Container summary for

SUSE-CU-2023:1338-1

This update for libzypp fixes the following issues:

• RepoManager: remember execution errors in exception history (bsc#1193007)
• Fix exception handling when reading or writing credentials (bsc#1194898)
• Fix install path for parser (bsc#1194597)
• Fix Legacy include (bsc#1194597)
• Public header files on older distros must use c++11 (bsc#1194597)

This update for libzypp, zypper fixes the following issues:

• Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

This update for coreutils fixes the following issues:

• Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
• Properly sort docs and license files (bsc#1082318).

This update for systemd fixes the following issues:

• systemctl: exit with 1 if no unit files found (bsc#1193841).
• add rules for virtual devices (bsc#1193759).
• enforce 'none' for loop devices (bsc#1193759).

This update for yast2-network fixes the following issues:

• Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

This update for openldap2 fixes the following issue:

• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

glibc was updated to fix the following issues:
Security issues fixed:

• CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
• CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
• CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

• Fix pthread_rwlock_try*lock stalls (bsc#1195560)

This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server

• Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
• Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

• Enable syscallfilter unconditionally [bsc#1181826].

• By default we don't write log files but log to journald, so only recommend logrotate.

• Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

• Add support for more accurate reading of PHC on Linux 5.0
• Add support for hardware timestamping on interfaces with read-only timestamping configuration
• Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
• Update seccomp filter to work on more architectures
• Validate refclock driver options
• Fix bindaddress directive on FreeBSD
• Fix transposition of hardware RX timestamp on Linux 4.13 and later
• Fix building on non-glibc systems

• Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

• Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

This update for openssl-1_1 fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for libtirpc fixes the following issues:

• Fix memory leak in client protocol version 2 code (bsc#1193805)

This update for openldap2 fixes the following issue:

• Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for systemd fixes the following issues:

• allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for openldap2 fixes the following issues:
Security:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• basic/env-util: Allow newlines in values of environment variables
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
• shared/install: fix error codes returned by install_context_apply()
• shared/install: ignore failures for auxiliary files
• systemctl: suppress enable/disable messages when `-q` is given
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
• CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).
• CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).
• CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

This update for gnutls fixes the following issues:

• CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).
• CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680).

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for cyrus-sasl fixes the following issues:

• CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)

This update for aaa_base and iputils fixes the following issues:
aaa_base:

• Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
• The wrapper rootsh is not a restricted shell (bsc#1199492)

• Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

This update for util-linux fixes the following issues:

• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

This update for helm fixes the following issues:

• CVE-2022-23525: Fixed denial of service through repository index file (bsc#1206469).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).
• CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).

This update for permissions fixes the following issues:

• mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)

This update for helm fixes the following issues:

• CVE-2022-1996: Fixed a bug that could lead to CORS bypass in go-restful. (bsc#1200528)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

SUSE-CU-2022:79-1

This update for util-linux fixes the following issue:

• Do not trigger the automatic close of CDROM. (bsc#1084671)
• Try to automatically configure broken serial lines. (bsc#1175514)
• Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
• Build with `libudev` support to support non-root users. (bsc#1169006)
• Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

• Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for systemd fixes the following issues:

• Added a timestamp to the output of the busctl monitor command (bsc#1180225)
• Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
• Improved the caching of cgroups member mask (bsc#1175458)
• Fixed the dependency definition of sound.target (bsc#1179363)
• Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
• time-util: treat /etc/localtime missing as UTC (bsc#1141597)
• Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

This update for systemd fixes the following issues:

• Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
• Fix for an issue when container start causes interference in other containers. (bsc#1178775)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)

This update for libselinux fixes the following issues:

• Corrected the license to public domain (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
• iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

This update for openssl-1_1 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for glib2 fixes the following issues:

• CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

• CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for gnutls fixes the following issues:

• CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
• CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

This update for zstd fixes the following issues:

• CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
• CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:

• doc: give more details about creating versioned package locks (bsc#1181622)
• man: Document synonymously used patch categories (bsc#1179847)
• Fix source-download commands help (bsc#1180663)
• man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
• Extend apt packagemap (fixes #366)
• --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
• Prefer /run over /var/run.

• Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
• Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
• Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
• Add missing includes for GCC 11 compatibility.
• Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'.
• Commit: Fix rpmdb compat symlink in case rpm got removed.
• Repo: Allow multiple baseurls specified on one line (fixes #285)
• Regex: Fix memory leak and undefined behavior.
• Add rpm buildrequires for test suite (fixes #279)
• Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use.
• CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
• RepoManager: Force refresh if repo url has changed (bsc#1174016)
• RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
• RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
• RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
• Fixed update of gpg keys with elongated expire date (bsc#1179222)
• needreboot: remove udev from the list (bsc#1179083)
• Fix lsof monitoring (bsc#1179909)
• Rephrase solver problem descriptions (jsc#SLE-8482)
• Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
• Multicurl backend breaks with with unknown filesize (fixes #277)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for openldap2 fixes the following issues:

• Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for e2fsprogs fixes the following issues:

• Fixed an issue when building e2fsprogs (bsc#1183791)

This update for systemd fixes the following issues:

• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

This update for libnettle fixes the following issues:

• CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

This update for patterns-microos provides the following fix:

• Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for krb5 fixes the following issues:

• Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

This update for sed fixes the following issues:

• Fixed a building issue with glibc-2.31 (bsc#1183797).

This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19

• Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
• Fix memory leaks in error cases
• Fix error handling in `solv_xfopen_fd()`
• Fix regex code on win32
• fixed memory leak in choice rule generation
• `repo_add_conda`: add a flag to skip version 2 packages.

• Properly handle permission denied when providing optional files. (bsc#1185239)
• Fix service detection with `cgroupv2`. (bsc#1184997)
• Add missing includes for GCC 11. (bsc#1181874)
• Fix unsafe usage of static in media verifier.
• `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
• `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
• Do no cleanup in custom cache dirs. (bsc#1182936)
• `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

This update for openldap2 fixes the following issue:

• Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for lz4 fixes the following issues:

• CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

This update for libxml2 fixes the following issues:

• CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
• Allow partial chain verification (jsc#SLE-17956).

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

This update for gpg2 fixes the following issues:

• Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

This update for libnettle fixes the following issues:

• CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for openldap2 fixes the following issues:

• Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
• Skip udev rules if 'elevator=' is used (bsc#1184994)

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This update for krb5 fixes the following issues:

• CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

This update for openssl-1_1 fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for openldap2 fixes the following issue:

• openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

This update for openssl-1_1 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

This update for netcfg fixes the following issues:

• add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for systemd fixes the following issues:

• CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
• Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
• Rules weren't applied to dm devices (multipath) (bsc#1188713).
• Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
• Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
• Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

This update for glibc fixes the following issues:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

This update for krb5 fixes the following issues:

• CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
• agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
• mount: Fix 'mount' output for net file systems (bsc#1122417).
• ipcs: Avoid overflows (bsc#1178236)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for zypper fixes the following issues:

• Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
• Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
• Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
• Protect against strict/relaxed user umask via sudo. (bsc#1183589)
• xml summary: Add solvables repository alias. (bsc#1182372)
• Allow trusted repos to add additional signing keys. (bsc#1184326)
• MediaCurl: Fix logging of redirects.
• Let negative values wait forever for the zypp lock. (bsc#1184399)
• Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
• Fix service detection with cgroupv2. (bsc#1184997)
• Add hints to 'trust GPG key' prompt.
• Enhance XML output of repo GPG options
• Add optional attributes showing the raw values actually present in the '.repo' file.
• Link all executables with -pie (bsc#1186447)
• Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
• Fix solver jobs for PTFs. (bsc#1186503)
• choice rules: treat orphaned packages as newest. (bc#1190465)
• Add need reboot/restart hint to XML install summary. (bsc#1188435)
• Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
• Fix obs:// platform guessing for Leap. (bsc#1187425)
• Fix purge-kernels fails. (bsc#1187738)
• Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
• Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
• Do not check of signatures and keys two times(redundant). (bsc#1190059)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Show key fpr from signature when signature check fails. (bsc#1187224)
• Make sure to keep states alives while transitioning. (bsc#1190199)
• Fix crashes in logging code when shutting down. (bsc#1189031)
• Manpage: Improve description about patch updates. (bsc#1187466)
• Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
• Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
• Disable logger in the child after fork (bsc#1192436)
• Check log writer before accessing it (bsc#1192337)
• Allow uname-r format in purge kernels keepspec
• zypper should keep cached files if transaction is aborted (bsc#1190356)
• Require a minimum number of mirrors for multicurl (bsc#1191609)
• Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
• Fix translations (bsc#1191370)
• RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for systemd fixes the following issues:

• Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
• Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
• shutdown: Reduce log level of unmounts (bsc#1191252)
• pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
• core: rework how we connect to the bus (bsc#1190325)
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• virt: detect Amazon EC2 Nitro instance (bsc#1190440)
• Several fixes for umount
• busctl: use usec granularity for the timestamp printed by the busctl monitor command
• fix unitialized fields in MountPoint in dm_list_get()
• shutdown: explicitly set a log target
• mount-util: add mount_option_mangle()
• dissect: automatically mark partitions read-only that have a read-only file system
• build-sys: require proper libmount version
• systemd-shutdown: use log_set_prohibit_ipc(true)
• rationalize interface for opening/closing logging
• pid1: when we can't log to journal, remember our fallback log target
• log: remove LOG_TARGET_SAFE pseudo log target
• log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
• log: add new 'prohibit_ipc' flag to logging system
• log: make log_set_upgrade_syslog_to_journal() take effect immediately
• dbus: split up bus_done() into seperate functions
• machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
• virt: if we detect Xen by DMI, trust that over CPUID

This update for glibc fixes the following issues:

• libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
• CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for aaa_base fixes the following issues:

• Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
• Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
• Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
• Support xz compressed kernel (bsc#1162581)

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for openssl-1_1 fixes the following issues:

• Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995)

This update for systemd fixes the following issues:

• Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates

This update for p11-kit fixes the following issues:

• CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

This update for libzypp fixes the following issues:

• Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
• Fix wrong encoding of URI compontents of ISO images (bsc#954813)
• When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
• Introduce zypp-curl as a sublibrary for CURL related code
• zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
• Save all signatures associated with a public key in its PublicKeyData

SUSE-CU-2020:788-1

This update for glib2 fixes the following issues:
Security issues fixed:

• CVE-2018-16428: Do not do a NULL pointer dereference (crash). Avoid that, at the cost of introducing a new translatable error message (bsc#1107121).
• CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

• various GVariant parsing issues have been resolved (bsc#1111499)

This update for glib2 provides the following fix:

• Enable systemtap. (fate#326393, bsc#1090047)

This update for glib2 fixes the following issues:
Security issue fixed:

• CVE-2019-12450: Fixed an improper file permission when copy operation takes place (bsc#1137001).

• glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there was a connection thus giving false positives to PackageKit (bsc#1103678)

This update for glib2 fixes the following issues:
Security issue fixed:

• CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for aaa_base fixes the following issues:

• Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
• Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

• Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
• Fixed Hardware support in toolchain (bsc#1151582).
• Fixed syscalls during early process initialization (SLE-8348).
• Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
• Moved to posix_spawn on popen (bsc#1149332).

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

This update for p11-kit fixes the following issues:

• Also build documentation (bsc#1013125)

This update for systemd fixes the following issues:

• CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

• Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)

• libblkid: open device in nonblock mode. (bsc#1084671)
• udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
• bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)
• fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
• fileio: initialize errno to zero before we do fread()
• fileio: try to read one byte too much in read_full_stream()
• logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
• logind: never elect a session that is stopping as display

• journal: include kmsg lines from the systemd process which exec()d us (#8078)
• udevd: don't use monitor after manager_exit()
• udevd: capitalize log messages in on_sigchld()
• udevd: merge conditions to decrease indentation
• Revert 'udevd: fix crash when workers time out after exit is signal caught'
• core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
• udevd: fix crash when workers time out after exit is signal caught
• udevd: wait for workers to finish when exiting (bsc#1106383)

• Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457)

• networkd: VXLan Make group and remote variable separate (bsc#1156213)
• networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
• fs-util: let's avoid unnecessary strerror()
• fs-util: introduce inotify_add_watch_and_warn() helper
• ask-password: improve log message when inotify limit is reached (bsc#1155574)
• shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
• man: alias names can't be used with enable command (bsc#1151377)

• Add boot option to not use swap at system start (jsc#SLE-7689)

• Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

This update for openldap2 provides the following fix:

• Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

• CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

• Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
• Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
• Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).
• Load only target resolvables for zypper rm (bsc#1157377).
• Fix broken search by filelist (bsc#1135114).
• Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
• Do not sort out requested locales which are not available (bsc#1155678).
• Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
• XML add patch issue-date and issue-list (bsc#1154805).
• Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
• Always execute commit when adding/removing locales (fixes bsc#1155205).
• Fix description of --table-style,-s in man page (bsc#1154804).

This update for libgcrypt fixes the following issues:

• ECDSA: Check range of coordinates (bsc#1161216)
• FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
• FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
• FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
• FIPS: keywrap gives incorrect results [bsc#1161218]
• FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

This update for perl fixes the following issues:

• Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

This update for aaa_base fixes the following issues:

• Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for permissions fixes the following issues:
Security issues fixed:

• CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
• CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

• Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
• Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

This update for cyrus-sasl fixes the following issues:

• Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
• Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

This update for ca-certificates-mozilla to 2.40 fixes the following issues:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:

• Certplus Class 2 Primary CA
• Deutsche Telekom Root CA 2
• CN=Swisscom Root CA 2
• UTN-USERFirst-Client Authentication and Email

• Entrust Root Certification Authority - G4

This update for libgcrypt fixes the following issues:

• FIPS: Run the self-tests from the constructor [bsc#1164950]

This update for aaa_base fixes the following issues:

• get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
• added '-h'/'--help' to the command old
• change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

This update for glibc fixes the following issues:

• CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
• Fixed an issue where pthread were not always locked correctly (bsc#1164505).
• Document mprotect and introduce section on memory protection (bsc#1163184).

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for systemd fixes the following issues:

• Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
• Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

This update for nghttp2 fixes the following issues:
Security issues fixed:

• CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
• CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
• CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)

• Fixed mistake in spec file (bsc#1125689)

• Conditionally remove dependecy on jemalloc for SLE-12
• Require correct library from devel package - boo#1125689

• This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513 “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.

• Add nghttp2_option_set_max_outbound_ack API function
• nghttpx: Fix request stall

• This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend.

• libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
• mruby has been upgraded to 2.0.1.
• libnghttp2-asio now supports boost-1.70.
• http-parser has been replaced with llhttp.
• nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

This update for glibc fixes the following issues:

• Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

This update for systemd fixes the following issues:

• manager: fix job mode when signalled to shutdown etc (bsc#1161262)
• remove fallback for user/exit.target
• dbus method Manager.Exit() does not start exit.target
• do not install rescue.target for alt-↑
• %j/%J unit specifiers

• This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.

• core: coldplug possible nop_job (bsc#1139459)
• Revert 'udev: use 'deadline' IO scheduler for SSD disks'
• Fix typo in function name
• polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
• sd-bus: introduce API for re-enqueuing incoming messages
• polkit: on async pk requests, re-validate action/details

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:
libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):
Full Release Notes can be found on:
https://wiki.documentfoundation.org/ReleaseNotes/6.4

• Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
• Move the animation library to core package bsc#1162152

• Added BoringSSL support (chenbd).
• Added gnutls-3.6.x support (alonbl).
• Added DSA and ECDSA key size getter for MSCNG (vmiklos).
• Added --enable-mans configuration option (alonbl).
• Added coninuous build integration for MacOSX (vmiklos).
• Several other small fixes (more details).

• Make sure to recommend at least one backend when you install just xmlsec1

• Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use

• Added AES-GCM support for OpenSSL and MSCNG (snargit).
• Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
• Added RSA-OAEP support for MSCNG (vmiklos).
• Continuous build integration in Travis and Appveyor.
• Several other small fixes (more details).

• Updated the English dictionaries: GB+US+CA+AU
• Bring shipped Spanish dictionary up to version 2.5

• add a backport of Boost.Optional::has_value() for LibreOffice

• Initial commit, needed by libreoffice 6.4

This update for glibc fixes the following issues:

• CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

This update for permissions fixes the following issue:

• whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

This update for libgcrypt fixes the following issues:

• FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
• FIPS: Fix drbg to be threadsafe (bsc#1167674)
• FIPS: Run self-tests from constructor during power-on [bsc#1166748]

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for e2fsprogs fixes the following issues:

• e2fsck: clarify overflow link count error message (bsc#1160979)
• ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
• ext2fs: implement dir entry creation in htree directories (bsc#1160979)
• tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
• tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

This update for libssh fixes the following issues:

• CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

This update for permissions fixes the following issues:

• Fixed spelling of icinga group (bsc#1168364)

This update for rpm fixes the following issues:

• Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

This update for libsolv fixes the following issues:
libsolv was updated to version 0.7.11:

• fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
• treat retracted pathes as irrelevant
• made add_update_target work with multiversion installs

This update for gnutls fixes the following issues:

• Backport AES XTS support (bsc#1168835)

This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:

• FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
• FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
• Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
• Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

This update for gnutls fixes the following issues:

• FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

This update for systemd fixes the following issues:

• Fix check for address to keep interface names stable. (bsc#1168076)
• Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
• Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

This update for libgcrypt fixes the following issues:

• FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

This update for openldap2 fixes the following issues:

• CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for permissions fixes the following issues:

• Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

This update for gnutls fixes the following issues:

• Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2019-19956: Fixed a memory leak (bsc#1159928).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for libgcrypt fixes the following issues:

• FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

This update for glibc fixes the following issues:

• nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

This update for zlib fixes the following issues:

• Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
• Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

This update for aaa_base fixes the following issues:

• Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
• Better support of Midnight Commander. (bsc#1170527)

This update for libxml2 fixes the following issues:

• CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

This update for audit fixes the following issues:

• Fix hang on startup. (bsc#1156159)
• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

This update for gnutls fixes the following issues:

• CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506).
• Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461).

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.13 to fix:

• Fix solvable swapping messing up idarrays
• fix ruleinfo of complex dependencies returning the wrong origin

• Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only.
• remove 'using namespace std;' (bsc#1166610, fixes #218)
• Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
• Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
• RepoVariables: Add safe guard in case the caller does not own a zypp instance.
• Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
• Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
• Log patch status changes to history (jsc#SLE-5116)
• Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
• update translations
• boost: Fix deprecated auto_unit_test.hpp includes.
• Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
• Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
• yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it.
• Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
• RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
• RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro).
• Remove legacy rpmV3database conversion code.
• Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
• Remove undocumented rug legacy stuff.
• Remove 'using namespace std;' (bsc#1166610)
• patch table: Add 'Since' column if history data are available (jsc#SLE-5116)

• Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
• Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
• Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543)
• Correctly detect ambigous switch abbreviations (bsc#1165573)
• zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
• Do not allow the abbreviation of cli arguments (bsc#1164543)
• accoring to according in all translation files.
• Always show exception history if available.
• Use default package cache location for temporary repos (bsc#1130873)

This update for zypper fixes the following issues:

• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed a bad warning in features.ph (bsc#1172348).

This update for krb5 fixes the following issue:

• Call systemd to reload the services instead of init-scripts. (bsc#1169357)

This update for systemd fixes the following issues:

• Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

This update for zstd fixes the following issues:

• Fix for build error caused by wrong static libraries. (bsc#1133297)
• Correction in spec file marking the license as documentation. (bsc#1082318)
• Add new package for SLE-15. (jsc#ECO-1886)

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update for permissions fixes the following issues:

• Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to 0.7.14:

• Enable zstd compression support
• Support blacklisted packages in solver_findproblemrule() (bnc#1172135)
• Support rules with multiple negative literals in choice rule generation
• Fix solvable swapping messing up idarrays
• fix ruleinfo of complex dependencies returning the wrong origin

• Enable zchunk metadata download if libsolv supports it.
• Older kernel-devel packages are not properly purged (bsc#1171224)
• doc: enhance service plugin example.
• Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only.
• remove 'using namespace std;' (bsc#1166610, fixes #218)
• Online doc: add 'Hardware (modalias) dependencies' page (fixes #216)
• Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs.
• RepoVariables: Add safe guard in case the caller does not own a zypp instance.
• Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
• Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476)
• Log patch status changes to history (jsc#SLE-5116)
• Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
• boost: Fix deprecated auto_unit_test.hpp includes.
• Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
• Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format.
• yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it.
• Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770)
• RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
• RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro).
• Remove legacy rpmV3database conversion code.
• Fix core dump with corrupted history file (bsc#1170801)

• Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990)
• Remove undocumented rug legacy stuff.
• Remove 'using namespace std;' (bsc#1166610)
• patch table: Add 'Since' column if history data are available (jsc#SLE-5116)
• Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
• Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
• Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543)
• Correctly detect ambigous switch abbreviations (bsc#1165573)
• zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems.
• Do not allow the abbreviation of cli arguments (bsc#1164543)
• accoring to according in all translation files.
• Always show exception history if available.
• Use default package cache location for temporary repos (bsc#1130873)
• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)

This update for libsolv, libzypp fixes the following issues:
libsolv was updated to version 0.7.14:

• Enable zstd compression support for sle15
• Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
• Support rules with multiple negative literals in choice rule generation

• Enable zchunk metadata download if libsolv supports it.
• Older kernel-devel packages are not properly purged (bsc#1171224)
• doc: enhance service plugin example.
• Fix core dump with corrupted history file (bsc#1170801)
• Better handling of the purge-kernels algorithm. (bsc#1173106)
• Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011)
• ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for systemd fixes the following issues:

• migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)

• Fix inconsistent file modes for some ghost files (bsc#1173227)

• Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)

This update for glibc fixes the following issues:

• Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
• Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

This update for util-linux fixes the following issues:

• blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
• nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
• Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
• mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)

This update for ca-certificates-mozilla fixes the following issues:
update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:
* AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3
Added CAs:
* certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017

• reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

This update for e2fsprogs fixes the following issues:

• Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

This update for systemd fixes the following issues:

• Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages.
• vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
• fix infinite timeout. (bsc#1158336)
• bpf: mount bpffs by default on boot. (bsc#1146991)
• man: explain precedence for options which take a list.
• man: unify titling, fix description of precedence in sysusers.d(5)
• udev-event: fix timeout log messages.

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for curl fixes the following issues:

• An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

This update for openldap2 fixes the following issues:

• bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125.

This update for libxml2 fixes the following issues:

• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for krb5 fixes the following issue:

• Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

This update for openldap2 fixes the following issues:

• CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

This update for libzypp, zypper provides the following fixes:
Changes in libzypp:

• VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
• Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
• Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
• Make sure reading from lsof does not block forever. (bsc#1174240)
• Just collect details for the signatures found.

• man: Enhance description of the global package cache. (bsc#1175592)
• man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
• Directly list subcommands in 'zypper help'. (bsc#1165424)
• Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
• Point out that plaindir repos do not follow symlinks. (bsc#1174561)
• Fix help command for list-patches.

This update for permissions fixes the following issues:

• whitelist WMP (bsc#1161335, bsc#1176625)

This update for aaa_base fixes the following issues:

• DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS
• check for Packages.db and use this instead of Packages. (bsc#1171762)
• Rename path() to _path() to avoid using a general name.
• refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
• etc/profile add some missing ;; in case esac statements
• profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
• backup-rpmdb: exit if zypper is running (bsc#1161239)
• Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

This update for libproxy fixes the following issues:

• CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
• CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).