Container summary for

SUSE-CU-2023:3916-1

This update for libzypp fixes the following issues:

• RepoManager: remember execution errors in exception history (bsc#1193007)
• Fix exception handling when reading or writing credentials (bsc#1194898)
• Fix install path for parser (bsc#1194597)
• Fix Legacy include (bsc#1194597)
• Public header files on older distros must use c++11 (bsc#1194597)

This update for libzypp, zypper fixes the following issues:

• Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

This update for coreutils fixes the following issues:

• Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
• Properly sort docs and license files (bsc#1082318).

This update for systemd fixes the following issues:

• systemctl: exit with 1 if no unit files found (bsc#1193841).
• add rules for virtual devices (bsc#1193759).
• enforce 'none' for loop devices (bsc#1193759).

This update for yast2-network fixes the following issues:

• Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

This update for openldap2 fixes the following issue:

• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

glibc was updated to fix the following issues:
Security issues fixed:

• CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
• CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
• CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

• Fix pthread_rwlock_try*lock stalls (bsc#1195560)

This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server

• Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
• Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

• Enable syscallfilter unconditionally [bsc#1181826].

• By default we don't write log files but log to journald, so only recommend logrotate.

• Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

• Add support for more accurate reading of PHC on Linux 5.0
• Add support for hardware timestamping on interfaces with read-only timestamping configuration
• Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
• Update seccomp filter to work on more architectures
• Validate refclock driver options
• Fix bindaddress directive on FreeBSD
• Fix transposition of hardware RX timestamp on Linux 4.13 and later
• Fix building on non-glibc systems

• Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

• Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

This update for openssl-1_1 fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for libtirpc fixes the following issues:

• Fix memory leak in client protocol version 2 code (bsc#1193805)

This update for openldap2 fixes the following issue:

• Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for systemd fixes the following issues:

• allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for openldap2 fixes the following issues:
Security:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• basic/env-util: Allow newlines in values of environment variables
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
• shared/install: fix error codes returned by install_context_apply()
• shared/install: ignore failures for auxiliary files
• systemctl: suppress enable/disable messages when `-q` is given
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
• CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).
• CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).
• CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

This update for gnutls fixes the following issues:

• CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).
• CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680).

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for cyrus-sasl fixes the following issues:

• CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)

This update for aaa_base and iputils fixes the following issues:
aaa_base:

• Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
• The wrapper rootsh is not a restricted shell (bsc#1199492)

• Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

This update for util-linux fixes the following issues:

• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).
• CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).

This update for permissions fixes the following issues:

• mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for libzypp, zypper fixes the following issues:

• Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
• multicurl: propagate ssl settings stored in repo url (bsc#1127591)
• MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Teach MediaNetwork to retry on HTTP2 errors.
• Fix selecting installed patterns from picklist (bsc#1209406)
• man: better explanation of --priority

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for libzypp fixes the following issues:

• Do not unconditionally release a medium if provideFile failed (bsc#1211661)
• libzypp.spec.cmake: remove duplicate file listing
• Update to version 17.31.12 (22)

This update for libzypp fixes the following issue:

• Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

• Update further expiring certificates that affect tests [bsc#1201627] * Add openssl-Update-further-expiring-certificates.patch

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for libzypp, zypper fixes the following issues:
libzypp was updated to version 17.31.14 (22):

• build: honor libproxy.pc's includedir (bsc#1212222)
• Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.

• targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
• targetos: Update help and man page (bsc#1211261)

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for util-linux fixes the following issues:

• Fix memory leak on parse errors in libmount. (bsc#1193015)

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

This update for openssl-1_1 fixes the following issues:

• Dont pass zero length input to EVP_Cipher (bsc#1213517)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for libzypp, zypper fixes the following issues:

• Fix occasional isue with downloading very small files (bsc#1213673)
• Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
• Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
• Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
• Revised explanation of --force-resolution in man page (bsc#1213557)
• Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
• CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
• CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
• CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
• CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
• CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update for zypper fixes the following issues:

• Fix name of the bash completion script (bsc#1215007)
• Update notes about failing signature checks (bsc#1214395)
• Improve the SIGINT handler to be signal safe (bsc#1214292)
• Update to version 1.14.64
• Changed location of bash completion script (bsc#1213854).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
• Run vismain only if linker supports protected data symbol (bsc#1215505)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update for util-linux fixes the following issues:

• CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

This update for libzypp, zypper fixes the following issues:

• Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
• Fix comment typo on zypp.conf (bsc#1215979)
• Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
• Make sure the old target is deleted before a new one is created (bsc#1203760)
• Return 104 also if info suggests near matches
• Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
• commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

SUSE-CU-2022:71-1

This update for util-linux fixes the following issue:

• Do not trigger the automatic close of CDROM. (bsc#1084671)
• Try to automatically configure broken serial lines. (bsc#1175514)
• Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
• Build with `libudev` support to support non-root users. (bsc#1169006)
• Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

• Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for systemd fixes the following issues:

• Added a timestamp to the output of the busctl monitor command (bsc#1180225)
• Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
• Improved the caching of cgroups member mask (bsc#1175458)
• Fixed the dependency definition of sound.target (bsc#1179363)
• Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
• time-util: treat /etc/localtime missing as UTC (bsc#1141597)
• Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

This update for systemd fixes the following issues:

• Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
• Fix for an issue when container start causes interference in other containers. (bsc#1178775)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)

This update for libselinux fixes the following issues:

• Corrected the license to public domain (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
• iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

This update for openssl-1_1 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for glib2 fixes the following issues:

• CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

• CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for gnutls fixes the following issues:

• CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
• CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

This update for zstd fixes the following issues:

• CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
• CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commands help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Add missing includes for GCC 11 compatibility.
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for openldap2 fixes the following issues:

• Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for e2fsprogs fixes the following issues:

• Fixed an issue when building e2fsprogs (bsc#1183791)

This update for systemd fixes the following issues:

• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

This update for libnettle fixes the following issues:

• CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

This update for patterns-microos provides the following fix:

• Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for krb5 fixes the following issues:

• Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

This update for sed fixes the following issues:

• Fixed a building issue with glibc-2.31 (bsc#1183797).

This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19

• Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
• Fix memory leaks in error cases
• Fix error handling in `solv_xfopen_fd()`
• Fix regex code on win32
• fixed memory leak in choice rule generation
• `repo_add_conda`: add a flag to skip version 2 packages.

• Properly handle permission denied when providing optional files. (bsc#1185239)
• Fix service detection with `cgroupv2`. (bsc#1184997)
• Add missing includes for GCC 11. (bsc#1181874)
• Fix unsafe usage of static in media verifier.
• `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
• `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
• Do no cleanup in custom cache dirs. (bsc#1182936)
• `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

This update for openldap2 fixes the following issue:

• Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for lz4 fixes the following issues:

• CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

This update for libxml2 fixes the following issues:

• CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
• Allow partial chain verification (jsc#SLE-17956).

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

This update for gpg2 fixes the following issues:

• Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

This update for libnettle fixes the following issues:

• CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for openldap2 fixes the following issues:

• Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
• Skip udev rules if 'elevator=' is used (bsc#1184994)

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This update for krb5 fixes the following issues:

• CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

This update for openssl-1_1 fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for openldap2 fixes the following issue:

• openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

This update for openssl-1_1 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
• Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
• Rules weren't applied to dm devices (multipath) (bsc#1188713).
• Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
• Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
• Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

This update for glibc fixes the following issues:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

This update for krb5 fixes the following issues:

• CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
• agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
• mount: Fix 'mount' output for net file systems (bsc#1122417).
• ipcs: Avoid overflows (bsc#1178236)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for zypper fixes the following issues:

• Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
• Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
• Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
• Protect against strict/relaxed user umask via sudo. (bsc#1183589)
• xml summary: Add solvables repository alias. (bsc#1182372)
• Allow trusted repos to add additional signing keys. (bsc#1184326)
• MediaCurl: Fix logging of redirects.
• Let negative values wait forever for the zypp lock. (bsc#1184399)
• Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
• Fix service detection with cgroupv2. (bsc#1184997)
• Add hints to 'trust GPG key' prompt.
• Enhance XML output of repo GPG options
• Add optional attributes showing the raw values actually present in the '.repo' file.
• Link all executables with -pie (bsc#1186447)
• Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
• Fix solver jobs for PTFs. (bsc#1186503)
• choice rules: treat orphaned packages as newest. (bc#1190465)
• Add need reboot/restart hint to XML install summary. (bsc#1188435)
• Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
• Fix obs:// platform guessing for Leap. (bsc#1187425)
• Fix purge-kernels fails. (bsc#1187738)
• Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
• Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
• Do not check of signatures and keys two times(redundant). (bsc#1190059)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Show key fpr from signature when signature check fails. (bsc#1187224)
• Make sure to keep states alives while transitioning. (bsc#1190199)
• Fix crashes in logging code when shutting down. (bsc#1189031)
• Manpage: Improve description about patch updates. (bsc#1187466)
• Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
• Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
• Disable logger in the child after fork (bsc#1192436)
• Check log writer before accessing it (bsc#1192337)
• Allow uname-r format in purge kernels keepspec
• zypper should keep cached files if transaction is aborted (bsc#1190356)
• Require a minimum number of mirrors for multicurl (bsc#1191609)
• Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
• Fix translations (bsc#1191370)
• RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for systemd fixes the following issues:

• Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
• Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
• shutdown: Reduce log level of unmounts (bsc#1191252)
• pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
• core: rework how we connect to the bus (bsc#1190325)
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• virt: detect Amazon EC2 Nitro instance (bsc#1190440)
• Several fixes for umount
• busctl: use usec granularity for the timestamp printed by the busctl monitor command
• fix unitialized fields in MountPoint in dm_list_get()
• shutdown: explicitly set a log target
• mount-util: add mount_option_mangle()
• dissect: automatically mark partitions read-only that have a read-only file system
• build-sys: require proper libmount version
• systemd-shutdown: use log_set_prohibit_ipc(true)
• rationalize interface for opening/closing logging
• pid1: when we can't log to journal, remember our fallback log target
• log: remove LOG_TARGET_SAFE pseudo log target
• log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
• log: add new 'prohibit_ipc' flag to logging system
• log: make log_set_upgrade_syslog_to_journal() take effect immediately
• dbus: split up bus_done() into seperate functions
• machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
• virt: if we detect Xen by DMI, trust that over CPUID

This update for glibc fixes the following issues:

• libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
• CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for aaa_base fixes the following issues:

• Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
• Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
• Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
• Support xz compressed kernel (bsc#1162581)

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for openssl-1_1 fixes the following issues:

• Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995)

This update for systemd fixes the following issues:

• Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates

This update for p11-kit fixes the following issues:

• CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

This update for libzypp fixes the following issues:

• Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
• Fix wrong encoding of URI compontents of ISO images (bsc#954813)
• When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
• Introduce zypp-curl as a sublibrary for CURL related code
• zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
• Save all signatures associated with a public key in its PublicKeyData

SUSE-CU-2020:780-1

This update for glibc fixes the following issues:

• Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
• Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

This update for util-linux fixes the following issues:

• blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
• nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
• Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
• mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)

This update for ca-certificates-mozilla fixes the following issues:
update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017

• reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

This update for e2fsprogs fixes the following issues:

• Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

This update for systemd fixes the following issues:

• Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages.
• vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
• fix infinite timeout. (bsc#1158336)
• bpf: mount bpffs by default on boot. (bsc#1146991)
• man: explain precedence for options which take a list.
• man: unify titling, fix description of precedence in sysusers.d(5)
• udev-event: fix timeout log messages.

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for curl fixes the following issues:

• An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

This update for openldap2 fixes the following issues:

• bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125.

This update for libxml2 fixes the following issues:

• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for krb5 fixes the following issue:

• Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

This update for openldap2 fixes the following issues:

• CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

This update for libzypp, zypper provides the following fixes:
Changes in libzypp:

• VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
• Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
• Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
• Make sure reading from lsof does not block forever. (bsc#1174240)
• Just collect details for the signatures found.

• man: Enhance description of the global package cache. (bsc#1175592)
• man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
• Directly list subcommands in 'zypper help'. (bsc#1165424)
• Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
• Point out that plaindir repos do not follow symlinks. (bsc#1174561)
• Fix help command for list-patches.

This update for permissions fixes the following issues:

• whitelist WMP (bsc#1161335, bsc#1176625)

This update for aaa_base fixes the following issues:

• DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS
• check for Packages.db and use this instead of Packages. (bsc#1171762)
• Rename path() to _path() to avoid using a general name.
• refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
• etc/profile add some missing ;; in case esac statements
• profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
• backup-rpmdb: exit if zypper is running (bsc#1161239)
• Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

This update for libproxy fixes the following issues:

• CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
• CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:

• bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

• CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain.
• CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
• CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
• CVE-2018-5741: Fixed the documentation (bsc#1109160).
• CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
• CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
• CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
• CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
• CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
• CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
• CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

• Add engine support to OpenSSL EdDSA implementation.
• Add engine support to OpenSSL ECDSA implementation.
• Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
• Warn about AXFR streams with inconsistent message IDs.
• Make ISC rwlock implementation the default again.
• Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
• Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
• Fixed an issue where bind was not working in FIPS mode (bsc#906079).
• Fixed dependency issues (bsc#1118367 and bsc#1118368).
• GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
• Fixed an issue with FIPS (bsc#1128220).
• The liblwres library is discontinued upstream and is no longer included.
• Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
• Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
• The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
• Zone timers are now exported via statistics channel.
• The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
• 'rndc dnstap -roll ' did not limit the number of saved files to .
• Add 'rndc dnssec -status' command.
• Addressed a couple of situations where named could crash.
• Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]
• Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
• Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
• /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
• Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
• Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for gnutls fixes the following issues:

• Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
• FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
• FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
• FIPS: Add TLS KDF selftest (bsc#1176671)

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:

• When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
• Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched.
• RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435)
• VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918)
• Update docs regarding 'opensuse' namepace matching.
• Link against libzstd to close libsolvs open references (as we link statically)

• The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency.

• info: Assume descriptions starting with '

  ' are richtext (bsc#935885)

• help: prevent 'whatis' from writing to stderr (bsc#1176712)
• wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)

• make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
• fix deduceq2addedmap clearing bits outside of the map
• conda: feature depriorization first
• conda: fix startswith implementation
• move find_update_seeds() call in cleandeps calculation
• set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
• new testcase_mangle_repo_names() function
• new solv_fmemopen() function

This update for systemd fixes the following issues:

• seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
• test-seccomp: log function names
• test-seccomp: add log messages when skipping tests
• basic/virt: Detect PowerVM hypervisor (bsc#1176800)
• fs-util: suppress world-writable warnings if we read /dev/null
• udevadm: rename option '--log-priority' into '--log-level'
• udev: rename kernel option 'log_priority' into 'log_level'
• fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
• Fix memory protection default (bsc#1167471)
• cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
• Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

This update for libsolv, libzypp, zypper fixes the following issues:
libzypp was updated to version 17.25.1:

• Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot.
• Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched.
• RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435)
• VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918)
• Update docs regarding 'opensuse' namepace matching.
• New solver testcase format.
• Link against libzsd to close libsolvs open references (as we link statically)

• info: Assume descriptions starting with '

  ' are richtext (bsc#935885)

• Use new testcase API in libzypp.
• BuildRequires: libzypp-devel >= 17.25.0.
• help: prevent 'whatis' from writing to stderr (bsc#1176712)
• wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)

• do not ask the namespace callback for splitprovides when writing a testcase
• fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
• improve choicerule generation so that package updates are prefered in more cases
• make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
• fix deduceq2addedmap clearing bits outside of the map
• conda: feature depriorization first
• conda: fix startswith implementation
• move find_update_seeds() call in cleandeps calculation
• set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
• new testcase_mangle_repo_names() function
• new solv_fmemopen() function

This update for findutils fixes the following issues:

• Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

This update for openldap2 fixes the following issues:

• CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

This update for krb5 fixes the following security issue:

• CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

This update for systemd fixes the following issues:

• build-sys: optionally disable support of journal over the network (bsc#1177458)
• ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
• mount: don't propagate errors from mount_setup_unit() further up
• Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
• Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
• Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
• Make use of %{_unitdir} and %{_sysusersdir}
• Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for gnutls fixes the following issue:

• Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

This update for openssl-1_1 fixes the following issues:
This update backports various bugfixes for FIPS:

• Restore private key check in EC_KEY_check_key [bsc#1177479]
• Add shared secret KAT to FIPS DH selftest [bsc#1175847]
• Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847]
• Fix locking issue uncovered by python testsuite (bsc#1166848)
• Fix the sequence of locking operations in FIPS mode [bsc#1165534]
• Fix deadlock in FIPS rand code (bsc#1165281)
• Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
• Fix FIPS DRBG without derivation function (bsc#1161198)
• Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)
• Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499)

• Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt='' (bsc#1160158)

This update for glib2 fixes the following issues:

• Add support for slim format of timezone. (bsc#1178346)
• Fix DST incorrect end day when using slim format. (bsc#1178346)

This update for libusb-1_0 fixes the following issues:

• Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for aaa_base fixes the following issue:

• Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

This update for openssl-1_1 fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for curl fixes the following issues:

• CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
• CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
• CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

SUSE-CU-2020:388-1

This update for glib2 fixes the following issues:
Security issues fixed:

• CVE-2018-16428: Do not do a NULL pointer dereference (crash). Avoid that, at the cost of introducing a new translatable error message (bsc#1107121).
• CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

• various GVariant parsing issues have been resolved (bsc#1111499)

This update for glib2 provides the following fix:

• Enable systemtap. (fate#326393, bsc#1090047)

This update for glib2 fixes the following issues:
Security issue fixed:

• CVE-2019-12450: Fixed an improper file permission when copy operation takes place (bsc#1137001).

• glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there was a connection thus giving false positives to PackageKit (bsc#1103678)

This update for glib2 fixes the following issues:
Security issue fixed:

• CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

This update for audit fixes the following issues:

• Fix hang on startup. (bsc#1156159)
• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

This update for gnutls fixes the following issues:

• CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
• Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461).

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:

• Fix solvable swapping messing up idarrays
• fix ruleinfo of complex dependencies returning the wrong origin

• Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only.
• remove 'using namespace std;' (bsc#1166610, fixes #218)
• Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
• Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
• RepoVariables: Add safe guard in case the caller does not own a zypp instance.
• Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
• Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
• Log patch status changes to history (jsc#SLE-5116)
• Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
• update translations
• boost: Fix deprecated auto_unit_test.hpp includes.
• Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
• Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
• yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it.
• Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
• RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
• RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro).
• Remove legacy rpmV3database conversion code.
• Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
• Remove undocumented rug legacy stuff.
• Remove 'using namespace std;' (bsc#1166610)
• patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

• Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
• Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
• Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543)
• Correctly detect ambigous switch abbreviations (bsc#1165573)
• zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
• Do not allow the abbreviation of cli arguments (bsc#1164543)
• accoring to according in all translation files.
• Always show exception history if available.
• Use default package cache location for temporary repos (bsc#1130873)

This update for zypper fixes the following issues:

• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed a bad warning in features.ph (bsc#1172348).

This update for krb5 fixes the following issue:

• Call systemd to reload the services instead of init-scripts. (bsc#1169357)

This update for systemd fixes the following issues:

• Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

This update for zstd fixes the following issues:

• Fix for build error caused by wrong static libraries. (bsc#1133297)
• Correction in spec file marking the license as documentation. (bsc#1082318)
• Add new package for SLE-15. (jsc#ECO-1886)

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update for permissions fixes the following issues:

• Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.14:

• Enable zstd compression support
• Support blacklisted packages in solver_findproblemrule() (bnc#1172135)
• Support rules with multiple negative literals in choice rule generation
• Fix solvable swapping messing up idarrays
• fix ruleinfo of complex dependencies returning the wrong origin

• Enable zchunk metadata download if libsolv supports it.
• Older kernel-devel packages are not properly purged (bsc#1171224)
• doc: enhance service plugin example.
• Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only.
• remove 'using namespace std;' (bsc#1166610, fixes #218)
• Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
• Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
• RepoVariables: Add safe guard in case the caller does not own a zypp instance.
• Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
• Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
• Log patch status changes to history (jsc#SLE-5116)
• Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
• boost: Fix deprecated auto_unit_test.hpp includes.
• Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
• Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
• yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it.
• Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
• RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
• RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro).
• Remove legacy rpmV3database conversion code.
• Fix core dump with corrupted history file (bsc#1170801)

• Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
• Remove undocumented rug legacy stuff.
• Remove 'using namespace std;' (bsc#1166610)
• patch table: Add 'Since' column if history data are available (jsc#SLE-5116)
• Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
• Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
• Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543)
• Correctly detect ambigous switch abbreviations (bsc#1165573)
• zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
• Do not allow the abbreviation of cli arguments (bsc#1164543)
• accoring to according in all translation files.
• Always show exception history if available.
• Use default package cache location for temporary repos (bsc#1130873)
• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)