Container summary for

SUSE-CU-2023:3915-1

This update for libzypp fixes the following issues:

• RepoManager: remember execution errors in exception history (bsc#1193007)
• Fix exception handling when reading or writing credentials (bsc#1194898)
• Fix install path for parser (bsc#1194597)
• Fix Legacy include (bsc#1194597)
• Public header files on older distros must use c++11 (bsc#1194597)

This update for libzypp, zypper fixes the following issues:

• Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

This update for expat fixes the following issues:

• CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
• CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

This update for coreutils fixes the following issues:

• Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
• Properly sort docs and license files (bsc#1082318).

This update for systemd fixes the following issues:

• systemctl: exit with 1 if no unit files found (bsc#1193841).
• add rules for virtual devices (bsc#1193759).
• enforce 'none' for loop devices (bsc#1193759).

This update for yast2-network fixes the following issues:

• Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for openldap2 fixes the following issue:

• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

glibc was updated to fix the following issues:
Security issues fixed:

• CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
• CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
• CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

• Fix pthread_rwlock_try*lock stalls (bsc#1195560)

This update for expat fixes the following issues:

• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server

• Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
• Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

• Enable syscallfilter unconditionally [bsc#1181826].

• By default we don't write log files but log to journald, so only recommend logrotate.

• Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

• Add support for more accurate reading of PHC on Linux 5.0
• Add support for hardware timestamping on interfaces with read-only timestamping configuration
• Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
• Update seccomp filter to work on more architectures
• Validate refclock driver options
• Fix bindaddress directive on FreeBSD
• Fix transposition of hardware RX timestamp on Linux 4.13 and later
• Fix building on non-glibc systems

• Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

• Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

This update for openssl-1_1 fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for libtirpc fixes the following issues:

• Fix memory leak in client protocol version 2 code (bsc#1193805)

This update for openldap2 fixes the following issue:

• Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for systemd fixes the following issues:

• allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for gzip fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

• Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)
• Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for systemd-presets-common-SUSE fixes the following issue:

• enable vgauthd service for VMWare by default (bsc#1195251)

This update for binutils fixes the following issues:

• The official name IBM z16 for IBM zSeries arch14 is recognized. (bsc#1198237)

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for llvm7 fixes the following issues:

• Backport fixes and changes from Factory. (bsc#1197775)
• Drop RUNPATH from packaged binaries, instead set LD_LIBRARY_PATH for building and testing to simulate behavior of actual package.
• Fix build with linux-glibc-devel 5.13.

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for gzip fixes the following issues:

• CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for openldap2 fixes the following issues:
Security:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for gcc8 fixes the following issues:

• Fix build against SP4. (bsc#1197716)
• Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for binutils fixes the following issues:

• Revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422]
• Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

This update for binutils fixes the following issues:

• For building the shim 15.6~rc1 and later versions aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458)

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for systemd-presets-branding-SLE fixes the following issues:

• Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• basic/env-util: Allow newlines in values of environment variables
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
• shared/install: fix error codes returned by install_context_apply()
• shared/install: ignore failures for auxiliary files
• systemctl: suppress enable/disable messages when `-q` is given
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
• CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).
• CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).
• CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

This update for gnutls fixes the following issues:

• CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).
• CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

This update for systemd-presets-common-SUSE fixes the following issues:

• CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

• Modify branding-preset-states to fix systemd-presets-common-SUSE not enabling new user systemd service preset configuration just as it handles system service presets. By passing an (optional) second parameter 'user', the save/apply-changes commands now work with user services instead of system ones (bsc#1200485)

• Add the wireplumber user service preset to enable it by default in SLE15-SP4 where it replaced pipewire-media-session, but keep pipewire-media-session preset so we don't have to branch the systemd-presets-common-SUSE package for SP4 (bsc#1200485)

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680).

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for cyrus-sasl fixes the following issues:

• CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)

This update for aaa_base and iputils fixes the following issues:
aaa_base:

• Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
• The wrapper rootsh is not a restricted shell (bsc#1199492)

• Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for binutils fixes the following issues:
The following security bugs were fixed:

• CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
• CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
• CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
• CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
• CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
• CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
• CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
• CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
• CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
• CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).

• SLE toolchain update of binutils, update to 2.39 from 2.37.
• Update to 2.39: * The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set. These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions. The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary. * The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance to the Package Metadata specification. * In linker scripts it is now possible to use TYPE= in an output section description to set the section type value. * The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. (Currently: AVR, RiscV, s390, x86, x86_64). * The nm program now supports a --no-weak/-W option to make it ignore weak symbols. * The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links. * The objcopy program's --weaken, --weaken-symbol, and --weaken-symbols options now works with unique symbols as well.

• Update to 2.38: * elfedit: Add --output-abiversion option to update ABIVERSION. * Add support for the LoongArch instruction set. * Tools which display symbols or strings (readelf, strings, nm, objdump) have a new command line option which controls how unicode characters are handled. By default they are treated as normal for the tool. Using --unicode=locale will display them according to the current locale. Using --unicode=hex will display them as hex byte values, whilst --unicode=escape will display them as escape sequences. In addition using --unicode=highlight will display them as unicode escape sequences highlighted in red (if supported by the output device). * readelf -r dumps RELR relative relocations now. * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been added to objcopy in order to enable UEFI development using binutils. * ar: Add --thin for creating thin archives. -T is a deprecated alias without diagnostics. In many ar implementations -T has a different meaning, as specified by X/Open System Interface. * Add support for AArch64 system registers that were missing in previous releases. * Add support for the LoongArch instruction set. * Add a command-line option, -muse-unaligned-vector-move, for x86 target to encode aligned vector move as unaligned vector move. * Add support for Cortex-R52+ for Arm. * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64. * Add support for Cortex-A710 for Arm. * Add support for Scalable Matrix Extension (SME) for AArch64. * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the assembler what to when it encoutners multibyte characters in the input. The default is to allow them. Setting the option to 'warn' will generate a warning message whenever any multibyte character is encountered. Using the option to 'warn-sym-only' will make the assembler generate a warning whenever a symbol is defined containing multibyte characters. (References to undefined symbols will not generate warnings). * Outputs of .ds.x directive and .tfloat directive with hex input from x86 assembler have been reduced from 12 bytes to 10 bytes to match the output of .tfloat directive. * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in AArch64 GAS. * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS. * Add support for Intel AVX512_FP16 instructions. * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF linker to pack relative relocations in the DT_RELR section. * Add support for the LoongArch architecture. * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF linker to control canonical function pointers and copy relocation. * Add --max-cache-size=SIZE to set the the maximum cache size to SIZE bytes.
• Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
• Add gprofng subpackage.
• Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
• Add back fix for bsc#1191473, which got lost in the update to 2.38.
• Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
• Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for libdb-4_8 fixes the following issues:

• CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for cni fixes the following issues:

• CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

This update for cni-plugins fixes the following issues:

• CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

This update for util-linux fixes the following issues:

• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).

This update for c-ares fixes the following issues:
Updated to version 1.19.0:
- CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

This update for systemd-presets-common-SUSE fixes the following issue:

• Enable systemd-pstore.service by default (jsc#PED-2663)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).
• CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).

This update for protobuf-c fixes the following issues:

• CVE-2022-48468: Fixed an unsigned integer overflow. (bsc#1210323)

This update for permissions fixes the following issues:

• mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for libzypp, zypper fixes the following issues:

• Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
• multicurl: propagate ssl settings stored in repo url (bsc#1127591)
• MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Teach MediaNetwork to retry on HTTP2 errors.
• Fix selecting installed patterns from picklist (bsc#1209406)
• man: better explanation of --priority

This update for c-ares fixes the following issues:
Update to version 1.19.1:

• CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
• CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
• CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
• CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
• Fix uninitialized memory warning in test
• ares_getaddrinfo() should allow a port of 0
• Fix memory leak in ares_send() on error
• Fix comment style in ares_data.h
• Fix typo in ares_init_options.3
• Sync ax_pthread.m4 with upstream
• Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support

This update of cni-plugins fixes the following issues:

• rebuild the package with the go 1.19 security release (bsc#1200441).

This update of cni fixes the following issues:

• rebuild the package with the go 1.19 security release (bsc#1200441).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for libzypp fixes the following issues:

• Do not unconditionally release a medium if provideFile failed (bsc#1211661)
• libzypp.spec.cmake: remove duplicate file listing
• Update to version 17.31.12 (22)

This update for libzypp fixes the following issue:

• Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

• Update further expiring certificates that affect tests [bsc#1201627] * Add openssl-Update-further-expiring-certificates.patch

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for libzypp, zypper fixes the following issues:
libzypp was updated to version 17.31.14 (22):

• build: honor libproxy.pc's includedir (bsc#1212222)
• Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.

• targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
• targetos: Update help and man page (bsc#1211261)

This update of cni fixes the following issues:

• rebuild the package with the go 1.20 security release (bsc#1206346).

This update of cni-plugins fixes the following issues:

• rebuild the package with the go 1.20 security release (bsc#1206346).

This update for dbus-1 fixes the following issues:

• CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for util-linux fixes the following issues:

• Fix memory leak on parse errors in libmount. (bsc#1193015)

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

This update for libdb-4_8 fixes the following issues:

• Fix incomplete license tag (bsc#1099695)

This update for openssl-1_1 fixes the following issues:

• Dont pass zero length input to EVP_Cipher (bsc#1213517)

This update for cryptsetup fixes the following issues:

• Handle system with low memory and no swap space (bsc#1211079)

This update for binutils fixes the following issues:

• Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for gawk fixes the following issues:

• CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for libzypp, zypper fixes the following issues:

• Fix occasional isue with downloading very small files (bsc#1213673)
• Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
• Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
• Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
• Revised explanation of --force-resolution in man page (bsc#1213557)
• Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
• CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
• CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
• CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
• CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
• CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for gcc7 fixes the following issues:
Security issue fixed:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

• Fixed KASAN kernel compile. [bsc#1205145]
• Fixed ICE with C++17 code as reported in [bsc#1204505]
• Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517):
• Adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update of cni fixes the following issues:

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update of cni-plugins fixes the following issues:

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update for binutils fixes the following issues:
Update to version 2.41 [jsc#PED-5778]:

• The MIPS port now supports the Sony Interactive Entertainment Allegrex processor, used with the PlayStation Portable, which implements the MIPS II ISA along with a single-precision FPU and a few implementation-specific integer instructions.
• Objdump's --private option can now be used on PE format files to display the fields in the file header and section headers.
• New versioned release of libsframe: libsframe.so.1. This release introduces versioned symbols with version node name LIBSFRAME_1.0. This release also updates the ABI in an incompatible way: this includes removal of sframe_get_funcdesc_with_addr API, change in the behavior of sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
• SFrame Version 2 is now the default (and only) format version supported by gas, ld, readelf and objdump.
• Add command-line option, --strip-section-headers, to objcopy and strip to remove ELF section header from ELF file.
• The RISC-V port now supports the following new standard extensions:

• The RISC-V port now supports the following vendor-defined extensions: - XVentanaCondOps
• Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
• A new .insn directive is recognized by x86 gas.
• Add SME2 support to the AArch64 port.
• The linker now accepts a command line option of --remap-inputs = to relace any input file that matches with . In addition the option --remap-inputs-file= can be used to specify a file containing any number of these remapping directives.
• The linker command line option --print-map-locals can be used to include local symbols in a linker map. (ELF targets only).
• For most ELF based targets, if the --enable-linker-version option is used then the version of the linker will be inserted as a string into the .comment section.
• The linker script syntax has a new command for output sections: ASCIZ 'string' This will insert a zero-terminated string at the current location.
• Add command-line option, -z nosectionheader, to omit ELF section header.

• Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md): * bsc#1209642 aka CVE-2023-1579 aka PR29988 * bsc#1210297 aka CVE-2023-1972 aka PR30285 * bsc#1210733 aka CVE-2023-2222 aka PR29936 * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc) * bsc#1214565 aka CVE-2020-19726 aka PR26240 * bsc#1214567 aka CVE-2022-35206 aka PR29290 * bsc#1214579 aka CVE-2022-35205 aka PR29289 * bsc#1214580 aka CVE-2022-44840 aka PR29732 * bsc#1214604 aka CVE-2022-45703 aka PR29799 * bsc#1214611 aka CVE-2022-48065 aka PR29925 * bsc#1214619 aka CVE-2022-48064 aka PR29922 * bsc#1214620 aka CVE-2022-48063 aka PR29924 * bsc#1214623 aka CVE-2022-47696 aka PR29677 * bsc#1214624 aka CVE-2022-47695 aka PR29846 * bsc#1214625 aka CVE-2022-47673 aka PR29876

• This only existed only for a very short while in SLE-15, as the main variant in devel:gcc subsumed this in binutils-revert-rela.diff. Hence:

• Document fixed CVEs:

• Enable bpf-none cross target and add bpf-none to the multitarget set of supported targets.
• Disable packed-relative-relocs for old codestreams. They generate buggy relocations when binutils-revert-rela.diff is active. [bsc#1206556]
• Disable ZSTD debug section compress by default.
• Enable zstd compression algorithm (instead of zlib) for debug info sections by default.
• Pack libgprofng only for supported platforms.
• Move libgprofng-related libraries to the proper locations (packages).
• Add --without=bootstrap for skipping of bootstrap (faster testing of the package).

• Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

• Objdump has a new command line option --show-all-symbols which will make it display all symbols that match a given address when disassembling. (Normally only the first symbol that matches an address is shown).
• Add --enable-colored-disassembly configure time option to enable colored disassembly output by default, if the output device is a terminal. Note, this configure option is disabled by default.
• DCO signed contributions are now accepted.
• objcopy --decompress-debug-sections now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
• addr2line and objdump --dwarf now support zstd compressed debug sections.
• The dlltool program now accepts --deterministic-libraries and --non-deterministic-libraries as command line options to control whether or not it generates deterministic output libraries. If neither of these options are used the default is whatever was set when the binutils were configured.
• readelf and objdump now have a newly added option --sframe which dumps the SFrame section.
• Add support for Intel RAO-INT instructions.
• Add support for Intel AVX-NE-CONVERT instructions.
• Add support for Intel MSRLIST instructions.
• Add support for Intel WRMSRNS instructions.
• Add support for Intel CMPccXADD instructions.
• Add support for Intel AVX-VNNI-INT8 instructions.
• Add support for Intel AVX-IFMA instructions.
• Add support for Intel PREFETCHI instructions.
• Add support for Intel AMX-FP16 instructions.
• gas now supports --compress-debug-sections=zstd to compress debug sections with zstd.
• Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
• Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs, XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx, XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head ISA manual, which are implemented in the Allwinner D1.
• Add support for the RISC-V Zawrs extension, version 1.0-rc4.
• Add support for Cortex-X1C for Arm.
• New command line option --gsframe to generate SFrame unwind information on x86_64 and aarch64 targets.
• The linker has a new command line option to suppress the generation of any warning or error messages. This can be useful when there is a need to create a known non-working binary. The option is -w or --no-warnings.
• ld now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
• Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
• Remove support for -z bndplt (MPX prefix instructions).

• Includes fixes for these CVEs:

• Enable by default: --enable-colored-disassembly.
• fix build on x86_64_vX platforms

This update for zypper fixes the following issues:

• Fix name of the bash completion script (bsc#1215007)
• Update notes about failing signature checks (bsc#1214395)
• Improve the SIGINT handler to be signal safe (bsc#1214292)
• Update to version 1.14.64
• Changed location of bash completion script (bsc#1213854).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
• Run vismain only if linker supports protected data symbol (bsc#1215505)

This update of cni fixes the following issues:

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update of cni-plugins fixes the following issues:

• rebuild the package with the go 1.21 security release (bsc#1212475).

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update for util-linux fixes the following issues:

• CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

This update for libzypp, zypper fixes the following issues:

• Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
• Fix comment typo on zypp.conf (bsc#1215979)
• Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
• Make sure the old target is deleted before a new one is created (bsc#1203760)
• Return 104 also if info suggests near matches
• Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
• commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

Updates Cilium addon as it got rebuild to include a couple of sercurity fixes

SUSE-CU-2022:69-1

This update for gzip fixes the following issues:
Update from version 1.9 to version 1.10 (jsc#ECO-2217, jsc#SLE-12974)

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)

• Fix three data corruption issues. (bsc#1145276, jsc#SLE-5818, jsc#SLE-8914)
• Add support for `DFLTCC` (hardware-accelerated deflation) for s390x arch. (jsc#SLE-5818, jsc#SLE-8914)

• Compressed gzip output no longer contains the current time as a timestamp when the input is not a regular file. Instead, the output contains a `null` (zero) timestamp. This makes gzip's behavior more reproducible when used as part of a pipeline.
• A use of uninitialized memory on some malformed inputs has been fixed.
• A few theoretical race conditions in signal handlers have been fixed.
• Update gnulib for `libio.h` removal.

This update for llvm7 fixes the following issues:

• Fix dsymutil crash on ELF file. (bsc#1176964)
• Add Conflicts: clang-tools to clang7 and llvm7 packages to properly handle newer llvm versions. (bsc#1179155)

This update for util-linux fixes the following issue:

• Do not trigger the automatic close of CDROM. (bsc#1084671)
• Try to automatically configure broken serial lines. (bsc#1175514)
• Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
• Build with `libudev` support to support non-root users. (bsc#1169006)
• Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for gcc7 fixes the following issues:

• Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939]

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

• Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for systemd fixes the following issues:

• Added a timestamp to the output of the busctl monitor command (bsc#1180225)
• Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
• Improved the caching of cgroups member mask (bsc#1175458)
• Fixed the dependency definition of sound.target (bsc#1179363)
• Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
• time-util: treat /etc/localtime missing as UTC (bsc#1141597)
• Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

This update for systemd fixes the following issues:

• Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
• Fix for an issue when container start causes interference in other containers. (bsc#1178775)

This update for lvm2 fixes the following issue:

• Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533)
• Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691)
• Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738)
• Fixed an issue when after storage migration major performance issues occurred on the system. (bsc#1179326)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for lvm2 fixes the following issues:

• lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)

This update for libselinux fixes the following issues:

• Corrected the license to public domain (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for gcc7 fixes the following issues:

• Fixed webkit2gtk3 build (bsc#1181618)
• Change GCC exception licenses to SPDX format
• Remove include-fixed/pthread.h

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
• iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

This update for openssl-1_1 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for glib2 fixes the following issues:

• CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

• CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for systemd-presets-common-SUSE fixes the following issues:

• Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
• Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer`
• Avoid needless refresh on boot. (bsc#1165780)

This update for gnutls fixes the following issues:

• CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
• CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

This update for zstd fixes the following issues:

• CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
• CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

This update for libunwind fixes the following issues:

• Update to version 1.5.0. (jsc#ECO-3395)
• Enable s390x for building. (jsc#ECO-3395)
• Fix compilation with 'fno-common'. (bsc#1171549)
• Fix build with 'GCC-10'. (bsc#1160876)

This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commands help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Add missing includes for GCC 11 compatibility.
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for openldap2 fixes the following issues:

• Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for mpfr fixes the following issues:

• Fixed an issue when building for ppc64le (bsc#1141190)

• A subtraction of two numbers of the same sign or addition of two numbers of different signs can be rounded incorrectly (and the ternary value can be incorrect) when one of the two inputs is reused as the output (destination) and all these MPFR numbers have exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines).
• The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or underflow.
• The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits of precision.
• The behavior and documentation of the mpfr_get_str function are inconsistent concerning the minimum precision (this is related to the change of the minimum precision from 2 to 1 in MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits in the output string can now be 1, as already implied by the documentation (but the code was increasing it to 2).
• The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null denominator.
• The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is useless, not documented (thus incorrect in case a null pointer would have a special meaning), and not consistent with other input/output functions.

This update for systemd-presets-common-SUSE fixes the following issues:

• Enabled hcn-init.service for HNV on POWER (bsc#1184136)

This update for e2fsprogs fixes the following issues:

• Fixed an issue when building e2fsprogs (bsc#1183791)

This update for systemd fixes the following issues:

• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

This update for libnettle fixes the following issues:

• CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

This update for systemd-presets-branding-SLE fixes the following issues:

• Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

This update for patterns-microos provides the following fix:

• Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for krb5 fixes the following issues:

• Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

This update for sed fixes the following issues:

• Fixed a building issue with glibc-2.31 (bsc#1183797).

This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19

• Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
• Fix memory leaks in error cases
• Fix error handling in `solv_xfopen_fd()`
• Fix regex code on win32
• fixed memory leak in choice rule generation
• `repo_add_conda`: add a flag to skip version 2 packages.

• Properly handle permission denied when providing optional files. (bsc#1185239)
• Fix service detection with `cgroupv2`. (bsc#1184997)
• Add missing includes for GCC 11. (bsc#1181874)
• Fix unsafe usage of static in media verifier.
• `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
• `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
• Do no cleanup in custom cache dirs. (bsc#1182936)
• `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

This update for openldap2 fixes the following issue:

• Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

This update for llvm7 and libqt5-qttools fixes the following issues:
libqt5-qttools:

• Use `libclang` instead of `clang`, now that `llvm7` moved the header files to `libclang` (bsc#1109367, bsc#1184920)

• Remove unneeded and unused dependencies: - groff, bison, flex, jsoncpp

• Devel packages are only required in other devel packages, when their headers are included in the installed headers.
• Skip a test that is broken with 387 FPU registers and avoids check failure on i586. (bsc#1145085)
• Link `libomp` with `atomic` if needed and fix build using gcc-4.8. (bsc#1145085)
• Make build of `gnustep-libobjc2` package reproducible. (bsc#1067478)
• Remove `-fno-strict-aliasing` which upstream doesn't use any more.
• Package `clang` builtin headers with `libclang`. (bsc#1109367)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for lz4 fixes the following issues:

• CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

This update for libxml2 fixes the following issues:

• CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
• Allow partial chain verification (jsc#SLE-17956).

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

This update for gcc fixes the following issues:

• Added gccgo symlink and go and gofmt as alternatives to support parallel installation of golang (bsc#1096677)

This update for gpg2 fixes the following issues:

• Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

This update for libnettle fixes the following issues:

• CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for systemd-presets-common-SUSE fixes the following issues:
When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, just system services. Now it enables also the user services installed before this package (bsc#1186561)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for openldap2 fixes the following issues:

• Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

This update for dbus-1 fixes the following issues:

• CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
• Skip udev rules if 'elevator=' is used (bsc#1184994)

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:

• CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
• If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
• Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
• Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
• Use unbuffered /dev/urandom for random data to prevent early startup performance issues

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This update for krb5 fixes the following issues:

• CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

This update for dbus-1 fixes the following issues:

• CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)

This update for openssl-1_1 fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for openldap2 fixes the following issue:

• openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

This update for openssl-1_1 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

This update for gcc fixes the following issues:

• With gcc-PIE add -pie even when -fPIC is specified but we are not linking a shared library. [bsc#1185348]
• Fix postun of gcc-go alternative.

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for c-ares fixes the following issue:

• Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores.

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
• Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
• Rules weren't applied to dm devices (multipath) (bsc#1188713).
• Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
• Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
• Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

This update for glibc fixes the following issues:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

The SUSE Linux Enterprise 15 SP2 kernel was updated.

The following security bugs were fixed:

• CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
• CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
• CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
• CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
• CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
• CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

• ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
• apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
• ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
• ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
• ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
• ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
• ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
• ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
• ath9k: fix sleeping in atomic context (git-fixes).
• blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
• blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
• blk-mq: mark if one queue map uses managed irq (bsc#1185762).
• Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
• bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
• bnxt_en: Add missing DMA memory barriers (git-fixes).
• bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
• bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
• bnxt_en: Store the running firmware version code (git-fixes).
• bnxt: count Tx drops (git-fixes).
• bnxt: disable napi before canceling DIM (git-fixes).
• bnxt: do not lock the tx queue from napi poll (git-fixes).
• bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
• btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
• clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
• clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
• console: consume APC, DM, DCS (git-fixes).
• cuse: fix broken release (bsc#1190596).
• cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
• debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
• devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
• dmaengine: ioat: depends on !UML (git-fixes).
• dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
• dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
• docs: Fix infiniband uverbs minor number (git-fixes).
• drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
• drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
• drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
• drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
• drm/amdgpu: Fix BUG_ON assert (git-fixes).
• drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
• drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
• drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
• e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
• e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
• EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
• EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
• erofs: fix up erofs_lookup tracepoint (git-fixes).
• fbmem: do not allow too huge resolutions (git-fixes).
• fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
• fpga: machxo2-spi: Return an error on failure (git-fixes).
• fuse: flush extending writes (bsc#1190595).
• fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
• genirq: add device_has_managed_msi_irq (bsc#1185762).
• gpio: uniphier: Fix void functions to remove return value (git-fixes).
• gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
• gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
• hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
• hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
• hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
• hwmon: (tmp421) fix rounding for negative values (git-fixes).
• hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
• i40e: Add additional info to PHY type error (git-fixes).
• i40e: Fix firmware LLDP agent related warning (git-fixes).
• i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
• i40e: Fix logic of disabling queues (git-fixes).
• i40e: Fix queue-to-TC mapping on Tx (git-fixes).
• iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
• iavf: Set RSS LUT and key in reset handle path (git-fixes).
• ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
• ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
• ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
• ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
• ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
• ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
• ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
• ice: Prevent probing virtual functions (git-fixes).
• iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
• include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
• iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
• ionic: cleanly release devlink instance (bsc#1167773).
• ionic: count csum_none when offload enabled (bsc#1167773).
• ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
• ipc/util.c: use binary search for max_idx (bsc#1159886).
• ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
• ipvs: avoid expiring many connections from timer (bsc#1190467).
• ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
• ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
• iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
• kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
• kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
• kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
• kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
• libata: fix ata_host_start() (git-fixes).
• mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
• mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
• mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
• mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
• mac80211: mesh: fix potentially unaligned access (git-fixes).
• media: cedrus: Fix SUNXI tile size calculation (git-fixes).
• media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
• media: dib8000: rewrite the init prbs logic (git-fixes).
• media: imx258: Limit the max analogue gain to 480 (git-fixes).
• media: imx258: Rectify mismatch of VTS value (git-fixes).
• media: rc-loopback: return number of emitters rather than error (git-fixes).
• media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
• media: uvc: do not do DMA on stack (git-fixes).
• media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
• mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
• mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
• mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
• mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
• mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
• mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
• mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
• net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
• net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
• net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
• net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
• net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
• net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
• net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
• net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
• net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
• net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
• net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
• net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
• net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
• net/mlx5: Fix flow table chaining (git-fixes).
• net/mlx5: Fix return value from tracer initialization (git-fixes).
• net/mlx5: Unload device upon firmware fatal error (git-fixes).
• net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
• net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
• net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
• netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
• nfp: update ethtool reporting of pauseframe control (git-fixes).
• NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
• NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
• NFS: pass cred explicitly for access tests (bsc#1190746).
• nvme: avoid race in shutdown namespace removal (bsc#1188067).
• nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
• parport: remove non-zero check on count (git-fixes).
• PCI: aardvark: Fix checking for PIO status (git-fixes).
• PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
• PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
• PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
• PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
• PCI: Add AMD GPU multi-function power dependencies (git-fixes).
• PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
• PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
• PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
• PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
• PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
• PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
• PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
• PM: EM: Increase energy calculation precision (git-fixes).
• power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
• power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
• powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
• powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
• powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
• powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
• powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
• powerpc/perf: Fix the check for SIAR value (bsc#1065729).
• powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
• powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
• powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
• powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
• powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
• powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
• powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
• pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
• pwm: img: Do not modify HW state in .remove() callback (git-fixes).
• pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
• pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
• qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
• RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
• Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
• regmap: fix page selection for noinc reads (git-fixes).
• regmap: fix page selection for noinc writes (git-fixes).
• regmap: fix the offset of register error log (git-fixes).
• Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
• rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
• rpm/kernel-binary.spec: Use only non-empty certificates.
• rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
• rtc: rx8010: select REGMAP_I2C (git-fixes).
• rtc: tps65910: Correct driver module alias (git-fixes).
• s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
• sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
• scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
• scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
• scsi: fc: Add EDC ELS definition (bsc#1190576).
• scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
• scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
• scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
• scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
• scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
• scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
• scsi: lpfc: Add EDC ELS support (bsc#1190576).
• scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
• scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
• scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
• scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
• scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
• scsi: lpfc: Add support for the CM framework (bsc#1190576).
• scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
• scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
• scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
• scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
• scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
• scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
• scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
• scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
• scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
• scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
• scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
• scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
• scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
• scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
• scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
• scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
• scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
• scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
• scsi: lpfc: Remove unneeded variable (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
• scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
• scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
• scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
• scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
• scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
• scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
• serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
• serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
• serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
• serial: sh-sci: fix break handling for sysrq (git-fixes).
• spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
• staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
• staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
• staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
• thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
• time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
• tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
• tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
• tty: synclink_gt, drop unneeded forward declarations (git-fixes).
• usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
• usb: core: hcd: Add support for deferring roothub registration (git-fixes).
• usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
• usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
• usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
• usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
• usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
• usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
• usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
• usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
• usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
• usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
• usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
• usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
• usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
• usb: serial: option: add Telit LN920 compositions (git-fixes).
• usb: serial: option: remove duplicate USB device ID (git-fixes).
• usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
• usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
• video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
• video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
• video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
• vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
• vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
• vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
• vmxnet3: prepare for version 6 changes (bsc#1190406).
• vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
• vmxnet3: set correct hash type based on rss information (bsc#1190406).
• vmxnet3: update to version 6 (bsc#1190406).
• watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
• x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
• x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
• x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
• x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
• x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
• x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
• xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
• xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
• xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
• xhci: Set HCD flag to defer primary roothub registration (git-fixes).

This update for krb5 fixes the following issues:

• CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
• agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
• mount: Fix 'mount' output for net file systems (bsc#1122417).
• ipcs: Avoid overflows (bsc#1178236)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for binutils fixes the following issues:
Update to binutils 2.37:

• The GNU Binutils sources now requires a C99 compiler and library to build.
• Support for Realm Management Extension (RME) for AArch64 has been added.
• A new linker option '-z report-relative-reloc' for x86 ELF targets has been added to report dynamic relative relocations.
• A new linker option '-z start-stop-gc' has been added to disable special treatment of __start_*/__stop_* references when --gc-sections.
• A new linker options '-Bno-symbolic' has been added which will cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
• The readelf tool has a new command line option which can be used to specify how the numeric values of symbols are reported. --sym-base=0|8|10|16 tells readelf to display the values in base 8, base 10 or base 16. A sym base of 0 represents the default action of displaying values under 10000 in base 10 and values above that in base 16.
• A new format has been added to the nm program. Specifying '--format=just-symbols' (or just using -j) will tell the program to only display symbol names and nothing else.
• A new command line option '--keep-section-symbols' has been added to objcopy and strip. This stops the removal of unused section symbols when the file is copied. Removing these symbols saves space, but sometimes they are needed by other tools.
• The '--weaken', '--weaken-symbol' and '--weaken-symbols' options supported by objcopy now make undefined symbols weak on targets that support weak symbols.
• Readelf and objdump can now display and use the contents of .debug_sup sections.
• Readelf and objdump will now follow links to separate debug info files by default. This behaviour can be stopped via the use of the new '-wN' or '--debug-dump=no-follow-links' options for readelf and the '-WN' or '--dwarf=no-follow-links' options for objdump. Also the old behaviour can be restored by the use of the '--enable-follow-debug-links=no' configure time option.

• Nm has a new command line option: '--quiet'. This suppresses 'no symbols' diagnostic.

• General:

• X86/x86_64:

• ARM/AArch64: