fixes the following issues:

• CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

This update for apparmor fixes the following issues:

• Update zgrep profile to allow egrep helper use (bsc#1214458)

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

This update for nghttp2 fixes the following issues:

• CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).

This update for curl fixes the following issues:

• CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
• CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

This update for openssl-1_1 fixes the following issues:

• Displays 'fips' in the version string (bsc#1215215)

This update for systemd-rpm-macros fixes the following issues:

• Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.

SUSE-CU-2023:3470-1

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:
Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

This update for libmspack fixes the following issues:
Security issues fixed:

• CVE-2018-18584: The CAB block input buffer was one byte too small for the maximal Quantum block, leading to an out-of-bounds write. (bsc#1113038)
• CVE-2018-18585: chmd_read_headers accepted a filename that has '\0' as its first or second character (such as the '/\0' name). (bsc#1113039)
• Fix off-by-one bounds check on CHM PMGI/PMGL chunk numbers and reject empty filenames.

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This is a version update for podman to version 1.4.4 (bsc#1143386).
Additional changes by SUSE on top:

• Remove fuse-overlayfs because it's (currently) an unsatisfied dependency on SLE (bsc#1143386)
• Update libpod.conf to use correct infra_command
• Update libpod.conf to use better versioned pause container
• Update libpod.conf to use official kubic pause container
• Update libpod.conf to match latest features set: detach_keys, lock_type, runtime_supports_json
• Add podman-remote varlink client

• Features

• Bugfixes

• Misc

• Fixed a bug where Podman could not run containers using an older version of Systemd as init
• Updated vendored Buildah to v1.9.0 to resolve a critical bug with Dockerfile RUN instructions
• The error message for running podman kill on containers that are not running has been improved
• Podman remote client can now log to a file if syslog is not available
• The podman exec command now sets its error code differently based on whether the container does not exist, and the command in the container does not exist
• The podman inspect command on containers now outputs Mounts JSON that matches that of docker inspect, only including user-specified volumes and differentiating bind mounts and named volumes
• The podman inspect command now reports the path to a container's OCI spec with the OCIConfigPath key (only included when the container is initialized or running)
• The podman run --mount command now supports the bind-nonrecursive option for bind mounts
• Fixed a bug where podman play kube would fail to create containers due to an unspecified log driver
• Fixed a bug where Podman would fail to build with musl libc
• Fixed a bug where rootless Podman using slirp4netns networking in an environment with no nameservers on the host other than localhost would result in nonfunctional networking
• Fixed a bug where podman import would not properly set environment variables, discarding their values and retaining only keys
• Fixed a bug where Podman would fail to run when built with Apparmor support but run on systems without the Apparmor kernel module loaded
• Remote Podman will now default the username it uses to log in to remote systems to the username of the current user
• Podman now uses JSON logging with OCI runtimes that support it, allowing for better error reporting
• Updated vendored containers/image to v2.0
• Update conmon to v0.3.0
• Support OOM Monitor under cgroup V2
• Add config binary and make target for configuring conmon with a go library for importing values

• Podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems.
• The podman cp now supports pause flag.
• The remote client now supports a configuration file for pre-configuring connections to remote Podman installations
• CVE-2019-10152: Fixed an iproper dereference of symlinks of the the podman cp command which introduced in version 1.1.0 (bsc#1136974).
• Fixed a bug where podman commit could improperly set environment variables that contained = characters
• Fixed a bug where rootless podman would sometimes fail to start containers with forwarded ports
• Fixed a bug where podman version on the remote client could segfault
• Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed
• Fixed a bug where filtering images by label did not work
• Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start
• Fixed a bug where podman generate kube did not work with containers with named volumes
• Fixed a bug where rootless podman would receive permission denied errors accessing conmon.pid
• Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it
• Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash
• Fixed a bug where podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime
• Fixed a bug where podman exec would fail on older kernels
• Podman commit command is now usable with the Podman remote client
• Signature-policy flag has been deprecated
• Updated vendored containers/storage and containers/image libraries with numerous bugfixes
• Updated vendored Buildah to v1.8.3
• Podman now requires Conmon v0.2.0
• The podman cp command is now aliased as podman container cp
• Rootless podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration
• Added fuse-overlayfs dependency to support overlay based rootless image manipulations
• The podman cp command can now read input redirected to STDIN, and output to STDOUT instead of a file, using - instead of an argument.
• The podman remote client now displays version information from both the client and server in podman version
• The podman unshare command has been added, allowing easy entry into the user namespace set up by rootless Podman (allowing the removal of files created by rootless podman, among other things)
• Fixed a bug where Podman containers with the --rm flag were removing created volumes when they were automatically removed
• Fixed a bug where container and pod locks were incorrectly marked as released after a system reboot, causing errors on container and pod removal
• Fixed a bug where Podman pods could not be removed if any container in the pod encountered an error during removal
• Fixed a bug where Podman pods run with the cgroupfs CGroup driver would encounter a race condition during removal, potentially failing to remove the pod CGroup
• Fixed a bug where the podman container checkpoint and podman container restore commands were not visible in the remote client
• Fixed a bug where podman remote ps --ns would not print the container's namespaces
• Fixed a bug where removing stopped containers with healthchecks could cause an error
• Fixed a bug where the default libpod.conf file was causing parsing errors
• Fixed a bug where pod locks were not being freed when pods were removed, potentially leading to lock exhaustion
• Fixed a bug where 'podman run' with SD_NOTIFY set could, on short-running containers, create an inconsistent state rendering the container unusable
• The remote Podman client now uses the Varlink bridge to establish remote connections by default
• Fixed an issue with apparmor_parser (bsc#1123387)

• Update to libpod v1.4.0 (bsc#1137860):
• The podman checkpoint and podman restore commands can now be used to migrate containers between Podman installations on different systems
• The podman cp command now supports a pause flag to pause containers while copying into them
• The remote client now supports a configuration file for pre-configuring connections to remote Podman installations
• Fixed CVE-2019-10152 - The podman cp command improperly dereferenced symlinks in host context
• Fixed a bug where podman commit could improperly set environment variables that contained = characters
• Fixed a bug where rootless Podman would sometimes fail to start containers with forwarded ports
• Fixed a bug where podman version on the remote client could segfault
• Fixed a bug where podman container runlabel would use /proc/self/exe instead of the path of the Podman command when printing the command being executed
• Fixed a bug where filtering images by label did not work
• Fixed a bug where specifying a bing mount or tmpfs mount over an image volume would cause a container to be unable to start
• Fixed a bug where podman generate kube did not work with containers with named volumes
• Fixed a bug where rootless Podman would receive permission denied errors accessing conmon.pid
• Fixed a bug where podman cp with a folder specified as target would replace the folder, as opposed to copying into it
• Fixed a bug where rootless Podman commands could double-unlock a lock, causing a crash
• Fixed a bug where Podman incorrectly set tmpcopyup on /dev/ mounts, causing errors when using the Kata containers runtime
• Fixed a bug where podman exec would fail on older kernels
• The podman commit command is now usable with the Podman remote client
• The --signature-policy flag (used with several image-related commands) has been deprecated
• The podman unshare command now defines two environment variables in the spawned shell: CONTAINERS_RUNROOT and CONTAINERS_GRAPHROOT, pointing to temporary and permanent storage for rootless containers
• Updated vendored containers/storage and containers/image libraries with numerous bugfixes
• Updated vendored Buildah to v1.8.3
• Podman now requires Conmon v0.2.0
• The podman cp command is now aliased as podman container cp
• Rootless Podman will now default init_path using root Podman's configuration files (/etc/containers/libpod.conf and /usr/share/containers/libpod.conf) if not overridden in the rootless configuration

• Update to image v1.5.1
• Vendor in latest containers/storage
• docker/docker_client: Drop redundant Domain(ref.ref) call
• pkg/blobinfocache: Split implementations into subpackages
• copy: progress bar: show messages on completion
• docs: rename manpages to *.5.command
• add container-certs.d.md manpage
• pkg/docker/config: Bring auth tests from docker/docker_client_test
• Don't allocate a sync.Mutex separately

• Add function to parse out mount options from graphdriver
• Merge the disparate parts of all of the Unix-like lockfiles
• Fix unix-but-not-Linux compilation
• Return XDG_RUNTIME_DIR as RootlessRuntimeDir if set
• Cherry-pick moby/moby #39292 for CVE-2018-15664 fixes
• lockfile: add RecursiveLock() API
• Update generated files
• Fix crash on tesing of aufs code
• Let consumers know when Layers and Images came from read-only stores
• chown: do not change owner for the mountpoint
• locks: correctly mark updates to the layers list
• CreateContainer: don't worry about mapping layers unless necessary
• docs: fix manpage for containers-storage.conf
• docs: sort configuration options alphabetically
• docs: document OSTree file deduplication
• Add missing options to man page for containers-storage
• overlay: use the layer idmapping if present
• vfs: prefer layer custom idmappings
• layers: propagate down the idmapping settings
• Recreate symlink when not found
• docs: fix manpage for configuration file
• docs: add special handling for manpages in sect 5
• overlay: fix single-lower test
• Recreate symlink when not found
• overlay: propagate errors from mountProgram
• utils: root in a userns uses global conf file
• Fix handling of additional stores
• Correctly check permissions on rootless directory
• Fix possible integer overflow on 32bit builds
• Evaluate device path for lvm
• lockfile test: make concurrent RW test determinisitc
• lockfile test: make concurrent read tests deterministic
• drivers.DirCopy: fix filemode detection
• storage: move the logic to detect rootless into utils.go
• Don't set (struct flock).l_pid
• Improve documentation of getLockfile
• Rename getLockFile to createLockerForPath, and document it
• Add FILES section to containers-storage.5 man page
• add digest locks
• drivers/copy: add a non-cgo fallback

• CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() (bsc#1123156)

• fuse3 and fuse-overlayfs to support rootless containers.

This update for runc fixes the following issues:
Security issue fixed:

• CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

• Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues:
podman was updated to 1.8.0:

• CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217)

• The name of the cni-bridge in the default config changed from 'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only excuted when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460).

• Features

• Bugfixes

• Misc

• Add apparmor-abstractions as required runtime dependency to have `tunables/global` available.

• fixed the --force flag for the 'container prune' command. (https://github.com/containers/libpod/issues/4844)

• Features

• Bugfixes

• Misc

• Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
• Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
• Suppress spurious log messages when running rootless Podman
• Update vendored containers/storage to v1.13.6
• Fix a deadlock related to writing events
• Do not use the journald event logger when it is not available

• Features

• Bugfixes

• Misc

• Features

• Bugfixes

• Misc

• Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration.

• Features

• Bugfixes

• Misc

• Add zsh completion for podman commands

• Features

• Bugfixes

• Misc

• Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries.

• do not look in lower layers for the ino if there is no origin xattr set
• attempt to use the file path if the operation on the fd fails with ENXIO
• do not expose internal xattrs through listxattr and getxattr
• fix fallocate for deleted files.
• ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL.
• on copyup, do not copy the opaque xattr.
• fix a wrong lookup for whiteout files, that could happen on a double unlink.
• fix possible segmentation fault in direct_fsync()
• use the data store to create missing whiteouts
• after a rename, force a directory reload
• introduce inodes cache
• correctly read inode for unix sockets
• avoid hash map lookup when possible
• use st_dev for the ino key
• check whether writeback is supported
• set_attrs: don't require write to S_IFREG
• ioctl: do not reuse fi->fh for directories
• fix skip whiteout deletion optimization
• store the new mode after chmod
• support fuse writeback cache and enable it by default
• add option to disable fsync
• add option to disable xattrs
• add option to skip ino number check in lower layers
• fix fd validity check
• fix memory leak
• fix read after free
• fix type for flistxattr return
• fix warnings reported by lgtm.com
• enable parallel dirops

• Set correct CNI version for 99-loopback.conf

• Library changes:

• Documentation & Convention changes:

• Spec changes:

• Library changes:

• Install sleep binary into CNI plugin directory

• add support for mips64le
• Add missing cniVersion in README example
• bump go-iptables module to v0.4.5
• iptables: add idempotent functions
• portmap doesn't fail if chain doesn't exist
• fix portmap port forward flakiness
• Add Bruce Ma and Piotr Skarmuk as owners

• Enhancements: * static: prioritize the input sources for IPs (#400). * tuning: send gratuitous ARP in case of MAC address update (#403). * bandwidth: use uint64 for Bandwidth value (#389). * ptp: only override DNS conf if DNS settings provided (#388). * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383). * loopback support CNI CHECK and result cache (#374).

• Better input validation: * vlan: add MTU validation to loadNetConf (#405). * macvlan: add MTU validation to loadNetConf (#404). * bridge: check vlan id when loading net conf (#394).

• Bugfixes:

• Docs:

• New features:

• Bug fixes: * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists * host-device: revert name setting to make retries idempotent (#357). * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10 * Update go.mod & go.sub * Remove link Down/Up in MAC address change to prevent route flush (#364). * pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is 'invalid argument' not 'file exists' * bump containernetworking/cni to v0.7.1

• Bugs:

• Improvements: * host-device: add pciBusID property

• New plugins:

• Plugin features / changelog:

• Bug fixes & minor changes * Correctly DEL on ipam failure for all plugins * Fix bug on ip revert if cmdAdd fails on macvlan and host-device * host-device: Ensure device is down before rename * Fix -hostprefix option * some DHCP servers expect to request for explicit router options * bridge: release IP in case of error * change source of ipmasq rule from ipn to ip

• This release takes a minor change to the portmap plugin: * Portmap: append, rather than prepend, entry rules

• This fixes a potential issue where firewall rules may be bypassed by port mapping

This update for podman, slirp4netns fixes the following issues:
slirp4netns was updated to 0.4.4 (bsc#1167850):

• libslirp: Update to v4.2.0: * New API function slirp_add_unix: add a forward rule to a Unix socket. * New API function slirp_remove_guestfwd: remove a forward rule previously added by slirp_add_exec, slirp_add_unix or slirp_add_guestfwd * New SlirpConfig.outbound_addr{,6} fields to bind output socket to a specific address * socket: do not fallback on host loopback if get_dns_addr() failed or the address is in slirp network * ncsi: fix checksum OOB memory access * tcp_emu(): fix OOB accesses * tftp: restrict relative path access * state: fix loading of guestfwd state

• api: raise an error if the socket path is too long
• libslirp: update to v4.1.0: Including the fix for libslirp sends RST to app in response to arriving FIN when containerized socket is shutdown() with SHUT_WR
• Fix create_sandbox error

• Do not propagate mounts to the parent ns in sandbox

• Support specifying netns path (slirp4netns --netns-type=path PATH TAPNAME)
• Support specifying --userns-path
• Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)
• Bring up loopback device when --configure is specified
• Support sandboxing by creating a mount namespace (--enable-sandbox)
• Support seccomp (--enable-seccomp)
• Add new build dependencies libcap-devel and libseccomp-devel

• Fix use-after-free in libslirp

• Fix heap overflow in `ip_reass` on big packet input

• Fix use-after-free

• Fixed dependency on slirp4netns. We need at least 0.4.0 now (bsc#1167850)

This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10

• CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
• Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).

This update for slirp4netns fixes the following issues:
Security issue fixed:

• CVE-2020-1983: Fixed a use-after-free in ip_reass (bsc#1170940).

This update for libmspack fixes the following issues:
Security issue fixed:

• CVE-2019-1010305: Fixed a buffer overflow triggered by a crafted chm file which could have led to information disclosure (bsc#1141680).

• Enable build-time tests (bsc#1130489)

This update for slirp4netns fixes the following issues:

• Update to 0.4.7 (bsc#1172380) * libslirp: update to v4.3.1 (Fix CVE-2020-10756) * Fix config_from_options() to correctly enable ipv6

This update for libtool provides missing the libltdl 32bit library. (bsc#1171566)

This update ships cni and cni-plugins to the Public Cloud Module of SUSE Linux Enterprise 15 SP2.

This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790)

libreoffice:

• Image shown with different aspect ratio (bsc#1176547)
• Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644)
• Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375)
• Wrong bullet points in Impress (bsc#1174465)
• SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955)
• Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon
• Fix a crash opening a PPTX. (bsc#1179025)
• Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807)
• Shadow effects for table completely missing (bsc#1178944, bsc#1178943)
• Disable firebird integration for the time being (bsc#1179203)
• Fixes hang on Writer on scrolling/saving of a document (bsc#1136234)
• Wrong rendering of bulleted lists in PPTX document (bsc#1155141)
• Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404)
• Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658)

• fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values.
• worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code.
• added new function to allow printing of single formula tokens.
• added method for setting cached results on formula cells in model_context.
• changed the model_context design to ensure that all sheets are of the same size.
• added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell.
• added cell_access class for querying of cell states without knowing its type ahead of time.
• added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations.
• deprecated model_context::erase_cell() in favor of empty_cell().
• added support for 3D references - references that contain multiple sheets.
• added support for the exponent (^) and concatenation (&) operators.
• fixed incorrect handling of range references containing whole columns such as A:A.
• added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1.
• fixed a bug that prevented nested formula functions from working properly.
• implemented Calc A1 style reference resolver.
• formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings.
• Removed build-time dependency on spdlog.

• add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork
• add a parser for Canvas 3 and 3.5 files
• AppleWorks parser: try to retrieve more Windows presentation
• add a parser for Drawing Table files
• add a parser for Canvas 2 files
• API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined
• remove the QuarkXPress parser (must be in libqxp)
• retrieve the annotation in MsWord 5 document
• try to better understand RagTime 5-6 document

• Add upstream changes to fix build with GCC 11 (bsc#1181872)

• fix `text:sender-lastname` when creating meta-data

• XYWrite: add a parser to .fil v2 and v4 files
• wks,wk1: correct some problems when retrieving cell's reference.

• See also: https://www.glfw.org/changelog.html
• Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified
• Made build of geany-tags optional.

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

• Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
• CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
• CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
• btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

• Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
• Fixed /dev/null is not available (bsc#1168481).
• CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

• CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
• Handle a requirement from docker (bsc#1181594).

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for libmspack fixes the following issues:

• CVE-2018-14681: Bad KWAJ file header extensions could cause a one or two byte overwrite. (bsc#1103032)
• CVE-2018-14682: There is an off-by-one error in the TOLOWER() macro for CHM decompression. (bsc#1103032)
• CVE-2018-14679: There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service. (bsc#1103032)

This update for unixODBC fixes the following issues:

• ECO: Update unixODBC to 2.3.9 in SLE 15. (jsc#SLE-18004)
• Fix incorrect permission for documentation files.
• Update requires and baselibs for new libodbc2.
• Employ shared library packaging guideline: new subpacakge libodbc2.
• Update to 2.3.9: * Remove '#define UNIXODBC_SOURCE' from unixodbc_conf.h

• Update to 2.3.8: * Add configure support for editline * SQLDriversW was ignoring user config * SQLDataSources Fix termination character * Fix for pooling seg fault * Make calling SQLSetStmtAttrW call the W function in the driver is its there * Try and fix race condition clearing system odbc.ini file * Remove trailing space from isql/iusql SQL * When setting connection attributes set before connect also check if the W entry poins can be used * Try calling the W error functions first if available in the driver * Add iconvperdriver configure option to allow calling unicode_setup in SQLAllocHandle * iconv handles was being lost when reusing pooled connection * Catch null copy in iniPropertyInsert * Fix a few leaks

• Update to 2.3.7: * Fix for pkg-config file update on no linux platforms * Add W entry for GUI work * Various fixes for SQLBrowseConnect/W, SQLGetConnectAttr/W,and SQLSetConnectAttr/W * Fix buffer overflows in SQLConnect/W and refine behaviour of SQLGet/WritePrivateProfileString * SQLBrowseConnect/W allow disconnecting a started browse session after error * Add --with-stats-ftok-name configure option to allow the selection of a file name used to generate the IPC id when collecting stats. Default is the system odbc.ini file * Improve diag record handling with the behavior of Windows DM and export SQLCancelHandle * bug fix when SQLGetPrivateProfileString() is called to get a list of sections or a list of keys * Connection pooling: Fix liveness check for Unicode drivers

This update for runc fixes the following issues:

• Fixed an issue when toolbox container fails to start. (bsc#1189743)

This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

• CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

• Install systemd service file as well (bsc#1190826)

• Fixed a failure to set CPU quota period in some cases on cgroup v1.
• Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that has action equal to the default one). Such redundant rules are now skipped.
• Made release builds reproducible from now on.
• Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
• Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

• Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
• Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
• cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
• cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
• cgroup/systemd/v2: don't freeze cgroup on Set.
• cgroup/systemd/v1: avoid unnecessary freeze on Set.
• fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

• cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
• cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
• cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
• cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
• cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
• cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
• cgroupv2: support SkipDevices with systemd driver
• cgroup/systemd: return, not ignore, stop unit error from Destroy
• Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
• cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
• cgroup1: blkio: support BFQ weights.
• cgroupv2: set per-device io weights if BFQ IO scheduler is available.

• cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

• seccomp: fix 32-bit compilation errors
• runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
• runc start: fix 'chdir to cwd: permission denied' for some setups

This update for runc fixes the following issues:
Update to runc v1.0.3.

• CVE-2021-43784: Fixed a potential vulnerability related to the internal usage of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
• Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
• Fixed inability to start when read-only /dev in set in spec.
• Fixed not removing sub-cgroups upon container delete, when rootless cgroup v2 is used with older systemd.
• Fixed returning error from GetStats when hugetlb is unsupported (which causes excessive logging for kubernetes).

This update for libmspack fixes the following issues:

• CVE-2018-18586: Fixed directory traversal in chmextract by adding anti '../' and leading slash protection (bsc#1113040).

This update for slirp4netns fixes the following issues:

• CVE-2020-29130: Fixed an invalid memory access while processing ARP packets (bsc#1179467).

This update for tar fixes the following issues:

• CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
• CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
• CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

• Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges

• Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files

• prepare usrmerge (bsc#1029961)

• Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite

• Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived.

This update for containerd, docker and runc fixes the following issues:
containerd:

• CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

• Update to Docker 20.10.17-ce. See upstream changelog online at https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

• Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return `-EPERM` despite the existence of the `-ENOSYS` stub code (this was due to how s390x does syscall multiplexing).
• Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
• Inability to compile with recent clang due to an issue with duplicate constants in libseccomp-golang.
• When using systemd cgroup driver, skip adding device paths that don't exist, to stop systemd from emitting warnings about those paths.
• Socket activation was failing when more than 3 sockets were used.
• Various CI fixes.
• Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
• Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

• CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. (bsc#1199460)

• `runc spec` no longer sets any inheritable capabilities in the created example OCI spec (`config.json`) file.

• runc run/start can now run a container with read-only /dev in OCI spec, rather than error out. (#3355)
• runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403) libcontainer systemd v2 manager no longer errors out if one of the files listed in /sys/kernel/cgroup/delegate do not exist in container's cgroup. (#3387, #3404)
• Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported' error. (#3406)
• libcontainer/cgroups no longer panics in cgroup v1 managers if stat of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

• libcontainer will now refuse to build without the nsenter package being correctly compiled (specifically this requires CGO to be enabled). This should avoid folks accidentally creating broken runc binaries (and incorrectly importing our internal libraries into their projects). (#3331)

• Add support for RDMA cgroup added in Linux 4.11.
• runc exec now produces exit code of 255 when the exec failed. This may help in distinguishing between runc exec failures (such as invalid options, non-running container or non-existent binary etc.) and failures of the command being executed.
• runc run: new --keep option to skip removal exited containers artefacts. This might be useful to check the state (e.g. of cgroup controllers) after the container hasexited.
• seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD (the latter is just an alias for SCMP_ACT_KILL).
• seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows users to create sophisticated seccomp filters where syscalls can be efficiently emulated by privileged processes on the host.
• checkpoint/restore: add an option (--lsm-mount-context) to set a different LSM mount context on restore.
• intelrdt: support ClosID parameter.
• runc exec --cgroup: an option to specify a (non-top) in-container cgroup to use for the process being executed.
• cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1 machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc run/exec now adds the container to the appropriate cgroup under it).
• sysctl: allow slashes in sysctl names, to better match sysctl(8)'s behaviour.
• mounts: add support for bind-mounts which are inaccessible after switching the user namespace. Note that this does not permit the container any additional access to the host filesystem, it simply allows containers to have bind-mounts configured for paths the user can access but have restrictive access control settings for other users.
• Add support for recursive mount attributes using mount_setattr(2). These have the same names as the proposed mount(8) options -- just prepend r to the option name (such as rro).
• Add runc features subcommand to allow runc users to detect what features runc has been built with. This includes critical information such as supported mount flags, hook names, and so on. Note that the output of this command is subject to change and will not be considered stable until runc 1.2 at the earliest. The runtime-spec specification for this feature is being developed in opencontainers/runtime-spec#1130.
• system: improve performance of /proc/$pid/stat parsing.
• cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change the ownership of certain cgroup control files (as per /sys/kernel/cgroup/delegate) to allow for proper deferral to the container process.
• runc checkpoint/restore: fixed for containers with an external bind mount which destination is a symlink.
• cgroup: improve openat2 handling for cgroup directory handle hardening. runc delete -f now succeeds (rather than timing out) on a paused container.
• runc run/start/exec now refuses a frozen cgroup (paused container in case of exec). Users can disable this using --ignore-paused.
• Update version data embedded in binary to correctly include the git commit of the release.

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for pcre2 fixes the following issues:

• CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

This update for tar fixes the following issues:

• Fix race condition while creating intermediate subdirectories (bsc#1200657)

This update for tar fixes the following issues:

• A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

This update for icu fixes the following issues:

• CVE-2020-21913: Fixed a memory safetey issue that could lead to use after free (bsc#1193951).

This update for runc fixes the following issues:

• Fix mounting via wrong proc fd. When the user and mount namespaces are used, and the bind mount is followed by the cgroup mount in the spec, the cgroup was mounted using the bind mount's mount fd.
• Fix 'permission denied' error from runc run on noexec fs
• Fix regression causing a failed 'exec' error after systemctl daemon-reload (bsc#1202821)

This update for runc fixes the following issues:

• Update to runc v1.1.4 (bsc#1202021)
• Fix failed exec after systemctl daemon-reload (bsc#1202821)
• Fix mounting via wrong proc
• Fix 'permission denied' error from runc run on noexec filesystem

This update for tar fixes the following issues:

• Fix unexpected inconsistency when making directory (bsc#1203600)
• Update race condition fix (bsc#1200657)

This update for cni fixes the following issues:

• CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

This update for tar fixes the following issue:

• Fix hang when unpacking test tarball (bsc#1202436)

This update for tar fixes the following issues:

• CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).

• Fix hang when unpacking test tarball (bsc#1202436).

This update for libxslt fixes the following issues:

• CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

This update for slirp4netns fixes the following issues:

• CVE-2020-29129: Fixed out-of-bounds access while processing NCSI packets (bsc#1179466).
• CVE-2020-29130: Fixed out-of-bounds access while processing ARP packets (bsc#1179467).

This update for libcontainers-common fixes the following issues:

• Add registry.suse.com to the unqualified-search-registries (bsc#1205536)
• New upstream release 20230214
• bump c/storage to 1.45.3
• bump c/image to 5.24.1
• bump c/common to 0.51.0
• containers.conf: - add commented out options containers.read_only, engine.platform_to_oci_runtime,

This update for systemd-rpm-macros fixes the following issue:

• Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

This update for kbd fixes the following issue:

• Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)

This update for systemd-rpm-macros fixes the following issues:

• Adjust functions so they are disabled when called from a chroot (bsc#1211272)

This update for dbus-1 fixes the following issues:

• CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for curl fixes the following issues:

• CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

This update for apparmor fixes the following issues:

• Add pam_apparmor README (bsc#1213472)

This update for util-linux fixes the following issues:

• Fix blkid for floppy drives (bsc#1194900)
• Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
• Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

This update for systemd fixes the following issues:

• Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
• Decrease devlink priority for iso disks (bsc#1213185)
• Do not ignore mount point paths longer than 255 characters (bsc#1208194)
• Refuse hibernation if there's no possible way to resume (bsc#1186606)
• Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
• Drop some entries no longer needed by YaST (bsc#1194609)
• The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
• Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

This update for lvm2 fixes the following issues:

• blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

SUSE-CU-2023:3469-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for zlib fixes the following issues:

• Update the s390 patchset. (bsc#1137624)
• Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
• Use FAT LTO objects in order to provide proper static library.
• Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
• Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for zlib fixes the following issues:

• Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
• Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for cracklib fixes the following issues:

• Fixed a buffer overflow when processing long words.

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for systemd-rpm-macros fixes the following issues:

• Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034)

This update for systemd-rpm-macros fixes the following issues:

• Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir

• Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for gzip fixes the following issue:

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

This update for systemd-rpm-macros fixes the following issues:

• Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart
• Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun().
• Does no longer apply presets when migrating from a disabled initscript (bsc#1178481)
• Fix importing of %{_unitdir}

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for systemd-rpm-macros fixes the following issues:

• Bump to version 6

• Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM.

• Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update.

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for systemd-rpm-macros fixes the following issues:

• Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012)
• Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661)

This update for nghttp2 fixes the following issues:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

This update for gzip fixes the following issues:

• Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

This update for gzip fixes the following issues:

• Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for gzip fixes the following issue:

• gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for nghttp2 fixes the following issue:

• The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for pam-config fixes the following issues:

• Add 'revoke' to the option list for 'pam_keyinit'.
• Fixed an issue when pam-config fails to create a new service config file. (bsc#1187091)

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for systemd-default-settings fixes the following issue:

• Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

This update for systemd-rpm-macros fixes the following issues:

• Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332)
• Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead.
• %sysusers_create_inline: use here-docs instead of echo (bsc#1186282)

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for kmod fixes the following issues:

• Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190).
• Enable support for ZSTD compressed modules
• Display module information even for modules built into the running kernel (bsc#1189537)
• '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well.
• Remove test patches included in release 29

• Update to release 29 * Fix `modinfo -F` not working for built-in modules and certain fields. * Fix a memory leak, overflow and double free on error path.

This update for glibc fixes the following issues:

• CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
• CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for kmod fixes the following issues:

• Enable ZSTD compression (bsc#1192104)(jsc#SLE-21256)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for cracklib fixes the following issues:

• Enable build time tests (bsc#1191736)

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for brotli fixes the following issues:

• CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

glibc was updated to fix the following issue:

• Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

This update for systemd-rpm-macros fixes the following issues:

• Introduce rpm macro %_systemd_util_dir

This update for kmod fixes the following issues:

• Ensure that kmod and packages linking to libkmod provide same features. (bsc#1193430)

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for json-c fixes the following issues:

• CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)