Container summary for ses/7.1/ceph/grafana
SUSE-CU-2023:3071-1
| Container Advisory ID | SUSE-CU-2023:3071-1 |
| Container Tags | ses/7.1/ceph/grafana:9.5.5 , ses/7.1/ceph/grafana:9.5.5.3.4.156 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 3.4.156 |
The following patches have been included in this update:
| Advisory ID | SUSE-RU-2023:2497-1
|
| Released | Tue Jun 13 15:37:25 2023 |
| Summary | Recommended update for libzypp |
| Type | recommended |
| Severity | important |
| References | 1211661,1212187 |
Description:
This update for libzypp fixes the following issues:
- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]
| Advisory ID | SUSE-SU-2023:2575-1
|
| Released | Wed Jun 21 13:41:49 2023 |
| Summary | Security update for SUSE Manager Client Tools |
| Type | security |
| Severity | important |
| References | 1192154,1192696,1200480,1201535,1201539,1203185,1203596,1203597,1204501,1209645,1210907,CVE-2020-7753,CVE-2021-3807,CVE-2021-3918,CVE-2021-43138,CVE-2022-0155,CVE-2022-27664,CVE-2022-31097,CVE-2022-31107,CVE-2022-32149,CVE-2022-35957,CVE-2022-36062,CVE-2023-1387,CVE-2023-1410 |
Description:
This update fixes the following issues:
grafana:
- Version update from 8.5.22 to 9.5.1 (jsc#PED-3694):
* Security fixes:
- CVE-2023-1410: grafana: Stored XSS in Graphite FunctionDescription tooltip (bsc#1209645)
- CVE-2023-1387: grafana: JWT URL-login flow leaks token to data sources through request parameter in proxy requests
(bnc#1210907)
- CVE-2022-36062: grafana: Fix RBAC folders/dashboards privilege escalation (bsc#1203596)
- CVE-2022-35957: grafana: Escalation from admin to server admin when auth proxy is used (bsc#1203597)
- CVE-2022-32149: Upgrade x/text to version unaffected by CVE-2022-32149 (bsc#1204501)
- CVE-2022-31107: grafana: OAuth account takeover (bsc#1201539)
- CVE-2022-31097: grafana: stored XSS vulnerability (bsc#1201535)
- CVE-2022-27664: go1.18,go1.19: net/http: handle server errors after sending GOAWAY (bsc#1203185)
- CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor
- CVE-2021-43138: spacewalk-web: a malicious user can obtain privileges via the mapValues() method(bsc#1200480)
- CVE-2021-3918: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes
('Prototype Pollution') (bsc#1192696)
- CVE-2021-3807: node-ansi-regex: Inefficient Regular Expression Complexity in chalk/ansi-regex (bsc#1192154)
- CVE-2020-7753: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function
* Important changes:
- Default named retention policies won't be used to query.
Users who have a default named retention policy in their influxdb database, have to rename it to something else.
To change the hardcoded retention policy in the dashboard.json, users must then select the right retention policy
from dropdown and save the panel/dashboard.
- Grafana Alerting rules with NoDataState configuration set to Alerting will now respect 'For' duration.
- Users who use LDAP role sync to only sync Viewer, Editor and Admin roles, but grant Grafana Server Admin role
manually will not be able to do that anymore. After this change, LDAP role sync will override any manual changes
to Grafana Server Admin role assignments. If grafana_admin is left unset in LDAP role mapping configuration, it
will default to false.
- The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version
as issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all
InfluxDB data will be parsed in the frontend. This frontend processing is the default behavior.
In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you have upgraded to 9.4.4
and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this either:
Remove the affected panel and re-create it or edit the `time` field as `Time` in `panel.json`
or `dashboard.json`
- The `@grafana/ui` package helper function `selectOptionInTest` used in frontend tests has been removed as it
caused testing libraries to be bundled in the production code of Grafana. If you were using this helper function
in your tests please update your code accordingly.
- Removed deprecated `checkHealth` prop from the `@grafana/e2e` `addDataSource` configuration. Previously this
value defaulted to `false`, and has not been used in end-to-end tests since Grafana 8.0.3.
- Removed the deprecated `LegacyBaseMap`, `LegacyValueMapping`, `LegacyValueMap`, and `LegacyRangeMap` types, and
`getMappedValue` function from grafana-data. See the documentation for the migration.
This change fixes a bug in Grafana where intermittent failure of database, network between Grafana and the
database, or error in querying the database would cause all alert rules to be unscheduled in Grafana.
Following this change scheduled alert rules are not updated unless the query is successful.
- The `get_alert_rules_duration_seconds` metric has been renamed to `schedule_query_alert_rules_duration_seconds`
- Any secret (data sources credential, alert manager credential, etc, etc) created or modified with Grafana v9.0
won't be decryptable from any previous version (by default) because the way encrypted secrets are stored into the
database has changed. Although secrets created or modified with previous versions will still be decryptable by
Grafana v9.0.
- If required, although generally discouraged, the `disableEnvelopeEncryption` feature toggle can be enabled to
keep envelope encryption disabled once updating to Grafana
- In case of need to rollback to an earlier version of Grafana (i.e. Grafana v8.x) for any reason, after being
created or modified any secret with Grafana v9.0, the `envelopeEncryption` feature toggle will need to be enabled
to keep backwards compatibility (only from `v8.3.x` a bit unstable, from `8.5.x` stable).
- As a final attempt to deal with issues related with the aforementioned situations, the
`grafana-cli admin secrets-migration rollback` command has been designed to move back all the Grafana secrets
encrypted with envelope encryption to legacy encryption. So, after running that command it should be safe to
disable envelope encryption and/or roll back to a previous version of Grafana.
Alternatively or complementarily to all the points above, backing up the Grafana database before updating could
be a good idea to prevent disasters (although the risk of getting some secrets corrupted only applies to those
updates/created with after updating to Grafana v9.0).
- In Elasticsearch, browser access mode was deprecated in grafana 7.4.0 and removed in 9.0.0. If you used this mode
please switch to server access mode on the datasource configuration page.
- Environment variables passed from Grafana to external Azure plugins have been renamed:
`AZURE_CLOUD` renamed to `GFAZPL_AZURE_CLOUD`,
`AZURE_MANAGED_IDENTITY_ENABLED` renamed to `GFAZPL_MANAGED_IDENTITY_ENABLED`,
`AZURE_MANAGED_IDENTITY_CLIENT_ID` renamed to `GFAZPL_MANAGED_IDENTITY_CLIENT_ID`.
There are no known plugins which were relying on these variables. Moving forward plugins should read Azure
settings only via Grafana Azure SDK which properly handles old and new environment variables.
- Removes support for for ElasticSearch versions after their end-of-life, currently versions < 7.10.0.
To continue to use ElasticSearch data source, upgrade ElasticSearch to version 7.10.0+.
- Application Insights and Insight Analytics queries in Azure Monitor were deprecated in Grafana 8.0 and finally
removed in 9.0. Deprecated queries will no longer be executed.
- grafana/ui: Button now specifies a default type='button'.
The `Button` component provided by @grafana/ui now specifies a default `type='button'` when no type is provided.
In previous versions, if the attribute was not specified for buttons associated with a `
| Advisory ID | SUSE-RU-2023:2625-1
|
| Released | Fri Jun 23 17:16:11 2023 |
| Summary | Recommended update for gcc12 |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for gcc12 fixes the following issues:
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression and other bug fixes
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
| Advisory ID | SUSE-RU-2023:2742-1
|
| Released | Fri Jun 30 11:40:56 2023 |
| Summary | Recommended update for autoyast2, libzypp, yast2-pkg-bindings, yast2-update, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1202234,1209565,1211261,1212187,1212222 |
Description:
This update for yast2-pkg-bindings fixes the following issues:
libzypp was updated to version 17.31.14 (22):
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- build: honor libproxy.pc's includedir (bsc#1212222)
zypper was updated to version 1.14.61:
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
yast2-pkg-bindings, autoyast:
- Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
- Selected products are not installed after resetting the package manager internally (bsc#1202234)
yast2-update:
- Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)
| Advisory ID | SUSE-RU-2023:2855-1
|
| Released | Mon Jul 17 16:35:21 2023 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1212260 |
Description:
This update for openldap2 fixes the following issues:
- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)
| Advisory ID | SUSE-SU-2023:2882-1
|
| Released | Wed Jul 19 11:49:39 2023 |
| Summary | Security update for perl |
| Type | security |
| Severity | important |
| References | 1210999,CVE-2023-31484 |
Description:
This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
| Advisory ID | SUSE-RU-2023:2885-1
|
| Released | Wed Jul 19 16:58:43 2023 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1208721,1209229,1211828 |
Description:
This update for glibc fixes the following issues:
- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)
| Advisory ID | SUSE-SU-2023:2917-1
|
| Released | Thu Jul 20 11:49:45 2023 |
| Summary | Security update for SUSE Manager Client Tools |
| Type | security |
| Severity | critical |
| References | 1212099,1212100,1212641,CVE-2023-2183,CVE-2023-2801,CVE-2023-3128 |
Description:
This update fixes the following issues:
grafana:
- Update to version 9.5.5:
* CVE-2023-3128: Fix authentication bypass using Azure AD OAuth (bsc#1212641, jsc#PED-3694)
* Bug fixes:
* Auth: Show invite button if disable login form is set to false.
* Azure: Fix Kusto auto-completion for Azure datasources.
* RBAC: Remove legacy AC editor and admin role on new dashboard route.
* API: Revert allowing editors to access GET /datasources.
* Settings: Add ability to override skip_org_role_sync with Env variables.
- Update to version 9.5.3:
* CVE-2023-2801: Query: Prevent crash while executing concurrent mixed queries (bsc#1212099)
* CVE-2023-2183: Alerting: Require alert.notifications:write permissions to test receivers and templates (bsc#1212100)
- Update to version 9.5.2:
Alerting: Scheduler use rule fingerprint instead of version.
Explore: Update table min height.
DataLinks: Encoded URL fixed.
TimeSeries: Fix leading null-fill for missing intervals.
Dashboard: Revert fixed header shown on mobile devices in the new panel header.
PostgreSQL: Fix TLS certificate issue by downgrading lib/pq.
Provisioning: Fix provisioning issues with legacy alerting and data source permissions.
Alerting: Fix misleading status code in provisioning API.
Loki: Fix log samples using `instant` queries.
Panel Header: Implement new Panel Header on Angular Panels.
Azure Monitor: Fix bug that was not showing resources for certain locations.
Alerting: Fix panic when reparenting receivers to groups following an attempted rename via Provisioning.
Cloudwatch Logs: Clarify Cloudwatch Logs Limits.
- Update to 9.5.1
Loki Variable Query Editor: Fix bug when the query is updated
Expressions: Fix expression load with legacy UID -100
| Advisory ID | SUSE-RU-2023:2918-1
|
| Released | Thu Jul 20 12:00:17 2023 |
| Summary | Recommended update for gpgme |
| Type | recommended |
| Severity | moderate |
| References | 1089497 |
Description:
This update for gpgme fixes the following issues:
gpgme:
- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
libassuan:
- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements
| Advisory ID | SUSE-SU-2023:2956-1
|
| Released | Tue Jul 25 08:33:38 2023 |
| Summary | Security update for libcap |
| Type | security |
| Severity | moderate |
| References | 1211419,CVE-2023-2603 |
Description:
This update for libcap fixes the following issues:
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
| Advisory ID | SUSE-SU-2023:3179-1
|
| Released | Thu Aug 3 13:59:38 2023 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | moderate |
| References | 1201627,1207534,1213487,CVE-2022-4304,CVE-2023-3446 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
The previous fix for this timing side channel turned out to cause a
severe 2-3x performance regression in the typical use case (bsc#1207534).
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
- Update further expiring certificates that affect tests [bsc#1201627]
| Advisory ID | SUSE-RU-2023:3284-1
|
| Released | Fri Aug 11 10:29:50 2023 |
| Summary | Recommended update for shadow |
| Type | recommended |
| Severity | moderate |
| References | 1206627,1213189 |
Description:
This update for shadow fixes the following issues:
- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)
| Advisory ID | SUSE-SU-2023:3291-1
|
| Released | Fri Aug 11 12:51:21 2023 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | moderate |
| References | 1213517,1213853,CVE-2023-3817 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
| Advisory ID | SUSE-SU-2023:3365-1
|
| Released | Fri Aug 18 20:35:01 2023 |
| Summary | Security update for krb5 |
| Type | security |
| Severity | important |
| References | 1214054,CVE-2023-36054 |
Description:
This update for krb5 fixes the following issues:
- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)
| Advisory ID | SUSE-SU-2023:3472-1
|
| Released | Tue Aug 29 10:55:16 2023 |
| Summary | Security update for procps |
| Type | security |
| Severity | low |
| References | 1214290,CVE-2023-4016 |
Description:
This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).
| Advisory ID | SUSE-RU-2023:3515-1
|
| Released | Fri Sep 1 15:54:25 2023 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1158763,1210740,1213231,1213557,1213673 |
Description:
This update for libzypp, zypper fixes the following issues:
- Fix occasional isue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)
| Advisory ID | SUSE-SU-2023:3639-1
|
| Released | Mon Sep 18 13:33:16 2023 |
| Summary | Security update for libeconf |
| Type | security |
| Severity | moderate |
| References | 1198165,1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181 |
Description:
This update for libeconf fixes the following issues:
Update to version 0.5.2.
- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)
The following non-security bug was fixed:
- Fixed parsing files correctly which have space characters AND none space characters as delimiters (bsc#1198165).
| Advisory ID | SUSE-SU-2023:3661-1
|
| Released | Mon Sep 18 21:44:09 2023 |
| Summary | Security update for gcc12 |
| Type | security |
| Severity | important |
| References | 1214052,CVE-2023-4039 |
Description:
This update for gcc12 fixes the following issues:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
| Advisory ID | SUSE-SU-2023:3698-1
|
| Released | Wed Sep 20 11:01:15 2023 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | important |
| References | 1214768,CVE-2023-39615 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).
SUSE-CU-2023:1836-1
| Container Advisory ID | SUSE-CU-2023:1836-1 |
| Container Tags | ses/7.1/ceph/grafana:8.5.22 , ses/7.1/ceph/grafana:8.5.22.3.4.77 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 3.4.77 |
The following patches have been included in this update:
| Advisory ID | SUSE-SU-2023:1711-1
|
| Released | Fri Mar 31 13:33:04 2023 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 |
Description:
This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
| Advisory ID | SUSE-SU-2023:1718-1
|
| Released | Fri Mar 31 15:47:34 2023 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1207571,1207957,1207975,1208358,CVE-2023-0687 |
Description:
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)
Other issues fixed:
- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)
| Advisory ID | SUSE-SU-2023:1790-1
|
| Released | Thu Apr 6 15:36:15 2023 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | moderate |
| References | 1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).
| Advisory ID | SUSE-RU-2023:1805-1
|
| Released | Tue Apr 11 10:12:41 2023 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | important |
| References | |
Description:
This update for timezone fixes the following issues:
- Version update from 2022g to 2023c:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
| Advisory ID | SUSE-SU-2023:1904-1
|
| Released | Wed Apr 19 05:09:21 2023 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1208819,1208821,1209645,CVE-2023-0507,CVE-2023-0594,CVE-2023-1410 |
Description:
This version update from 8.5.20 to 8.5.22 for grafana fixes the following issues:
- Security issues fixed:
* CVE-2023-1410: Fix XSS in Graphite functions tooltip (bsc#1209645)
* CVE-2023-0507: Apply attribute sanitation to GeomapPanel (bsc#1208821)
* CVE-2023-0594: Avoid storing XSS in TraceView panel (bsc#1208819)
- The following non-security bug was fixed:
* Login: Fix panic when UpsertUser is called without ReqContext
| Advisory ID | SUSE-RU-2023:1945-1
|
| Released | Fri Apr 21 14:13:27 2023 |
| Summary | Recommended update for elfutils |
| Type | recommended |
| Severity | moderate |
| References | 1203599 |
Description:
This update for elfutils fixes the following issues:
- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)
| Advisory ID | SUSE-SU-2023:2048-1
|
| Released | Wed Apr 26 21:05:45 2023 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | important |
| References | 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).
The following non-security bugs were fixed:
- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .
| Advisory ID | SUSE-SU-2023:2070-1
|
| Released | Fri Apr 28 13:56:33 2023 |
| Summary | Security update for shadow |
| Type | security |
| Severity | moderate |
| References | 1210507,CVE-2023-29383 |
Description:
This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
| Advisory ID | SUSE-SU-2023:2074-1
|
| Released | Fri Apr 28 17:02:25 2023 |
| Summary | Security update for zstd |
| Type | security |
| Severity | moderate |
| References | 1209533,CVE-2022-4899 |
Description:
This update for zstd fixes the following issues:
- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
| Advisory ID | SUSE-SU-2023:2076-1
|
| Released | Fri Apr 28 17:35:05 2023 |
| Summary | Security update for glib2 |
| Type | security |
| Severity | moderate |
| References | 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180 |
Description:
This update for glib2 fixes the following issues:
- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).
The following non-security bug was fixed:
- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).
| Advisory ID | SUSE-RU-2023:2104-1
|
| Released | Thu May 4 21:05:30 2023 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1209122 |
Description:
This update for procps fixes the following issue:
- Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)
| Advisory ID | SUSE-SU-2023:2111-1
|
| Released | Fri May 5 14:34:00 2023 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | moderate |
| References | 1210434,CVE-2023-29491 |
Description:
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
| Advisory ID | SUSE-RU-2023:2133-1
|
| Released | Tue May 9 13:37:10 2023 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1206513 |
Description:
This update for zlib fixes the following issues:
- Add DFLTCC support for using inflate() with a small window (bsc#1206513)
| Advisory ID | SUSE-SU-2023:2227-1
|
| Released | Wed May 17 09:57:41 2023 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 |
Description:
This update for curl fixes the following issues:
- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
| Advisory ID | SUSE-RU-2023:2247-1
|
| Released | Thu May 18 17:04:38 2023 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1127591,1195633,1208329,1209406,1210870 |
Description:
This update for libzypp, zypper fixes the following issues:
- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
- multicurl: propagate ssl settings stored in repo url (bsc#1127591)
- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Teach MediaNetwork to retry on HTTP2 errors.
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority
| Advisory ID | SUSE-RU-2023:2333-1
|
| Released | Wed May 31 09:01:28 2023 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1210593 |
Description:
This update for zlib fixes the following issue:
- Fix function calling order to avoid crashes (bsc#1210593)
| Advisory ID | SUSE-SU-2023:2343-1
|
| Released | Thu Jun 1 11:35:28 2023 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1211430,CVE-2023-2650 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
| Advisory ID | SUSE-RU-2023:2365-1
|
| Released | Mon Jun 5 09:22:46 2023 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | moderate |
| References | 1210164 |
Description:
This update for util-linux fixes the following issues:
- Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)
| Advisory ID | SUSE-SU-2023:2484-1
|
| Released | Mon Jun 12 08:49:58 2023 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1211795,CVE-2023-2953 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
| Advisory ID | SUSE-RU-2023:2488-1
|
| Released | Mon Jun 12 11:10:29 2023 |
| Summary | Recommended update for ceph, ceph-image, ceph-iscsi |
| Type | recommended |
| Severity | moderate |
| References | 1199880,1201088,1208820,1209621,1210153,1210243,1210314,1210719,1210784,1210944,1211090 |
Description:
This update for ceph, ceph-image, ceph-iscsi fixes the following issues:
- Update to 16.2.13-66-g54799ee0666:
+ (bsc#1199880) mgr: don't dump global config holding gil
+ (bsc#1209621) cephadm: fix NFS haproxy failover if active node disappears
+ (bsc#1210153) mgr/cephadm: fix handling of mgr upgrades with 3 or more mgrs
+ (bsc#1210243, bsc#1210314) ceph-volume: fix regression in activate
+ (bsc#1210719) cephadm: mount host /etc/hosts for daemon containers in podman deployments
+ (bsc#1210784) mgr/dashboard: Fix SSO error: 'str' object has no attribute 'decode'
+ (bsc#1210944) cmake: patch boost source to support python 3.11
+ (bsc#1211090) fix FTBFS on s390x
- Add _multibuild to define additional spec files as additional
flavors. Eliminates the need for source package links in OBS.
- Update to 16.2.11-65-g8b7e6fc0182:
+ (bsc#1201088) test/librados: fix FTBFS on gcc 13
+ (bsc#1208820) mgr/dashboard: allow to pass controls on iscsi disk create
- Update to 16.2.11-62-gce6291a3463:
+ (bsc#1201088) fix FTBFS on gcc 13
- Update to 16.2.13-66-g54799ee0666:
+ (bsc#1199880) mgr: don't dump global config holding gil
+ (bsc#1209621) cephadm: fix NFS haproxy failover if active node disappears
+ (bsc#1210153) mgr/cephadm: fix handling of mgr upgrades with 3 or more mgrs
+ (bsc#1210243, bsc#1210314) ceph-volume: fix regression in activate
+ (bsc#1210719) cephadm: mount host /etc/hosts for daemon containers in podman deployments
+ (bsc#1210784) mgr/dashboard: Fix SSO error: 'str' object has no attribute 'decode'
+ (bsc#1210944) cmake: patch boost source to support python 3.11
+ (bsc#1211090) fix FTBFS on s390x
- Add _multibuild to define additional spec files as additional
flavors. Eliminates the need for source package links in OBS.
- Update to 16.2.11-65-g8b7e6fc0182:
+ (bsc#1201088) test/librados: fix FTBFS on gcc 13
+ (bsc#1208820) mgr/dashboard: allow to pass controls on iscsi disk create
- Update to 16.2.11-62-gce6291a3463:
+ (bsc#1201088) fix FTBFS on gcc 13
- Update to 3.5+1679292226.g8769429:
+ rbd-target-api: don't ignore controls on disk create (bsc#1208820)
- checkin.sh: default to ses7 branch
SUSE-CU-2023:797-1
| Container Advisory ID | SUSE-CU-2023:797-1 |
| Container Tags | ses/7.1/ceph/grafana:8.5.20 , ses/7.1/ceph/grafana:8.5.20.3.4.1 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 3.4.1 |
The following patches have been included in this update:
| Advisory ID | SUSE-RU-2023:714-1
|
| Released | Mon Mar 13 10:53:25 2023 |
| Summary | Recommended update for rpm |
| Type | recommended |
| Severity | important |
| References | 1207294 |
Description:
This update for rpm fixes the following issues:
- Fix missing python(abi) for 3.XX versions (bsc#1207294)
| Advisory ID | SUSE-RU-2023:776-1
|
| Released | Thu Mar 16 17:29:23 2023 |
| Summary | Recommended update for gcc12 |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
| Advisory ID | SUSE-RU-2023:786-1
|
| Released | Thu Mar 16 19:36:09 2023 |
| Summary | Recommended update for libsolv, libzypp, zypper |
| Type | recommended |
| Severity | important |
| References | 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949 |
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:
- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons
libzypp:
- Avoid calling getsockopt when we know the info already.
This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when
accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well.
To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the
installed PTF packages to theit latest version.
- Skip media.1/media download for http repo status calc.
This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed.
This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,
relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)
zypper:
- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
A remove command which prefers replacing dependant packages to removing them as well.
A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the
remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official
update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)
| Advisory ID | SUSE-SU-2023:821-1
|
| Released | Mon Mar 20 16:35:03 2023 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1207749,1207750,1208065,1208293,CVE-2022-23552,CVE-2022-39324,CVE-2022-41723,CVE-2022-46146 |
Description:
This update for grafana fixes the following issues:
- CVE-2022-23552: Fixed SVG processing by adding a dompurify preprocessor step (bsc#1207749).
- CVE-2022-39324: Fixed originalUrl spoof security issue (bsc#1207750).
- CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208293).
- CVE-2022-46146: Fixed basic authentication bypass by updating the exporter toolkit (bsc#1208065).
- Trim leading and trailing whitespaces from email and username on signup
- Fix invitation validation: Check whether the provided email address is the same as where the invitation is sent
| Advisory ID | SUSE-SU-2023:1584-1
|
| Released | Mon Mar 27 10:32:31 2023 |
| Summary | Security update for ceph |
| Type | security |
| Severity | important |
| References | 1187748,1188911,1192838,1192840,1196046,1199183,1200262,1200317,1200501,1200978,1201604,1201797,1201837,1201976,1202077,1202292,1203375,1204430,1205025,1205436,1206158,CVE-2022-0670,CVE-2022-3650,CVE-2022-3854 |
Description:
This update for ceph fixes the following issues:
Security issues fixed:
- CVE-2022-0670: Fixed user/tenant read/write access to an entire file system (bsc#1201837).
- CVE-2022-3650: Fixed Python script that allowed privilege escalation from ceph to root (bsc#1204430).
- CVE-2022-3854: Fixed possible DoS issue in ceph URL processing on RGW backends (bsc#1205025).
Bug fixes:
- osd, tools, kv: non-aggressive, on-line trimming of accumulated dups (bsc#1199183).
- ceph-volume: fix fast device alloc size on mulitple device (bsc#1200262).
- cephadm: update monitoring container images (bsc#1200501).
- mgr/dashboard: prevent alert redirect (bsc#1200978).
- mgr/volumes: Add subvolumegroup resize cmd (bsc#1201797).
- monitoring/ceph-mixin: add RGW host to label info (bsc#1201976).
- mgr/dashboard: enable addition of custom Prometheus alerts (bsc#1202077).
- python-common: Add 'KB' to supported suffixes in SizeMatcher (bsc#1203375).
- mgr/dashboard: fix rgw connect when using ssl (bsc#1205436).
- ceph.spec.in: Add -DFMT_DEPRECATED_OSTREAM to CXXFLAGS (bsc#1202292).
- cephfs-shell: move source to separate subdirectory (bsc#1201604).
Fix in previous release:
- mgr/cephadm: try to get FQDN for configuration files (bsc#1196046).
- When an RBD is mapped, it is attempted to be deployed as an OSD. (bsc#1187748).
- OSD marked down causes wrong backfill_toofull (bsc#1188911).
- cephadm: Fix iscsi client caps (allow mgr calls) (bsc#1192838).
- mgr/cephadm: fix and improve osd draining (bsc#1200317).
- add iscsi and nfs to upgrade process (bsc#1206158).
- mgr/mgr_module.py: CLICommand: Fix parsing of kwargs arguments (bsc#1192840).
SUSE-CU-2023:627-1
| Container Advisory ID | SUSE-CU-2023:627-1 |
| Container Tags | ses/7.1/ceph/grafana:8.5.15 , ses/7.1/ceph/grafana:8.5.15.2.2.401 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.401 |
The following patches have been included in this update:
| Advisory ID | SUSE-RU-2023:676-1
|
| Released | Wed Mar 8 14:33:23 2023 |
| Summary | Recommended update for libxml2 |
| Type | recommended |
| Severity | moderate |
| References | 1204585 |
Description:
This update for libxml2 fixes the following issues:
- Add W3C conformance tests to the testsuite (bsc#1204585):
* Added file xmlts20080827.tar.gz
SUSE-CU-2023:498-1
| Container Advisory ID | SUSE-CU-2023:498-1 |
| Container Tags | ses/7.1/ceph/grafana:8.5.15 , ses/7.1/ceph/grafana:8.5.15.2.2.393 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.393 |
The following patches have been included in this update:
| Advisory ID | SUSE-SU-2022:3871-1
|
| Released | Fri Nov 4 13:26:29 2022 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | important |
| References | 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).
| Advisory ID | SUSE-RU-2022:3901-1
|
| Released | Tue Nov 8 10:50:06 2022 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1180995,1203046 |
Description:
This update for openssl-1_1 fixes the following issues:
- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
- Fix memory leaks (bsc#1203046)
| Advisory ID | SUSE-RU-2022:3910-1
|
| Released | Tue Nov 8 13:05:04 2022 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for pam fixes the following issue:
- Update pam_motd to the most current version. (PED-1712)
| Advisory ID | SUSE-SU-2022:3922-1
|
| Released | Wed Nov 9 09:03:33 2022 |
| Summary | Security update for protobuf |
| Type | security |
| Severity | important |
| References | 1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171 |
Description:
This update for protobuf fixes the following issues:
- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)
| Advisory ID | SUSE-RU-2022:3961-1
|
| Released | Mon Nov 14 07:33:50 2022 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | important |
| References | 1203652 |
Description:
This update for zlib fixes the following issues:
- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)
| Advisory ID | SUSE-RU-2022:3973-1
|
| Released | Mon Nov 14 15:38:25 2022 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | moderate |
| References | 1201959,1204211 |
Description:
This update for util-linux fixes the following issues:
- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150):
libuuid: Fix range when parsing UUIDs.
Improve cache handling for short running applications-increment the cache size over runtime.
Implement continuous clock handling for time based UUIDs.
Check clock value from clock file to provide seamless libuuid.
| Advisory ID | SUSE-SU-2022:4056-1
|
| Released | Thu Nov 17 15:38:08 2022 |
| Summary | Security update for systemd |
| Type | security |
| Severity | moderate |
| References | 1204179,1204968,CVE-2022-3821 |
Description:
This update for systemd fixes the following issues:
- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
* 8a70235d8a core: Add trigger limit for path units
* 93e544f3a0 core/mount: also add default before dependency for automount mount units
* 5916a7748c logind: fix crash in logind on user-specified message string
- Document udev naming scheme (bsc#1204179).
| Advisory ID | SUSE-RU-2022:4066-1
|
| Released | Fri Nov 18 10:43:00 2022 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | important |
| References | 1177460,1202324,1204649,1205156 |
Description:
This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):
- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z
| Advisory ID | SUSE-RU-2022:4198-1
|
| Released | Wed Nov 23 13:15:04 2022 |
| Summary | Recommended update for rpm |
| Type | recommended |
| Severity | moderate |
| References | 1202750 |
Description:
This update for rpm fixes the following issues:
- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)
| Advisory ID | SUSE-RU-2022:4256-1
|
| Released | Mon Nov 28 12:36:32 2022 |
| Summary | Recommended update for gcc12 |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
| Advisory ID | SUSE-SU-2022:4428-1
|
| Released | Tue Dec 13 08:29:38 2022 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1188571,1189520,1192383,1192763,1193492,1193686,1199810,1201535,1201539,1203596,1203597,CVE-2021-36222,CVE-2021-3711,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-29170,CVE-2022-31097,CVE-2022-31107,CVE-2022-35957,CVE-2022-36062 |
Description:
This update for grafana fixes the following issues:
Version update from 8.3.10 to 8.5.13 (jsc#PED-2145):
- Security fixes:
* CVE-2022-36062: (bsc#1203596)
* CVE-2022-35957: (bsc#1203597)
* CVE-2022-31107: (bsc#1201539)
* CVE-2022-31097: (bsc#1201535)
* CVE-2022-29170: (bsc#1199810)
* CVE-2021-43813, CVE-2021-43815: (bsc#1193686)
* CVE-2021-43798: (bsc#1193492)
* CVE-2021-41244: (bsc#1192763)
* CVE-2021-41174: (bsc#1192383)
* CVE-2021-3711: (bsc#1189520)
* CVE-2021-36222: (bsc#1188571)
- Features and enhancements:
* AccessControl: Disable user remove and user update roles when they do not have the permissions
* AccessControl: Provisioning for teams
* Alerting: Add custom grouping to Alert Panel
* Alerting: Add safeguard for migrations that might cause dataloss
* Alerting: AlertingProxy to elevate permissions for request forwarded to data proxy when RBAC enabled
* Alerting: Grafana uses > instead of >= when checking the For duration
* Alerting: Move slow queries in the scheduler to another goroutine
* Alerting: Remove disabled flag for data source when migrating alerts
* Alerting: Show notification tab of legacy alerting only to editor
* Alerting: Update migration to migrate only alerts that belon to existing org\dashboard
* Alerting: Use expanded labels in dashboard annotations
* Alerting: Use time.Ticker instead of alerting.Ticker in ngalert
* Analytics: Add user id tracking to google analytics
* Angular: Add AngularJS plugin support deprecation plan to docs site
* API: Add usage stats preview endpoint
* API: Extract OpenAPI specification from source code using go-swagger
* Auth: implement auto_sign_up for auth.jwt
* Azure monitor Logs: Optimize data fetching in resource picker
* Azure Monitor Logs: Order subscriptions in resource picker by name
* Azure Monitor: Include datasource ref when interpolating variables.
* AzureMonitor: Add support for not equals and startsWith operators when creating Azure Metrics dimension filters.
* AzureMonitor: Do not quote variables when a custom 'All' variable option is used
* AzureMonitor: Filter list of resources by resourceType
* AzureMonitor: Update allowed namespaces
* BarChart: color by field, x time field, bar radius, label skipping
* Chore: Implement OpenTelemetry in Grafana
* Cloud Monitoring: Adds metric type to Metric drop down options
* CloudMonitor: Correctly encode default project response
* CloudWatch: Add all ElastiCache Redis Metrics
* CloudWatch: Add Data Lifecycle Manager metrics and dimension
* CloudWatch: Add Missing Elasticache Host-level metrics
* CloudWatch: Add multi-value template variable support for log group names in logs query builder
* CloudWatch: Add new AWS/ES metrics. #43034, @sunker
* Cloudwatch: Add support for AWS/PrivateLink* metrics and dimensions
* Cloudwatch: Add support for new AWS/RDS EBS* metrics
* Cloudwatch: Add syntax highlighting and autocomplete for 'Metric Search'
* Cloudwatch: Add template variable query function for listing log groups
* Configuration: Add ability to customize okta login button name and icon
* Elasticsearch: Add deprecation notice for < 7.10 versions.
* Explore: Support custom display label for exemplar links for Prometheus datasource
* Hotkeys: Make time range absolute/permanent
* InfluxDB: Use backend for influxDB by default via feature toggle
* Legend: Use correct unit for percent and count calculations
* Logs: Escape windows newline into single newline
* Loki: Add unpack to autocomplete suggestions
* Loki: Use millisecond steps in Grafana 8.5.x.
* Playlists: Enable sharing direct links to playlists
* Plugins: Allow using both Function and Class components for app plugins
* Plugins: Expose emotion/react to plugins to prevent load failures
* Plugins: Introduce HTTP 207 Multi Status response to api/ds/query
* Rendering: Add support for renderer token
* Setting: Support configuring feature toggles with bools instead of just passing an array
* SQLStore: Prevent concurrent migrations
* SSE: Add Mode to drop NaN/Inf/Null in Reduction operations
* Tempo: Switch out Select with AsyncSelect component to get loading state in Tempo Search
* TimeSeries: Add migration for Graph panel's transform series override
* TimeSeries: Add support for negative Y and constant transform
* TimeSeries: Preserve null/undefined values when performing negative y transform
* Traces: Filter by service/span name and operation in Tempo and Jaeger
* Transformations: Add 'JSON' field type to ConvertFieldTypeTransformer
* Transformations: Add an All Unique Values Reducer
* Transformers: avoid error when the ExtractFields source field is missing
- Breaking changes:
* For a data source query made via /api/ds/query:
+ If the DatasourceQueryMultiStatus feature is enabled and the data source response has an error set as part of the
DataResponse, the resulting HTTP status code is now '207 Multi Status' instead of '400 Bad gateway'
+ If the DatasourceQueryMultiStatus feature is not enabled and the data source response has an error set as part of
the DataResponse, the resulting HTTP status code is '400 BadRequest' (no breaking change)
* For a proxied request, e.g. Grafana's datasource or plugin proxy:
+ If the request is cancelled, e.g. from the browser/by the client, the HTTP status code is now '499 Client closed'
request instead of 502 Bad gateway If the request times out, e.g. takes longer time than allowed, the HTTP status
code is now '504 Gateway timeout' instead of '502 Bad gateway'.
+ The change in behavior is that negative-valued series are now stacked downwards from 0 (in their own stacks),
rather than downwards from the top of the positive stacks. We now automatically group stacks by Draw style, Line
interpolation, and Bar alignment, making it impossible to stack bars on top of lines, or smooth lines on top of
stepped lines
+ The meaning of the default data source has now changed from being a persisted property in a panel. Before when
you selected the default data source for a panel and later changed the default data source to another data source
it would change all panels who were configured to use the default data source. From now on the default data
source is just the default for new panels and changing the default will not impact any currently saved dashboards
+ The Tooltip component provided by @grafana/ui is no longer automatically interactive (that is you can hover onto
it and click a link or select text). It will from now on by default close automatically when you mouse out
from the trigger element. To make tooltips behave like before set the new interactive property to true.
- Deprecations:
* /api/tsdb/query API has been deprecated, please use /api/ds/query instead
* AngularJS plugin support is now in a deprecated state. The documentation site has an article with more details on why, when, and how
- Bug fixes:
* Alerting: Add contact points provisioning API
* Alerting: add field for custom slack endpoint
* Alerting: Add resolved count to notification title when both firing and resolved present
* Alerting: Alert rule should wait For duration when execution error state is Alerting
* Alerting: Allow disabling override timings for notification policies
* Alerting: Allow serving images from custom url path
* Alerting: Apply Custom Headers to datasource queries
* Alerting: Classic conditions can now display multiple values
* Alerting: correctly show all alerts in a folder
* Alerting: Display query from grafana-managed alert rules on /api/v1/rules
* Alerting: Do not overwrite existing alert rule condition
* Alerting: Enhance support for arbitrary group names in managed alerts
* Alerting: Fix access to alerts for viewer with editor permissions when RBAC is disabled
* Alerting: Fix anonymous access to alerting
* Alerting: Fix migrations by making send_alerts_to field nullable
* Alerting: Fix RBAC actions for notification policies
* Alerting: Fix use of > instead of >= when checking the For duration
* Alerting: Remove double quotes from matchers
* API: Include userId, orgId, uname in request logging middleware
* Auth: Guarantee consistency of signed SigV4 headers
* Azure Monitor : Adding json formatting of error messages in Panel Header Corner and Inspect Error Tab
* Azure Monitor: Add 2 more Curated Dashboards for VM Insights
* Azure Monitor: Bug Fix for incorrect variable cascading for template variables
* Azure Monitor: Fix space character encoding for metrics query link to Azure Portal
* Azure Monitor: Fixes broken log queries that use workspace
* Azure Monitor: Small bug fixes for Resource Picker
* AzureAd Oauth: Fix strictMode to reject users without an assigned role
* AzureMonitor: Fixes metric definition for Azure Storage queue/file/blob/table resources
* Cloudwatch : Fixed reseting metric name when changing namespace in Metric Query
* CloudWatch: Added missing MemoryDB Namespace metrics
* CloudWatch: Fix MetricName resetting on Namespace change.
* Cloudwatch: Fix template variables in variable queries.
* CloudWatch: Fix variable query tag migration
* CloudWatch: Handle new error codes for MetricInsights
* CloudWatch: List all metrics properly in SQL autocomplete
* CloudWatch: Prevent log groups from being removed on query change
* CloudWatch: Remove error message when using multi-valued template vars in region field
* CloudWatch: Run query on blur in logs query field
* CloudWatch: Use default http client from aws-sdk-go
* Dashboard: Fix dashboard update permission check
* Dashboard: Fixes random scrolling on time range change
* Dashboard: Template variables are now correctly persisted when clicking breadcrumb links
* DashboardExport: Fix exporting and importing dashboards where query data source ended up as incorrect
* DashboardPage: Remember scroll position when coming back panel edit / view panel
* Dashboards: Fixes repeating by row and no refresh
* Dashboards: Show changes in save dialog
* DataSource: Default data source is no longer a persisted state but just the default data source for new panels
* DataSourcePlugin API: Allow queries import when changing data source type
* Elasticsearch: Respect maxConcurrentShardRequests datasource setting
* Explore: Allow users to save Explore state to a new panel in a new dashboard
* Explore: Avoid locking timepicker when range is inverted.
* Explore: Fix closing split pane when logs panel is used
* Explore: Prevent direct access to explore if disabled via feature toggle
* Explore: Remove return to panel button
* FileUpload: clicking the Upload file button now opens their modal correctly
* Gauge: Fixes blank viz when data link exists and orientation was horizontal
* GrafanaUI: Fix color of links in error Tooltips in light theme
* Histogram Panel: Take decimal into consideration
* InfluxDB: Fixes invalid no data alerts. #48295, @yesoreyeram
* Instrumentation: Fix HTTP request instrumentation of authentication failures
* Instrumentation: Make backend plugin metrics endpoints available with optional authentication
* Instrumentation: Proxy status code correction and various improvements
* LibraryPanels: Fix library panels not connecting properly in imported dashboards
* LibraryPanels: Prevent long descriptions and names from obscuring the delete button
* Logger: Use specified format for file logger
* Logging: Introduce feature toggle to activate gokit/log format
* Logs: Handle missing fields in dataframes better
* Loki: Improve unpack parser handling
* ManageDashboards: Fix error when deleting all dashboards from folder view
* Middleware: Fix IPv6 host parsing in CSRF check
* Navigation: Prevent navbar briefly showing on login
* NewsPanel: Add support for Atom feeds. #45390, @kaydelaney
* OAuth: Fix parsing of ID token if header contains non-string value
* Panel Edit: Options search now works correctly when a logarithmic scale option is set
* Panel Edit: Visualization search now works correctly with special characters
* Plugins Catalog: Fix styling of hyperlinks
* Plugins: Add deprecation notice for /api/tsdb/query endpoint
* Plugins: Adding support for traceID field to accept variables
* Plugins: Ensure catching all appropriate 4xx api/ds/query scenarios
* Postgres: Return tables with hyphenated schemes
* PostgreSQL: __unixEpochGroup to support arithmetic expression as argument
* Profile/Help: Expose option to disable profile section and help menu
* Prometheus: Enable new visual query builder by default
* Provisioning: Fix duplicate validation when multiple organizations have been configured inserted
* RBAC: Fix Anonymous Editors missing dashboard controls
* RolePicker: Fix menu position on smaller screens
* SAML: Allow disabling of SAML signups
* Search: Sort results correctly when using postgres
* Security: Fixes minor code scanning security warnings in old vendored javascript libs
* Table panel: Fix horizontal scrolling when pagination is enabled
* Table panel: Show datalinks for cell display modes JSON View and Gauge derivates
* Table: Fix filter crashes table
* Table: New pagination option
* TablePanel: Add cell inspect option
* TablePanel: Do not prefix columns with frame name if multipleframes and override active
* TagsInput: Fix tags remove button accessibility issues
* Tempo / Trace Viewer: Support Span Links in Trace Viewer
* Tempo: Download span references in data inspector
* Tempo: Separate trace to logs and loki search datasource config
* TextPanel: Sanitize after markdown has been rendered to html
* TimeRange: Fixes updating time range from url and browser history
* TimeSeries: Fix detection & rendering of sparse datapoints
* Timeseries: Fix outside range stale state
* TimeSeries: Properly stack series with missing datapoints
* TimeSeries: Sort tooltip values based on raw values
* Tooltip: Fix links not legible in Tooltips when using light theme
* Tooltip: Sort decimals using standard numeric compare
* Trace View: Show number of child spans
* Transformations: Support escaped characters in key-value pair parsing
* Transforms: Labels to fields, fix label picker layout
* Variables: Ensure variables in query params are correctly recognised
* Variables: Fix crash when changing query variable datasource
* Variables: Fixes issue with data source variables not updating queries with variable
* Visualizations: Stack negative-valued series downwards
- Plugin development fixes:
* Card: Increase clickable area when meta items are present.
* ClipboardButton: Use a fallback when the Clipboard API is unavailable
* Loki: Fix operator description propup from being shortened.
* OAuth: Add setting to skip org assignment for external users
* Tooltips: Make tooltips non interactive by default
* Tracing: Add option to map tag names to log label names in trace to logs settings
| Advisory ID | SUSE-SU-2022:4628-1
|
| Released | Wed Dec 28 09:23:13 2022 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1206337,CVE-2022-46908 |
Description:
This update for sqlite3 fixes the following issues:
- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism,
when relying on --safe for execution of an untrusted CLI script (bsc#1206337).
| Advisory ID | SUSE-SU-2022:4630-1
|
| Released | Wed Dec 28 09:25:18 2022 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1200723,1203857,1204423,1205000,CVE-2022-4415 |
Description:
This update for systemd fixes the following issues:
- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).
Bug fixes:
- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).
| Advisory ID | SUSE-SU-2022:4633-1
|
| Released | Wed Dec 28 09:32:15 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1206309,CVE-2022-43552 |
Description:
This update for curl fixes the following issues:
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
| Advisory ID | SUSE-RU-2023:25-1
|
| Released | Thu Jan 5 09:51:41 2023 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):
- In the Mexican state of Chihuahua:
* The border strip near the US will change to agree with nearby US locations on 2022-11-30.
* The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
like El Paso, TX.
* The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
* A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default
| Advisory ID | SUSE-RU-2023:48-1
|
| Released | Mon Jan 9 10:37:54 2023 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | moderate |
| References | 1199467 |
Description:
This update for libtirpc fixes the following issues:
- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)
| Advisory ID | SUSE-SU-2023:56-1
|
| Released | Mon Jan 9 11:13:43 2023 |
| Summary | Security update for libksba |
| Type | security |
| Severity | moderate |
| References | 1206579,CVE-2022-47629 |
Description:
This update for libksba fixes the following issues:
- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
signature parser (bsc#1206579).
| Advisory ID | SUSE-RU-2023:157-1
|
| Released | Thu Jan 26 15:54:43 2023 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | moderate |
| References | 1194038,1205646 |
Description:
This update for util-linux fixes the following issues:
- libuuid continuous clock handling for time based UUIDs:
Prevent use of the new libuuid ABI by uuidd %post before update
of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt
does not exist.
- Fix tests not passing when '@' character is in build path:
Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
| Advisory ID | SUSE-SU-2023:174-1
|
| Released | Thu Jan 26 20:52:38 2023 |
| Summary | Security update for glib2 |
| Type | security |
| Severity | low |
| References | 1183533,CVE-2021-28153 |
Description:
This update for glib2 fixes the following issues:
- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).
| Advisory ID | SUSE-RU-2023:176-1
|
| Released | Thu Jan 26 20:56:20 2023 |
| Summary | Recommended update for permissions |
| Type | recommended |
| Severity | moderate |
| References | 1206738 |
Description:
This update for permissions fixes the following issues:
Update to version 20181225:
- Backport postfix permissions to SLE 15 SP2 (bsc#1206738)
| Advisory ID | SUSE-RU-2023:181-1
|
| Released | Thu Jan 26 21:55:43 2023 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | low |
| References | 1206412 |
Description:
This update for procps fixes the following issues:
- Improve memory handling/usage (bsc#1206412)
- Make sure that correct library version is installed (bsc#1206412)
| Advisory ID | SUSE-RU-2023:188-1
|
| Released | Fri Jan 27 12:07:19 2023 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | important |
| References | 1203652 |
Description:
This update for zlib fixes the following issues:
- Follow up fix for bug bsc#1203652 due to libxml2 issues
| Advisory ID | SUSE-SU-2023:198-1
|
| Released | Fri Jan 27 14:26:54 2023 |
| Summary | Security update for krb5 |
| Type | security |
| Severity | important |
| References | 1205126,CVE-2022-42898 |
Description:
This update for krb5 fixes the following issues:
- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).
| Advisory ID | SUSE-SU-2023:310-1
|
| Released | Tue Feb 7 17:35:34 2023 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)
| Advisory ID | SUSE-SU-2023:362-1
|
| Released | Fri Feb 10 15:15:36 2023 |
| Summary | Security update for grafana |
| Type | security |
| Severity | moderate |
| References | 1204302,1204303,1204304,1204305,1205225,1205227,CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307 |
Description:
This update for grafana fixes the following issues:
- Version update from 8.5.13 to 8.5.15 (jsc#PED-2617):
* CVE-2022-39306: Security fix for privilege escalation (bsc#1205225)
* CVE-2022-39307: Omit error from http response when user does not exists (bsc#1205227)
* CVE-2022-39201: Do not forward login cookie in outgoing requests (bsc#1204303)
* CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
* CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
* CVE-2022-39229: Fix blocking other users from signing in (bsc#1204304)
SUSE-CU-2022:2809-1
| Container Advisory ID | SUSE-CU-2022:2809-1 |
| Container Tags | ses/7.1/ceph/grafana:8.3.10 , ses/7.1/ceph/grafana:8.3.10.2.2.285 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.285 |
The following patches have been included in this update:
| Advisory ID | SUSE-SU-2022:3765-1
|
| Released | Wed Oct 26 11:17:18 2022 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1195726,1195727,1195728,1201535,1201539,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713,CVE-2022-31097,CVE-2022-31107 |
Description:
This update for grafana fixes the following issues:
Updated to version 8.3.10 (jsc#SLE-24565, jsc#SLE-23422, jsc#SLE-23439):
- CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
- CVE-2022-31107: Fixed OAuth account takeover vulnerability (bsc#1201539).
- CVE-2022-21702: Fixed XSS through attacker-controlled data source (bsc#1195726).
- CVE-2022-21703: Fixed Cross Site Request Forgery (bsc#1195727).
- CVE-2022-21713: Fixed Teams API IDOR (bsc#1195728).
| Advisory ID | SUSE-SU-2022:3766-1
|
| Released | Wed Oct 26 11:38:01 2022 |
| Summary | Security update for buildah |
| Type | security |
| Severity | important |
| References | 1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990 |
Description:
This update for buildah fixes the following issues:
- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812
Buildah was updated to version 1.27.1:
- run: add container gid to additional groups
- Add fix for CVE-2022-2990 / bsc#1202812
Update to version 1.27.0:
- Don't try to call runLabelStdioPipes if spec.Linux is not set
- build: support filtering cache by duration using --cache-ttl
- build: support building from commit when using git repo as build context
- build: clean up git repos correctly when using subdirs
- integration tests: quote '?' in shell scripts
- test: manifest inspect should have OCIv1 annotation
- vendor: bump to c/common@87fab4b7019a
- Failure to determine a file or directory should print an error
- refactor: remove unused CommitOptions from generateBuildOutput
- stage_executor: generate output for cases with no commit
- stage_executor, commit: output only if last stage in build
- Use errors.Is() instead of os.Is{Not,}Exist
- Minor test tweak for podman-remote compatibility
- Cirrus: Use the latest imgts container
- imagebuildah: complain about the right Dockerfile
- tests: don't try to wrap `nil` errors
- cmd/buildah.commitCmd: don't shadow 'err'
- cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
- Fix a copy/paste error message
- Fix a typo in an error message
- build,cache: support pulling/pushing cache layers to/from remote sources
- Update vendor of containers/(common, storage, image)
- Rename chroot/run.go to chroot/run_linux.go
- Don't bother telling codespell to skip files that don't exist
- Set user namespace defaults correctly for the library
- imagebuildah: optimize cache hits for COPY and ADD instructions
- Cirrus: Update VM images w/ updated bats
- docs, run: show SELinux label flag for cache and bind mounts
- imagebuildah, build: remove undefined concurrent writes
- bump github.com/opencontainers/runtime-tools
- Add FreeBSD support for 'buildah info'
- Vendor in latest containers/(storage, common, image)
- Add freebsd cross build targets
- Make the jail package build on 32bit platforms
- Cirrus: Ensure the build-push VM image is labeled
- GHA: Fix dynamic script filename
- Vendor in containers/(common, storage, image)
- Run codespell
- Remove import of github.com/pkg/errors
- Avoid using cgo in pkg/jail
- Rename footypes to fooTypes for naming consistency
- Move cleanupTempVolumes and cleanupRunMounts to run_common.go
- Make the various run mounts work for FreeBSD
- Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
- Move runSetupRunMounts to run_common.go
- Move cleanableDestinationListFromMounts to run_common.go
- Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
- Move setupMounts and runSetupBuiltinVolumes to run_common.go
- Tidy up - runMakeStdioPipe can't be shared with linux
- Move runAcceptTerminal to run_common.go
- Move stdio copying utilities to run_common.go
- Move runUsingRuntime and runCollectOutput to run_common.go
- Move fileCloser, waitForSync and contains to run_common.go
- Move checkAndOverrideIsolationOptions to run_common.go
- Move DefaultNamespaceOptions to run_common.go
- Move getNetworkInterface to run_common.go
- Move configureEnvironment to run_common.go
- Don't crash in configureUIDGID if Process.Capabilities is nil
- Move configureUIDGID to run_common.go
- Move runLookupPath to run_common.go
- Move setupTerminal to run_common.go
- Move etc file generation utilities to run_common.go
- Add run support for FreeBSD
- Add a simple FreeBSD jail library
- Add FreeBSD support to pkg/chrootuser
- Sync call signature for RunUsingChroot with chroot/run.go
- test: verify feature to resolve basename with args
- vendor: bump openshift/imagebuilder to master@4151e43
- GHA: Remove required reserved-name use
- buildah: set XDG_RUNTIME_DIR before setting default runroot
- imagebuildah: honor build output even if build container is not commited
- chroot: honor DefaultErrnoRet
- [CI:DOCS] improve pull-policy documentation
- tests: retrofit test since --file does not supports dir
- Switch to golang native error wrapping
- BuildDockerfiles: error out if path to containerfile is a directory
- define.downloadToDirectory: fail early if bad HTTP response
- GHA: Allow re-use of Cirrus-Cron fail-mail workflow
- add: fail on bad http response instead of writing to container
- [CI:DOCS] Update buildahimage comment
- lint: inspectable is never nil
- vendor: c/common to common@7e1563b
- build: support OCI hooks for ephemeral build containers
- [CI:BUILD] Install latest buildah instead of compiling
- Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
- Make sure cpp is installed in buildah images
- demo: use unshare for rootless invocations
- buildah.spec.rpkg: initial addition
- build: fix test for subid 4
- build, userns: add support for --userns=auto
- Fix building upstream buildah image
- Remove redundant buildahimages-are-sane validation
- Docs: Update multi-arch buildah images readme
- Cirrus: Migrate multiarch build off github actions
- retrofit-tests: we skip unused stages so use stages
- stage_executor: dont rely on stage while looking for additional-context
- buildkit, multistage: skip computing unwanted stages
- More test cleanup
- copier: work around freebsd bug for 'mkdir /'
- Replace $BUILDAH_BINARY with buildah() function
- Fix up buildah images
- Make util and copier build on FreeBSD
- Vendor in latest github.com/sirupsen/logrus
- Makefile: allow building without .git
- run_unix: don't return an error from getNetworkInterface
- run_unix: return a valid DefaultNamespaceOptions
- Update vendor of containers/storage
- chroot: use ActKillThread instead of ActKill
- use resolvconf package from c/common/libnetwork
- update c/common to latest main
- copier: add `NoOverwriteNonDirDir` option
- Sort buildoptions and move cli/build functions to internal
- Fix TODO: de-spaghettify run mounts
- Move options parsing out of build.go and into pkg/cli
- [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
- build, multiarch: support splitting build logs for --platform
- [CI:BUILD] WIP Cleanup Image Dockerfiles
- cli remove stutter
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- Fix use generic/ambiguous DEBUG name
- Cirrus: use Ubuntu 22.04 LTS
- Fix codespell errors
- Remove util.StringInSlice because it is defined in containers/common
- buildah: add support for renaming a device in rootless setups
- squash: never use build cache when computing last step of last stage
- Update vendor of containers/(common, storage, image)
- buildkit: supports additionalBuildContext in builds via --build-context
- buildah source pull/push: show progress bar
- run: allow resuing secret twice in different RUN steps
- test helpers: default to being rootless-aware
- Add --cpp-flag flag to buildah build
- build: accept branch and subdirectory when context is git repo
- Vendor in latest containers/common
- vendor: update c/storage and c/image
- Fix gentoo install docs
- copier: move NSS load to new process
- Add test for prevention of reusing encrypted layers
- Make `buildah build --label foo` create an empty 'foo' label again
Update to version 1.26.4:
- build, multiarch: support splitting build logs for --platform
- copier: add `NoOverwriteNonDirDir` option
- docker-parity: ignore sanity check if baseImage history is null
- build, commit: allow disabling image history with --omit-history
- buildkit: supports additionalBuildContext in builds via --build-context
- Add --cpp-flag flag to buildah build
Update to version 1.26.3:
- define.downloadToDirectory: fail early if bad HTTP response
- add: fail on bad http response instead of writing to container
- squash: never use build cache when computing last step of last stage
- run: allow resuing secret twice in different RUN steps
- integration tests: update expected error messages
- integration tests: quote '?' in shell scripts
- Use errors.Is() to check for storage errors
- lint: inspectable is never nil
- chroot: use ActKillThread instead of ActKill
- chroot: honor DefaultErrnoRet
- Set user namespace defaults correctly for the library
- contrib/rpm/buildah.spec: fix `rpm` parser warnings
Drop requires on apparmor pattern, should be moved elsewhere
for systems which want AppArmor instead of SELinux.
- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file
is required to build.
Update to version 1.26.2:
- buildah: add support for renaming a device in rootless setups
Update to version 1.26.1:
- Make `buildah build --label foo` create an empty 'foo' label again
- imagebuildah,build: move deepcopy of args before we spawn goroutine
- Vendor in containers/storage v1.40.2
- buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
- help output: get more consistent about option usage text
- Handle OS version and features flags
- buildah build: --annotation and --label should remove values
- buildah build: add a --env
- buildah: deep copy options.Args before performing concurrent build/stage
- test: inline platform and builtinargs behaviour
- vendor: bump imagebuilder to master/009dbc6
- build: automatically set correct TARGETPLATFORM where expected
- Vendor in containers/(common, storage, image)
- imagebuildah, executor: process arg variables while populating baseMap
- buildkit: add support for custom build output with --output
- Cirrus: Update CI VMs to F36
- fix staticcheck linter warning for deprecated function
- Fix docs build on FreeBSD
- copier.unwrapError(): update for Go 1.16
- copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
- copier.Put(): write to read-only directories
- Ed's periodic test cleanup
- using consistent lowercase 'invalid' word in returned err msg
- use etchosts package from c/common
- run: set actual hostname in /etc/hostname to match docker parity
- Update vendor of containers/(common,storage,image)
- manifest-create: allow creating manifest list from local image
- Update vendor of storage,common,image
- Initialize network backend before first pull
- oci spec: change special mount points for namespaces
- tests/helpers.bash: assert handle corner cases correctly
- buildah: actually use containers.conf settings
- integration tests: learn to start a dummy registry
- Fix error check to work on Podman
- buildah build should accept at most one arg
- tests: reduce concurrency for flaky bud-multiple-platform-no-run
- vendor in latest containers/common,image,storage
- manifest-add: allow override arch,variant while adding image
- Remove a stray `\` from .containerenv
- Vendor in latest opencontainers/selinux v1.10.1
- build, commit: allow removing default identity labels
- Create shorter names for containers based on image IDs
- test: skip rootless on cgroupv2 in root env
- fix hang when oci runtime fails
- Set permissions for GitHub actions
- copier test: use correct UID/GID in test archives
- run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM
| Advisory ID | SUSE-SU-2022:3773-1
|
| Released | Wed Oct 26 12:19:29 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1204383,CVE-2022-32221 |
Description:
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
| Advisory ID | SUSE-RU-2022:3776-1
|
| Released | Wed Oct 26 14:06:43 2022 |
| Summary | Recommended update for permissions |
| Type | recommended |
| Severity | important |
| References | 1203911,1204137 |
Description:
This update for permissions fixes the following issues:
- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't
properly support ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)
| Advisory ID | SUSE-RU-2022:3792-1
|
| Released | Thu Oct 27 10:09:11 2022 |
| Summary | Recommended update for grafana-piechart-panel |
| Type | recommended |
| Severity | moderate |
| References | 1200501 |
Description:
This update for grafana-piechart-panel fixes the following issues:
- Update grafana-piechart-panel to version 1.6.2 that is signed for use with Grafana v8.x (bsc#1200501)
SUSE-CU-2022:2684-1
| Container Advisory ID | SUSE-CU-2022:2684-1 |
| Container Tags | ses/7.1/ceph/grafana:8.3.5 , ses/7.1/ceph/grafana:8.3.5.2.2.273 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.273 |
The following patches have been included in this update:
SUSE-CU-2022:2683-1
| Container Advisory ID | SUSE-CU-2022:2683-1 |
| Container Tags | ses/7.1/ceph/grafana:8.3.5 , ses/7.1/ceph/grafana:8.3.5.2.2.273 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.273 |
The following patches have been included in this update:
SUSE-CU-2022:2659-1
| Container Advisory ID | SUSE-CU-2022:2659-1 |
| Container Tags | ses/7.1/ceph/grafana:8.3.5 , ses/7.1/ceph/grafana:8.3.5.2.2.270 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.270 |
The following patches have been included in this update:
| Advisory ID | SUSE-RU-2022:3215-1
|
| Released | Thu Sep 8 15:58:27 2022 |
| Summary | Recommended update for rpm |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for rpm fixes the following issues:
- Support Ed25519 RPM signatures [jsc#SLE-24714]
| Advisory ID | SUSE-RU-2022:3223-1
|
| Released | Fri Sep 9 04:33:35 2022 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1199895,1200993,1201092,1201576,1201638 |
Description:
This update for libzypp, zypper fixes the following issues:
libzypp:
- Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
- Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test
the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.
zypper:
- Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
- Reject install/remove modifier without argument (bsc#1201576)
- zypper-download: Handle unresolvable arguments as errors
- Put signing key supplying repository name in quotes
| Advisory ID | SUSE-RU-2022:3262-1
|
| Released | Tue Sep 13 15:34:29 2022 |
| Summary | Recommended update for gcc11 |
| Type | recommended |
| Severity | moderate |
| References | 1199140 |
Description:
This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)
| Advisory ID | SUSE-SU-2022:3271-1
|
| Released | Wed Sep 14 06:45:39 2022 |
| Summary | Security update for perl |
| Type | security |
| Severity | moderate |
| References | 1047178,CVE-2017-6512 |
Description:
This update for perl fixes the following issues:
- CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).
| Advisory ID | SUSE-RU-2022:3276-1
|
| Released | Thu Sep 15 06:15:29 2022 |
| Summary | This update fixes the following issues: |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).
| Advisory ID | SUSE-RU-2022:3304-1
|
| Released | Mon Sep 19 11:43:25 2022 |
| Summary | Recommended update for libassuan |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for libassuan fixes the following issues:
- Add a timeout for writing to a SOCKS5 proxy
- Add workaround for a problem with LD_LIBRARY_PATH on newer systems
- Fix issue in the logging code
- Fix some build trivialities
- Upgrade autoconf
| Advisory ID | SUSE-SU-2022:3305-1
|
| Released | Mon Sep 19 11:45:57 2022 |
| Summary | Security update for libtirpc |
| Type | security |
| Severity | important |
| References | 1201680,CVE-2021-46828 |
Description:
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).
| Advisory ID | SUSE-SU-2022:3307-1
|
| Released | Mon Sep 19 13:26:51 2022 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 |
Description:
This update for sqlite3 fixes the following issues:
- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).
| Advisory ID | SUSE-SU-2022:3394-1
|
| Released | Mon Sep 26 16:05:19 2022 |
| Summary | Security update for permissions |
| Type | security |
| Severity | moderate |
| References | 1203018,CVE-2022-31252 |
Description:
This update for permissions fixes the following issues:
- CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).
| Advisory ID | SUSE-RU-2022:3452-1
|
| Released | Wed Sep 28 12:13:43 2022 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1201942 |
Description:
This update for glibc fixes the following issues:
- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)
| Advisory ID | SUSE-RU-2022:3555-1
|
| Released | Mon Oct 10 14:05:12 2022 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | important |
| References | 1199492 |
Description:
This update for aaa_base fixes the following issues:
- The wrapper rootsh is not a restricted shell. (bsc#1199492)
| Advisory ID | SUSE-RU-2022:3565-1
|
| Released | Tue Oct 11 16:17:38 2022 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | critical |
| References | 1189282,1201972,1203649 |
Description:
This update for libzypp, zypper fixes the following issues:
libzypp:
- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined
zypper:
- Fix contradiction in the man page: `--download-in-advance` option is the default behavior
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now auto established
- Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined
| Advisory ID | SUSE-SU-2022:3683-1
|
| Released | Fri Oct 21 11:48:39 2022 |
| Summary | Security update for libksba |
| Type | security |
| Severity | critical |
| References | 1204357,CVE-2022-3515 |
Description:
This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).
SUSE-CU-2022:2083-1
| Container Advisory ID | SUSE-CU-2022:2083-1 |
| Container Tags | ses/7.1/ceph/grafana:8.3.5 , ses/7.1/ceph/grafana:8.3.5.2.2.217 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.217 |
The following patches have been included in this update:
| Advisory ID | SUSE-RU-2018:1332-1
|
| Released | Tue Jul 17 09:01:19 2018 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1073299,1093392 |
Description:
This update for timezone provides the following fixes:
- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used
in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd
timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid
setting an incorrect timezone. (bsc#1093392)
| Advisory ID | SUSE-RU-2018:2463-1
|
| Released | Thu Oct 25 14:48:34 2018 |
| Summary | Recommended update for timezone, timezone-java |
| Type | recommended |
| Severity | moderate |
| References | 1104700,1112310 |
Description:
This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates
Other bugfixes:
- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)
| Advisory ID | SUSE-RU-2018:2550-1
|
| Released | Wed Oct 31 16:16:56 2018 |
| Summary | Recommended update for timezone, timezone-java |
| Type | recommended |
| Severity | moderate |
| References | 1113554 |
Description:
This update provides the latest time zone definitions (2018g), including the following change:
- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
| Advisory ID | SUSE-RU-2019:102-1
|
| Released | Tue Jan 15 18:02:58 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1120402 |
Description:
This update for timezone fixes the following issues:
- Update 2018i:
São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
Metlakatla, Alaska observes PST this winter only
Guess Morocco will continue to adjust clocks around Ramadan
Add predictions for Iran from 2038 through 2090
| Advisory ID | SUSE-RU-2019:790-1
|
| Released | Thu Mar 28 12:06:17 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1130557 |
Description:
This update for timezone fixes the following issues:
timezone was updated 2019a:
- Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
- Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
- Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
- zic now has an -r option to limit the time range of output data
| Advisory ID | SUSE-RU-2019:1815-1
|
| Released | Thu Jul 11 07:47:55 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1140016 |
Description:
This update for timezone fixes the following issues:
- Timezone update 2019b. (bsc#1140016):
- Brazil no longer observes DST.
- 'zic -b slim' outputs smaller TZif files.
- Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
- Add info about the Crimea situation.
| Advisory ID | SUSE-RU-2019:2762-1
|
| Released | Thu Oct 24 07:08:44 2019 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1150451 |
Description:
This update for timezone fixes the following issues:
- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.
| Advisory ID | SUSE-RU-2020:1303-1
|
| Released | Mon May 18 09:40:36 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1169582 |
Description:
This update for timezone fixes the following issues:
- timezone update 2020a. (bsc#1169582)
* Morocco springs forward on 2020-05-31, not 2020-05-24.
* Canada's Yukon advanced to -07 year-round on 2020-03-08.
* America/Nuuk renamed from America/Godthab.
* zic now supports expiration dates for leap second lists.
| Advisory ID | SUSE-RU-2020:1542-1
|
| Released | Thu Jun 4 13:24:37 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1172055 |
Description:
This update for timezone fixes the following issue:
- zdump --version reported 'unknown' (bsc#1172055)
| Advisory ID | SUSE-RU-2020:3099-1
|
| Released | Thu Oct 29 19:33:41 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
* Revised predictions for Morocco's changes starting in 2023.
* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
* Macquarie Island has stayed in sync with Tasmania since 2011.
* Casey, Antarctica is at +08 in winter and +11 in summer.
* zic no longer supports -y, nor the TYPE field of Rules.
| Advisory ID | SUSE-RU-2020:3123-1
|
| Released | Tue Nov 3 09:48:13 2020 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | important |
| References | 1177460,1178346,1178350,1178353 |
Description:
This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)
| Advisory ID | SUSE-RU-2021:179-1
|
| Released | Wed Jan 20 13:38:51 2021 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
| Advisory ID | SUSE-RU-2021:301-1
|
| Released | Thu Feb 4 08:46:27 2021 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
| Advisory ID | SUSE-RU-2021:2573-1
|
| Released | Thu Jul 29 14:21:52 2021 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1188127 |
Description:
This update for timezone fixes the following issue:
- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by
the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are
now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).
| Advisory ID | SUSE-RU-2021:3883-1
|
| Released | Thu Dec 2 11:47:07 2021 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)
- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china
| Advisory ID | SUSE-SU-2022:1040-1
|
| Released | Wed Mar 30 09:40:58 2022 |
| Summary | Security update for protobuf |
| Type | security |
| Severity | moderate |
| References | 1195258,CVE-2021-22570 |
Description:
This update for protobuf fixes the following issues:
- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).
| Advisory ID | SUSE-RU-2022:1047-1
|
| Released | Wed Mar 30 16:20:56 2022 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1196093,1197024 |
Description:
This update for pam fixes the following issues:
- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable.
This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)
| Advisory ID | SUSE-SU-2022:1061-1
|
| Released | Wed Mar 30 18:27:06 2022 |
| Summary | Security update for zlib |
| Type | security |
| Severity | important |
| References | 1197459,CVE-2018-25032 |
Description:
This update for zlib fixes the following issues:
- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).
| Advisory ID | SUSE-SU-2022:1073-1
|
| Released | Fri Apr 1 11:45:01 2022 |
| Summary | Security update for yaml-cpp |
| Type | security |
| Severity | moderate |
| References | 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 |
Description:
This update for yaml-cpp fixes the following issues:
- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).
| Advisory ID | SUSE-RU-2022:1099-1
|
| Released | Mon Apr 4 12:53:05 2022 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1194883 |
Description:
This update for aaa_base fixes the following issues:
- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8
multi byte characters as well as support the vi mode of readline library
| Advisory ID | SUSE-RU-2022:1107-1
|
| Released | Mon Apr 4 17:49:17 2022 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | moderate |
| References | 1194642 |
Description:
This update for util-linux fixes the following issue:
- Improve throughput and reduce clock sequence increments for high load situation with time based
version 1 uuids. (bsc#1194642)
| Advisory ID | SUSE-RU-2022:1118-1
|
| Released | Tue Apr 5 18:34:06 2022 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | moderate |
| References | 1177460 |
Description:
This update for timezone fixes the following issues:
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not on 03-26
* `zdump -v` now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
| Advisory ID | SUSE-SU-2022:1157-1
|
| Released | Tue Apr 12 13:26:19 2022 |
| Summary | Security update for libsolv, libzypp, zypper |
| Type | security |
| Severity | important |
| References | 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 |
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:
- Harden package signature checks (bsc#1184501).
libsolv update to 0.7.22:
- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
- support parsing of Debian's Multi-Arch indicator
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden vendor change
- support strict repository priorities
new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
- support setting/reading userdata in solv files
new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime
libzypp update to 17.30.0:
- ZConfig: Update solver settings if target changes (bsc#1196368)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- Fix package signature check (bsc#1184501)
Pay attention that header and payload are secured by a valid
signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
A previously released ISO image may need a bit more time to
release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)
zypper update to 1.14.52:
- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
| Advisory ID | SUSE-SU-2022:1158-1
|
| Released | Tue Apr 12 14:44:43 2022 |
| Summary | Security update for xz |
| Type | security |
| Severity | important |
| References | 1198062,CVE-2022-1271 |
Description:
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
| Advisory ID | SUSE-RU-2022:1170-1
|
| Released | Tue Apr 12 18:20:07 2022 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1191502,1193086,1195247,1195529,1195899,1196567 |
Description:
This update for systemd fixes the following issues:
- Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
- When migrating from sysvinit to systemd (it probably won't happen anymore),
let's use the default systemd target, which is the graphical.target one.
- Don't open /var journals in volatile mode when runtime_journal==NULL
- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
- man: tweak description of auto/noauto (bsc#1191502)
- shared/install: ignore failures for auxiliary files
- install: make UnitFileChangeType enum anonymous
- shared/install: reduce scope of iterator variables
- systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
- Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
- Drop or soften some of the deprecation warnings (bsc#1193086)
| Advisory ID | SUSE-RU-2022:1281-1
|
| Released | Wed Apr 20 12:26:38 2022 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | moderate |
| References | 1196647 |
Description:
This update for libtirpc fixes the following issues:
- Add option to enforce connection via protocol version 2 first (bsc#1196647)
| Advisory ID | SUSE-RU-2022:1302-1
|
| Released | Fri Apr 22 10:04:46 2022 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1196939 |
Description:
This update for e2fsprogs fixes the following issues:
- Add support for 'libreadline7' for Leap. (bsc#1196939)
| Advisory ID | SUSE-RU-2022:1374-1
|
| Released | Mon Apr 25 15:02:13 2022 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1191157,1197004 |
Description:
This update for openldap2 fixes the following issues:
- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)
| Advisory ID | SUSE-RU-2022:1409-1
|
| Released | Tue Apr 26 12:54:57 2022 |
| Summary | Recommended update for gcc11 |
| Type | recommended |
| Severity | moderate |
| References | 1195628,1196107 |
Description:
This update for gcc11 fixes the following issues:
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
packages provided by older GCC work. Add a requires from that
package to the corresponding libstc++6 package to keep those
at the same version. [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
to Recommends.
| Advisory ID | SUSE-feature-2022:1419-1
|
| Released | Wed Apr 27 09:20:06 2022 |
| Summary | Feature update for grafana |
| Type | feature |
| Severity | moderate |
| References | 1194873,1195726,1195727,1195728,CVE-2021-36222,CVE-2021-3711,CVE-2021-39226,CVE-2021-41174,CVE-2021-41244,CVE-2021-43798,CVE-2021-43813,CVE-2021-43815,CVE-2022-21673,CVE-2022-21702,CVE-2022-21703,CVE-2022-21713 |
Description:
This update for grafana fixes the following issues:
Update from version 7.5.12 to version 8.3.5 (jsc#SLE-23422)
* CVE-2022-21702: XSS vulnerability in handling data sources (bsc#1195726)
* CVE-2022-21703: cross-origin request forgery vulnerability (bsc#1195727)
* CVE-2022-21713: Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728)
* CVE-2022-21673: GetUserInfo: return an error if no user was found (bsc#1194873)
* CVE-2021-43813, CVE-2021-43815, CVE-2021-41244, CVE-2021-41174, CVE-2021-43798, CVE-2021-39226.
* Upgrade Docker base image to Alpine 3.14.3.
* CVE-2021-3711: Docker: Force use of libcrypto1.1 and libssl1.1 versions
* Update dependencies to fix CVE-2021-36222.
* Upgrade Go to 1.17.2.
* Fix stylesheet injection vulnerability.
* Fix short URL vulnerability.
- License update:
* AGPL License: Update license from Apache 2.0 to the GNU Affero General Public License (AGPL).
- Breaking changes:
* Grafana 8 Alerting enabled by default for installations that do not use legacy alerting.
* Keep Last State for 'If execution error or timeout' when upgrading to Grafana 8 alerting.
* Fix No Data behaviour in Legacy Alerting.
* The following endpoints were deprecated for Grafana v5.0 and
support for them has now been removed:
* `GET /dashboards/db/:slug`
* `GET /dashboard-solo/db/:slug`
* `GET /api/dashboard/db/:slug`
* `DELETE /api/dashboards/db/:slug`
* The default HTTP method for Prometheus data source is now POST.
* Removes the never refresh option for Query variables.
* Removes the experimental Tags feature for Variables.
- Deprecations:
* The InfoBox & FeatureInfoBox are now deprecated please use
the Alert component instead with severity info.
- Bug fixes:
* Azure Monitor: Bug fix for variable interpolations in metrics dropdowns.
* Azure Monitor: Improved error messages for variable queries.
* CloudMonitoring: Fixes broken variable queries that use group bys.
* Configuration: You can now see your expired API keys if you have no active ones.
* Elasticsearch: Fix handling multiple datalinks for a single field.
* Export: Fix error when exporting dashboards using query variables that reference the default datasource.
* ImportDashboard: Fixes issue with importing dashboard and name ending up in uid.
* Login: Page no longer overflows on mobile.
* Plugins: Set backend metadata property for core plugins.
* Prometheus: Fill missing steps with null values.
* Prometheus: Fix interpolation of `$__rate_interval` variable.
* Prometheus: Interpolate variables with curly brackets syntax.
* Prometheus: Respect the http-method data source setting.
* Table: Fixes issue with field config applied to wrong fields when hiding columns.
* Toolkit: Fix bug with rootUrls not being properly parsed when signing a private plugin.
* Variables: Fix so data source variables are added to adhoc configuration.
* AnnoListPanel: Fix interpolation of variables in tags.
* CloudWatch: Allow queries to have no dimensions specified.
* CloudWatch: Fix broken queries for users migrating from 8.2.4/8.2.5 to 8.3.0.
* CloudWatch: Make sure MatchExact flag gets the right value.
* Dashboards: Fix so that empty folders can be deleted from the manage dashboards/folders page.
* InfluxDB: Improve handling of metadata query errors in InfluxQL.
* Loki: Fix adding of ad hoc filters for queries with parser and line_format expressions.
* Prometheus: Fix running of exemplar queries for non-histogram metrics.
* Prometheus: Interpolate template variables in interval.
* StateTimeline: Fix toolitp not showing when for frames with multiple fields.
* TraceView: Fix virtualized scrolling when trace view is opened in right pane in Explore.
* Variables: Fix repeating panels for on time range changed variables.
* Variables: Fix so queryparam option works for scoped variables.
* Alerting: Clear alerting rule evaluation errors after intermittent failures.
* Alerting: Fix refresh on legacy Alert List panel.
* Dashboard: Fix queries for panels with non-integer widths.
* Explore: Fix url update inconsistency.
* Prometheus: Fix range variables interpolation for time ranges smaller than 1 second.
* ValueMappings: Fixes issue with regex value mapping that only sets color.
* AccessControl: Renamed orgs roles, removed fixed:orgs:reader introduced in beta1.
* Azure Monitor: Add trap focus for modals in grafana/ui and other small a11y fixes for Azure Monitor.
* CodeEditor: Prevent suggestions from being clipped.
* Dashboard: Fix cache timeout persistence.
* Datasource: Fix stable sort order of query responses.
* Explore: Fix error in query history when removing last item.
* Logs: Fix requesting of older logs when flipped order.
* Prometheus: Fix running of health check query based on access mode.
* TextPanel: Fix suggestions for existing panels.
* Tracing: Fix incorrect indentations due to reoccurring spanIDs.
* Tracing: Show start time of trace with milliseconds precision.
* Variables: Make renamed or missing variable section expandable.
* API: Fix dashboard quota limit for imports.
* Alerting: Fix rule editor issues with Azure Monitor data source.
* Azure monitor: Make sure alert rule editor is not enabled when template variables are being used.
* CloudMonitoring: Fix annotation queries.
* CodeEditor: Trigger the latest getSuggestions() passed to CodeEditor.
* Dashboard: Remove the current panel from the list of options in the Dashboard datasource.
* Encryption: Fix decrypting secrets in alerting migration.
* InfluxDB: Fix corner case where index is too large in ALIAS field.
* NavBar: Order App plugins alphabetically.
* NodeGraph: Fix zooming sensitivity on touchpads.
* Plugins: Add OAuth pass-through logic to api/ds/query endpoint.
* Snapshots: Fix panel inspector for snapshot data.
* Tempo: Fix basic auth password reset on adding tag.
* ValueMapping: Fixes issue with regex mappings.
* TimeSeries: Fix fillBelowTo wrongly affecting fills of unrelated series.
* Alerting: Fix a bug where the metric in the evaluation string was not correctly populated.
* Alerting: Fix no data behaviour in Legacy Alerting for alert rules using the AND operator.
* CloudMonitoring: Ignore min and max aggregation in MQL queries.
* Dashboards: 'Copy' is no longer added to new dashboard titles.
* DataProxy: Fix overriding response body when response is a WebSocket upgrade.
* Elasticsearch: Use field configured in query editor as field for date_histogram aggregations.
* Explore: Fix running queries without a datasource property set.
* InfluxDB: Fix numeric aliases in queries.
* Plugins: Ensure consistent plugin settings list response.
* Tempo: Fix validation of float durations.
* Tracing: Correct tags for each span are shown.
* Alerting: Fix panic when Slack's API sends unexpected response.
* Alerting: The Create Alert button now appears on the dashboard panel when you are working with a default
datasource.
* Explore: We fixed the problem where the Explore log panel disappears when an Elasticsearch logs query returns no
results.
* Graph: You can now see annotation descriptions on hover.
* Logs: The system now uses the JSON parser only if the line is parsed to an object.
* Prometheus: the system did not reuse TCP connections when querying from Grafana alerting.
* Prometheus: error when a user created a query with a `$__interval` min step.
* RowsToFields: the system was not properly interpreting number values.
* Scale: We fixed how the system handles NaN percent when data min = data max.
* Table panel: You can now create a filter that includes special characters.
* Dashboard: Fix rendering of repeating panels.
* Datasources: Fix deletion of data source if plugin is not found.
* Packaging: Remove systemcallfilters sections from systemd unit files.
* Prometheus: Add Headers to HTTP client options.
* CodeEditor: Ensure that we trigger the latest onSave callback provided to the component.
* DashboardList/AlertList: Fix for missing All folder value.
* Alerting: Fixed an issue where the edit page crashes if you tried to preview an alert without a condition set.
* Alerting: Fixed rules migration to keep existing Grafana 8 alert rules.
* Alerting: Fixed the silence file content generated during migration.
* Analytics: Fixed an issue related to interaction event propagation in Azure Application Insights.
* BarGauge: Fixed an issue where the cell color was lit even though there was no data.
* BarGauge: Improved handling of streaming data.
* CloudMonitoring: Fixed INT64 label unmarshal error.
* ConfirmModal: Fixes confirm button focus on modal open.
* Dashboard: Add option to generate short URL for variables with values containing spaces.
* Explore: No longer hides errors containing refId property.
* Fixed an issue that produced State timeline panel tooltip error when data was not in sync.
* InfluxDB: InfluxQL query editor is set to always use resultFormat.
* Loki: Fixed creating context query for logs with parsed labels.
* PageToolbar: Fixed alignment of titles.
* Plugins Catalog: Update to the list of available panels after an install, update or uninstall.
* TimeSeries: Fixed an issue where the shared cursor was not showing when hovering over in old Graph panel.
* Variables: Fixed issues related to change of focus or refresh pages when pressing enter in a text box variable
input.
* Variables: Panel no longer crash when using the adhoc variable in data links.
* Admin: Prevent user from deleting user's current/active organization.
* LibraryPanels: Fix library panel getting saved in the dashboard's folder.
* OAuth: Make generic teams URL and JMES path configurable.
* QueryEditor: Fix broken copy-paste for mouse middle-click
* Thresholds: Fix undefined color in 'Add threshold'.
* Timeseries: Add wide-to-long, and fix multi-frame output.
* TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip is set to All.
* Alerting: Fix alerts with evaluation interval more than 30
seconds resolving before notification.
* Elasticsearch/Prometheus: Fix usage of proper SigV4 service
namespace.
* BarChart: Fixes panel error that happens on second refresh.
* Alerting: Fix notification channel migration.
* Annotations: Fix blank panels for queries with unknown data
sources.
* BarChart: Fix stale values and x axis labels.
* Graph: Make old graph panel thresholds work even if ngalert
is enabled.
* InfluxDB: Fix regex to identify / as separator.
* LibraryPanels: Fix update issues related to library panels in
rows.
* Variables: Fix variables not updating inside a Panel when the
preceding Row uses 'Repeat For'.
* Alerting: Fix alert flapping in the internal alertmanager.
* Alerting: Fix request handler failed to convert dataframe
'results' to plugins.DataTimeSeriesSlice: input frame is not
recognized as a time series.
* Dashboard: Fix UIDs are not preserved when importing/creating
dashboards thru importing .json file.
* Dashboard: Forces panel re-render when exiting panel edit.
* Dashboard: Prevent folder from changing when navigating to
general settings.
* Elasticsearch: Fix metric names for alert queries.
* Elasticsearch: Limit Histogram field parameter to numeric values.
* Elasticsearch: Prevent pipeline aggregations to show up in
terms order by options.
* LibraryPanels: Prevent duplicate repeated panels from being created.
* Loki: Fix ad-hoc filter in dashboard when used with parser.
* Plugins: Track signed files + add warn log for plugin assets
which are not signed.
* Postgres/MySQL/MSSQL: Fix region annotations not displayed correctly.
* Prometheus: Fix validate selector in metrics browser.
* Alerting: Fix saving LINE contact point.
* Annotations: Fix alerting annotation coloring.
* Annotations: Alert annotations are now visible in the correct
Panel.
* Auth: Hide SigV4 config UI and disable middleware when its
config flag is disabled.
* Dashboard: Prevent incorrect panel layout by comparing window
width against theme breakpoints.
* Elasticsearch: Fix metric names for alert queries.
* Explore: Fix showing of full log context.
* PanelEdit: Fix 'Actual' size by passing the correct panel
size to Dashboard.
* Plugins: Fix TLS datasource settings.
* Variables: Fix issue with empty drop downs on navigation.
* Variables: Fix URL util converting false into true.
* CloudWatch Logs: Fix crash when no region is selected.
* Annotations: Correct annotations that are displayed upon page refresh.
* Annotations: Fix Enabled button that disappeared from Grafana v8.0.6.
* Annotations: Fix data source template variable that was not available for annotations.
* AzureMonitor: Fix annotations query editor that does not load.
* Geomap: Fix scale calculations.
* GraphNG: Fix y-axis autosizing.
* Live: Display stream rate and fix duplicate channels in list response.
* Loki: Update labels in log browser when time range changes in dashboard.
* NGAlert: Send resolve signal to alertmanager on alerting -> Normal.
* PasswordField: Prevent a password from being displayed when you click the Enter button.
* Renderer: Remove debug.log file when Grafana is stopped.
* Docker: Fix builds by delaying go mod verify until all required files are copied over.
* Exemplars: Fix disable exemplars only on the query that failed.
* SQL: Fix SQL dataframe resampling (fill mode + time intervals).
* Alerting: Handle marshaling Inf values.
* AzureMonitor: Fix macro resolution for template variables.
* AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes
resources.
* AzureMonitor: Request and concat subsequent resource pages.
* Bug: Fix parse duration for day.
* Datasources: Improve error handling for error messages.
* Explore: Correct the functionality of shift-enter shortcut
across all uses.
* Explore: Show all dataFrames in data tab in Inspector.
* GraphNG: Fix Tooltip mode 'All' for XYChart.
* Loki: Fix highlight of logs when using filter expressions
with backticks.
* Modal: Force modal content to overflow with scroll.
* Plugins: Ignore symlinked folders when verifying plugin
signature.
* Alerting: Fix improper alert by changing the handling of
empty labels.
* CloudWatch/Logs: Reestablish Cloud Watch alert behavior.
* Dashboard: Avoid migration breaking on fieldConfig without
defaults field in folded panel.
* DashboardList: Fix issue not re-fetching dashboard list after
variable change.
* Database: Fix incorrect format of isolation level
configuration parameter for MySQL.
* InfluxDB: Correct tag filtering on InfluxDB data.
* Links: Fix links that caused a full page reload.
* Live: Fix HTTP error when InfluxDB metrics have an incomplete
or asymmetrical field set.
* Postgres/MySQL/MSSQL: Change time field to 'Time' for time
series queries.
* Postgres: Fix the handling of a null return value in query
results.
* Tempo: Show hex strings instead of uints for IDs.
* TimeSeries: Improve tooltip positioning when tooltip
overflows.
* Transformations: Add 'prepare time series' transformer.
* AzureMonitor: Fix issue where resource group name is missing
on the resource picker button.
* Chore: Fix AWS auth assuming role with workspace IAM.
* DashboardQueryRunner: Fixes unrestrained subscriptions being
created.
* DateFormats: Fix reading correct setting key for
use_browser_locale.
* Links: Fix links to other apps outside Grafana when under sub
path.
* Snapshots: Fix snapshot absolute time range issue.
* Table: Fix data link color.
* Time Series: Fix X-axis time format when tick increment is
larger than a year.
* Tooltip Plugin: Prevent tooltip render if field is undefined.
* Elasticsearch: Allow case sensitive custom options in
date_histogram interval.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* Explore: Fix import of queries between SQL data sources.
* InfluxDB: InfluxQL query editor: fix retention policy
handling.
* Loki: Send correct time range in template variable queries.
* TimeSeries: Preserve RegExp series overrides when migrating
from old graph panel.
* Annotations: Fix annotation line and marker colors.
* AzureMonitor: Fix KQL template variable queries without
default workspace.
* CloudWatch/Logs: Fix missing response data for log queries.
* Elasticsearch: Restore previous field naming strategy when
using variables.
* LibraryPanels: Fix crash in library panels list when panel
plugin is not found.
* LogsPanel: Fix performance drop when moving logs panel in
dashboard.
* Loki: Parse log levels when ANSI coloring is enabled.
* MSSQL: Fix issue with hidden queries still being executed.
* PanelEdit: Display the VisualizationPicker that was not
displayed if a panel has an unknown panel plugin.
* Plugins: Fix loading symbolically linked plugins.
* Prometheus: Fix issue where legend name was replaced with
name Value in stat and gauge panels.
* State Timeline: Fix crash when hovering over panel.
* Configuration: Fix changing org preferences in FireFox.
* PieChart: Fix legend dimension limits.
* Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.
* Variables: Hide default data source if missing from regex.
* Alerting/SSE: Fix 'count_non_null' reducer validation.
* Cloudwatch: Fix duplicated time series.
* Cloudwatch: Fix missing defaultRegion.
* Dashboard: Fix Dashboard init failed error on dashboards with
old singlestat panels in collapsed rows.
* Datasource: Fix storing timeout option as numeric.
* Postgres/MySQL/MSSQL: Fix annotation parsing for empty
responses.
* Postgres/MySQL/MSSQL: Numeric/non-string values are now
returned from query variables.
* Postgres: Fix an error that was thrown when the annotation
query did not return any results.
* StatPanel: Fix an issue with the appearance of the graph when
switching color mode.
* Visualizations: Fix an issue in the
Stat/BarGauge/Gauge/PieChart panels where all values mode
were showing the same name if they had the same value.
* AzureMonitor: Fix Azure Resource Graph queries in Azure
China.
* Checkbox: Fix vertical layout issue with checkboxes due to
fixed height.
* Dashboard: Fix Table view when editing causes the panel data
to not update.
* Dashboard: Fix issues where unsaved-changes warning is not
displayed.
* Login: Fixes Unauthorized message showing when on login page
or snapshot page.
* NodeGraph: Fix sorting markers in grid view.
* Short URL: Include orgId in generated short URLs.
* Variables: Support raw values of boolean type.
* Admin: Fix infinite loading edit on the profile page.
* Color: Fix issues with random colors in string and date
fields.
* Dashboard: Fix issue with title or folder change has no
effect after exiting settings view.
* DataLinks: Fix an issue __series.name is not working in data
link.
* Datasource: Fix dataproxy timeout should always be applied
for outgoing data source HTTP requests.
* Elasticsearch: Fix NewClient not passing httpClientProvider
to client impl.
* Explore: Fix Browser title not updated on Navigation to
Explore.
* GraphNG: Remove fieldName and hideInLegend properties from
UPlotSeriesBuilder.
* OAuth: Fix fallback to auto_assign_org_role setting for Azure
AD OAuth when no role claims exists.
* PanelChrome: Fix issue with empty panel after adding a non
data panel and coming back from panel edit.
* StatPanel: Fix data link tooltip not showing for single
value.
* Table: Fix sorting for number fields.
* Table: Have text underline for datalink, and add support for
image datalink.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* Transformations: Prevent FilterByValue transform from
crashing panel edit.
* Annotations panel: Remove subpath from dashboard links.
* Content Security Policy: Allow all image sources by default.
* Content Security Policy: Relax default template wrt. loading
of scripts, due to nonces not working.
* Datasource: Fix tracing propagation for alert execution by
introducing HTTP client outgoing tracing middleware.
* InfluxDB: InfluxQL always apply time interval end.
* Library Panels: Fixes 'error while loading library panels'.
* NewsPanel: Fixes rendering issue in Safari.
* PanelChrome: Fix queries being issued again when scrolling in
and out of view.
* Plugins: Fix Azure token provider cache panic and auth param
nil value.
* Snapshots: Fix key and deleteKey being ignored when creating
an external snapshot.
* Table: Fix issue with cell border not showing with colored
background cells.
* Table: Makes tooltip scrollable for long JSON values.
* TimeSeries: Fix for Connected null values threshold toggle
during panel editing.
* Variables: Fixes inconsistent selected states on dashboard
load.
* Variables: Refreshes all panels even if panel is full screen.
* APIKeys: Fixes issue with adding first api key.
* Alerting: Add checks for non supported units - disable
defaulting to seconds.
* Alerting: Fix issue where Slack notifications won't link to
user IDs.
* Alerting: Omit empty message in PagerDuty notifier.
* AzureMonitor: Fix migration error from older versions of App
Insights queries.
* CloudWatch: Fix AWS/Connect dimensions.
* CloudWatch: Fix broken AWS/MediaTailor dimension name.
* Dashboards: Allow string manipulation as advanced variable
format option.
* DataLinks: Includes harmless extended characters like
Cyrillic characters.
* Drawer: Fixes title overflowing its container.
* Explore: Fix issue when some query errors were not shown.
* Generic OAuth: Prevent adding duplicated users.
* Graphite: Handle invalid annotations.
* Graphite: Fix autocomplete when tags are not available.
* InfluxDB: Fix Cannot read property 'length' of undefined in
when parsing response.
* Instrumentation: Enable tracing when Jaeger host and port are
set.
* Instrumentation: Prefix metrics with grafana.
* MSSQL: By default let driver choose port.
* OAuth: Add optional strict parsing of role_attribute_path.
* Panel: Fixes description markdown with inline code being
rendered on newlines and full width.
* PanelChrome: Ignore data updates & errors for non data
panels.
* Permissions: Fix inherited folder permissions can prevent new
permissions being added to a dashboard.
* Plugins: Remove pre-existing plugin installs when installing
with grafana-cli.
* Plugins: Support installing to folders with whitespace and
fix pluginUrl trailing and leading whitespace failures.
* Postgres/MySQL/MSSQL: Don't return connection failure details
to the client.
* Postgres: Fix ms precision of interval in time group macro
when TimescaleDB is enabled.
* Provisioning: Use dashboard checksum field as change
indicator.
* SQL: Fix so that all captured errors are returned from sql
engine.
* Shortcuts: Fixes panel shortcuts so they always work.
* Table: Fixes so border is visible for cells with links.
* Variables: Clear query when data source type changes.
* Variables: Filters out builtin variables from unknown list.
* Variables: Refreshes all panels even if panel is full screen.
* Alerting: Fix NoDataFound for alert rules using AND operator.
- Features and enhancements:
* Alerting: Allow configuration of non-ready alertmanagers.
* Alerting: Allow customization of Google chat message.
* AppPlugins: Support app plugins with only default nav.
* InfluxDB: query editor: skip fields in metadata queries.
* Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user cancels query in grafana.
* Prometheus: Forward oauth tokens after prometheus datasource migration.
* BarChart: Use new data error view component to show actions in panel edit.
* CloudMonitor: Iterate over pageToken for resources.
* Macaron: Prevent WriteHeader invalid HTTP status code panic
* Alerting: Prevent folders from being deleted when they contain alerts.
* Alerting: Show full preview value in tooltip.
* BarGauge: Limit title width when name is really long.
* CloudMonitoring: Avoid to escape regexps in filters.
* CloudWatch: Add support for AWS Metric Insights.
* TooltipPlugin: Remove other panels' shared tooltip in edit panel.
* Visualizations: Limit y label width to 40% of visualization width.
* Alerting: Create DatasourceError alert if evaluation returns error.
* Alerting: Make Unified Alerting enabled by default for those who do not use legacy alerting.
* Alerting: Support mute timings configuration through the api for the embedded alert manager.
* CloudWatch: Add missing AWS/Events metrics.
* Docs: Add easier to find deprecation notices to certain data sources and to the changelog.
* Plugins Catalog: Enable install controls based on the pluginAdminEnabled flag.
* Table: Add space between values for the DefaultCell and JSONViewCell.
* Tracing: Make query editors available in dashboard for Tempo and Zipkin.
* Alerting: Add UI for contact point testing with custom annotations and labels.
* Alerting: Make alert state indicator in panel header work with Grafana 8 alerts.
* Alerting: Option for Discord notifier to use webhook name.
* Annotations: Deprecate AnnotationsSrv.
* Auth: Omit all base64 paddings in JWT tokens for the JWT auth.
* Azure Monitor: Clean up fields when editing Metrics.
* AzureMonitor: Add new starter dashboards.
* AzureMonitor: Add starter dashboard for app monitoring with Application Insights.
* Barchart/Time series: Allow x axis label.
* CLI: Improve error handling for installing plugins.
* CloudMonitoring: Migrate to use backend plugin SDK contracts.
* CloudWatch Logs: Add retry strategy for hitting max concurrent queries.
* CloudWatch: Add AWS RoboMaker metrics and dimension.
* CloudWatch: Add AWS Transfer metrics and dimension.
* Dashboard: replace datasource name with a reference object.
* Dashboards: Show logs on time series when hovering.
* Elasticsearch: Add support for Elasticsearch 8.0 (Beta).
* Elasticsearch: Add time zone setting to Date Histogram aggregation.
* Elasticsearch: Enable full range log volume histogram.
* Elasticsearch: Full range logs volume.
* Explore: Allow changing the graph type.
* Explore: Show ANSI colors when highlighting matched words in the logs panel.
* Graph(old) panel: Listen to events from Time series panel.
* Import: Load gcom dashboards from URL.
* LibraryPanels: Improves export and import of library panels between orgs.
* OAuth: Support PKCE.
* Panel edit: Overrides now highlight correctly when searching.
* PanelEdit: Display drag indicators on draggable sections.
* Plugins: Refactor Plugin Management.
* Prometheus: Add custom query parameters when creating PromLink url.
* Prometheus: Remove limits on metrics, labels, and values in Metrics Browser.
* StateTimeline: Share cursor with rest of the panels.
* Tempo: Add error details when json upload fails.
* Tempo: Add filtering for service graph query.
* Tempo: Add links to nodes in Service Graph pointing to Prometheus metrics.
* Time series/Bar chart panel: Add ability to sort series via legend.
* TimeSeries: Allow multiple axes for the same unit.
* TraceView: Allow span links defined on dataFrame.
* Transformations: Support a rows mode in labels to fields.
* ValueMappings: Don't apply field config defaults to time fields.
* Variables: Only update panels that are impacted by variable change.
* Annotations: We have improved tag search performance.
* Application: You can now configure an error-template title.
* AzureMonitor: We removed a restriction from the resource filter query.
* Packaging: We removed the ProcSubset option in systemd. This option prevented Grafana from starting in
LXC environments.
* Prometheus: We removed the autocomplete limit for metrics.
* Table: We improved the styling of the type icons to make them more distinct from column / field name.
* ValueMappings: You can now use value mapping in stat, gauge, bar gauge, and pie chart visualizations.
* AWS: Updated AWS authentication documentation.
* Alerting: Added support Alertmanager data source for upstream Prometheus AM implementation.
* Alerting: Allows more characters in label names so notifications are sent.
* Alerting: Get alert rules for a dashboard or a panel using `/api/v1/rules` endpoints.
* Annotations: Improved rendering performance of event markers.
* CloudWatch Logs: Skip caching for log queries.
* Explore: Added an opt-in configuration for Node Graph in Jaeger, Zipkin, and Tempo.
* Packaging: Add stricter systemd unit options.
* Prometheus: Metrics browser can now handle label values with special characters.
* AccessControl: Document new permissions restricting data source access.
* TimePicker: Add fiscal years and search to time picker.
* Alerting: Added support for Unified Alerting with Grafana HA.
* Alerting: Added support for tune rule evaluation using configuration options.
* Alerting: Cleanups alertmanager namespace from key-value store when disabling Grafana 8 alerts.
* Alerting: Remove ngalert feature toggle and introduce two new settings for enabling Grafana 8 alerts and
disabling them for specific organisations.
* CloudWatch: Introduced new math expression where it is necessary to specify the period field.
* InfluxDB: Added support for `$__interval` and `$__interval_ms` inFlux queries for alerting.
* InfluxDB: Flux queries can use more precise start and end timestamps with nanosecond-precision.
* Plugins Catalog: Make the catalog the default way to interact with plugins.
* Prometheus: Removed autocomplete limit for metrics.
* AccessControl: Introduce new permissions to restrict access for reloading provisioning configuration.
* Alerting: Add UI to edit Cortex/Loki namespace, group names, and group evaluation interval.
* Alerting: Add a Test button to test contact point.
* Alerting: Allow creating/editing recording rules for Loki and Cortex.
* Alerting: Metrics should have the label org instead of user.
* Alerting: Sort notification channels by name to make them easier to locate.
* Alerting: Support org level isolation of notification configuration.
* AzureMonitor: Add data links to deep link to Azure Portal Azure Resource Graph.
* AzureMonitor: Add support for annotations from Azure Monitor Metrics and Azure Resource Graph services.
* AzureMonitor: Show error message when subscriptions request fails in ConfigEditor.
* CloudWatch Logs: Add link to X-Ray data source for trace IDs in logs.
* CloudWatch Logs: Disable query path using websockets (Live) feature.
* CloudWatch/Logs: Don't group dataframes for non time series queries.
* Cloudwatch: Migrate queries that use multiple stats to one query per stat.
* Dashboard: Keep live timeseries moving left (v2).
* Datasources: Introduce response_limit for datasource responses.
* Explore: Add filter by trace or span ID to trace to logs feature.
* Explore: Download traces as JSON in Explore Inspector.
* Explore: Reuse Dashboard's QueryRows component.
* Explore: Support custom display label for derived fields buttons for Loki datasource.
* Grafana UI: Update monaco-related dependencies.
* Graphite: Deprecate browser access mode.
* InfluxDB: Improve handling of intervals in alerting.
* InfluxDB: InfluxQL query editor: Handle unusual characters in tag values better.
* Jaeger: Add ability to upload JSON file for trace data.
* LibraryElements: Enable specifying UID for new and existing library elements.
* LibraryPanels: Remove library panel icon from the panel header so you can no longer tell that a panel is a
library panel from the dashboard view.
* Logs panel: Scroll to the bottom on page refresh when sorting in ascending order.
* Loki: Add fuzzy search to label browser.
* Navigation: Implement active state for items in the Sidemenu.
* Packaging: Add stricter systemd unit options.
* Packaging: Update PID file location from /var/run to /run.
* Plugins: Add Hide OAuth Forward config option.
* Postgres/MySQL/MSSQL: Add setting to limit the maximum number of rows processed.
* Prometheus: Add browser access mode deprecation warning.
* Prometheus: Add interpolation for built-in-time variables to backend.
* Tempo: Add ability to upload trace data in JSON format.
* TimeSeries/XYChart: Allow grid lines visibility control in XYChart and TimeSeries panels.
* Transformations: Convert field types to time string number or boolean.
* Value mappings: Add regular-expression based value mapping.
* Zipkin: Add ability to upload trace JSON.
* Explore: Ensure logs volume bar colors match legend colors.
* LDAP: Search all DNs for users.
* AzureMonitor: Add support for PostgreSQL and MySQL Flexible Servers.
* Datasource: Change HTTP status code for failed datasource
health check to 400.
* Explore: Add span duration to left panel in trace viewer.
* Plugins: Use file extension allowlist when serving plugin
assets instead of checking for UNIX executable.
* Profiling: Add support for binding pprof server to custom
network interfaces.
* Search: Make search icon keyboard navigable.
* Template variables: Keyboard navigation improvements.
* Tooltip: Display ms within minute time range.
* Alerting: Deduplicate receivers during migration.
* ColorPicker: Display colors as RGBA.
* Select: Make portalling the menu opt-in, but opt-in everywhere.
* TimeRangePicker: Improve accessibility.
* Alerting: Support label matcher syntax in alert rule list filter.
* IconButton: Put tooltip text as aria-label.
* Live: Experimental HA with Redis.
* UI: FileDropzone component.
* CloudWatch: Add AWS LookoutMetrics.
* Alerting: Expand the value string in alert annotations and labels.
* Auth: Add Azure HTTP authentication middleware.
* Auth: Auth: Pass user role when using the authentication proxy.
* Gazetteer: Update countries.json file to allow for linking to 3-letter country codes.
* Alerting: Add Alertmanager notifications tab.
* Alerting: Add button to deactivate current Alertmanager
configuration.
* Alerting: Add toggle in Loki/Prometheus data source
configuration to opt out of alerting UI.
* Alerting: Allow any 'evaluate for' value >=0 in the alert
rule form.
* Alerting: Load default configuration from status endpoint, if
Cortex Alertmanager returns empty user configuration.
* Alerting: view to display alert rule and its underlying data.
* Annotation panel: Release the annotation panel.
* Annotations: Add typeahead support for tags in built-in
annotations.
* AzureMonitor: Add curated dashboards for Azure services.
* AzureMonitor: Add support for deep links to Microsoft Azure
portal for Metrics.
* AzureMonitor: Remove support for different credentials for
Azure Monitor Logs.
* AzureMonitor: Support querying any Resource for Logs queries.
* Elasticsearch: Add frozen indices search support.
* Elasticsearch: Name fields after template variables values
instead of their name.
* Elasticsearch: add rate aggregation.
* Email: Allow configuration of content types for email
notifications.
* Explore: Add more meta information when line limit is hit.
* Explore: UI improvements to trace view.
* FieldOverrides: Added support to change display name in an
override field and have it be matched by a later rule.
* HTTP Client: Introduce dataproxy_max_idle_connections config
variable.
* InfluxDB: InfluxQL: adds tags to timeseries data.
* InfluxDB: InfluxQL: make measurement search case insensitive.
Legacy Alerting: Replace simplejson with a struct in webhook
notification channel.
* Legend: Updates display name for Last (not null) to just
Last*.
* Logs panel: Add option to show common labels.
* Loki: Add $__range variable.
* Loki: Add support for 'label_values(log stream selector,
label)' in templating.
* Loki: Add support for ad-hoc filtering in dashboard.
* MySQL Datasource: Add timezone parameter.
* NodeGraph: Show gradient fields in legend.
* PanelOptions: Don't mutate panel options/field config object
when updating.
* PieChart: Make pie gradient more subtle to match other
charts.
* Prometheus: Update PromQL typeahead and highlighting.
* Prometheus: interpolate variable for step field.
* Provisioning: Improve validation by validating across all
dashboard providers.
* SQL Datasources: Allow multiple string/labels columns with
time series.
* Select: Portal select menu to document.body.
* Team Sync: Add group mapping to support team sync in the
Generic OAuth provider.
* Tooltip: Make active series more noticeable.
* Tracing: Add support to configure trace to logs start and end
time.
* Transformations: Skip merge when there is only a single data
frame.
* ValueMapping: Added support for mapping text to color,
boolean values, NaN and Null. Improved UI for value mapping.
* Visualizations: Dynamically set any config (min, max, unit,
color, thresholds) from query results.
* live: Add support to handle origin without a value for the
port when matching with root_url.
* Alerting: Add annotation upon alert state change.
* Alerting: Allow space in label and annotation names.
* InfluxDB: Improve legend labels for InfluxDB query results.
* Cloudwatch Logs: Send error down to client.
* Folders: Return 409 Conflict status when folder already
exists.
* TimeSeries: Do not show series in tooltip if it's hidden in
the viz.
* Live: Rely on app url for origin check.
* PieChart: Sort legend descending, update placeholder.
* TimeSeries panel: Do not reinitialize plot when thresholds
mode change.
* Alerting: Increase alertmanager_conf column if MySQL.
* Time series/Bar chart panel: Handle infinite numbers as nulls
when converting to plot array.
* TimeSeries: Ensure series overrides that contain color are
migrated, and migrate the previous fieldConfig when changing
the panel type.
* ValueMappings: Improve singlestat value mappings migration.
* Datasource: Add support for max_conns_per_host in dataproxy
settings.
* AzureMonitor: Require default subscription for workspaces()
template variable query.
* AzureMonitor: Use resource type display names in the UI.
* Dashboard: Remove support for loading and deleting dashboard
by slug.
* InfluxDB: Deprecate direct browser access in data source.
* VizLegend: Add a read-only property.
* API: Support folder UID in dashboards API.
* Alerting: Add support for configuring avatar URL for the
Discord notifier.
* Alerting: Clarify that Threema Gateway Alerts support only
Basic IDs.
* Azure: Expose Azure settings to external plugins.
* AzureMonitor: Deprecate using separate credentials for Azure
Monitor Logs.
* AzureMonitor: Display variables in resource picker for Azure
Monitor Logs.
* AzureMonitor: Hide application insights for data sources not
using it.
* AzureMonitor: Support querying subscriptions and resource
groups in Azure Monitor Logs.
* AzureMonitor: remove requirement for default subscription.
* CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.
* CloudWatch: Add missing AWS AppSync metrics.
* ConfirmModal: Auto focus delete button.
* Explore: Add caching for queries that are run from logs
navigation.
* Loki: Add formatting for annotations.
* Loki: Bring back processed bytes as meta information.
* NodeGraph: Display node graph collapsed by default with trace
view.
* Overrides: Include a manual override option to hide something
from visualization.
* PieChart: Support row data in pie charts.
* Prometheus: Update default HTTP method to POST for existing
data sources.
* Time series panel: Position tooltip correctly when window is
scrolled or resized.
* AppPlugins: Expose react-router to apps.
* AzureMonitor: Add Azure Resource Graph.
* AzureMonitor: Managed Identity configuration UI.
* AzureMonitor: Token provider with support for Managed
Identities.
* AzureMonitor: Update Logs workspace() template variable query
to return resource URIs.
* BarChart: Value label sizing.
* CloudMonitoring: Add support for preprocessing.
* CloudWatch: Add AWS/EFS StorageBytes metric.
* CloudWatch: Allow use of missing AWS namespaces using custom
metrics.
* Datasource: Shared HTTP client provider for core backend data
sources and any data source using the data source proxy.
* InfluxDB: InfluxQL: allow empty tag values in the query
editor.
* Instrumentation: Instrument incoming HTTP request with
histograms by default.
* Library Panels: Add name endpoint & unique name validation to
AddLibraryPanelModal.
* Logs panel: Support details view.
* PieChart: Always show the calculation options dropdown in the
editor.
* PieChart: Remove beta flag.
* Plugins: Enforce signing for all plugins.
* Plugins: Remove support for deprecated backend plugin
protocol version.
* Tempo/Jaeger: Add better display name to legend.
* Timeline: Add time range zoom.
* Timeline: Adds opacity & line width option.
* Timeline: Value text alignment option.
* ValueMappings: Add duplicate action, and disable dismiss on
backdrop click.
* Zipkin: Add node graph view to trace response.
* API: Add org users with pagination.
* API: Return 404 when deleting nonexistent API key.
* API: Return query results as JSON rather than base64 encoded
Arrow.
* Alerting: Allow sending notification tags to Opsgenie as
extra properties.
* Alerts: Replaces all uses of InfoBox & FeatureInfoBox with
Alert.
* Auth: Add support for JWT Authentication.
* AzureMonitor: Add support for
Microsoft.SignalRService/SignalR metrics.
* AzureMonitor: Azure settings in Grafana server config.
* AzureMonitor: Migrate Metrics query editor to React.
* BarChart panel: enable series toggling via legend.
* BarChart panel: Adds support for Tooltip in BarChartPanel.
* PieChart panel: Change look of highlighted pie slices.
* CloudMonitoring: Migrate config editor from angular to react.
* CloudWatch: Add Amplify Console metrics and dimensions.
* CloudWatch: Add missing Redshift metrics to CloudWatch data
source.
* CloudWatch: Add metrics for managed RabbitMQ service.
* DashboardList: Enable templating on search tag input.
* Datasource config: correctly remove single custom http
header.
* Elasticsearch: Add generic support for template variables.
* Elasticsearch: Allow omitting field when metric supports
inline script.
* Elasticsearch: Allow setting a custom limit for log queries.
* Elasticsearch: Guess field type from first non-empty value.
* Elasticsearch: Use application/x-ndjson content type for
multisearch requests.
* Elasticsearch: Use semver strings to identify ES version.
* Explore: Add logs navigation to request more logs.
* Explore: Map Graphite queries to Loki.
* Explore: Scroll split panes in Explore independently.
* Explore: Wrap each panel in separate error boundary.
* FieldDisplay: Smarter naming of stat values when visualising
row values (all values) in stat panels.
* Graphite: Expand metric names for variables.
* Graphite: Handle unknown Graphite functions without breaking
the visual editor.
* Graphite: Show graphite functions descriptions.
* Graphite: Support request cancellation properly (Uses new
backendSrv.fetch Observable request API).
* InfluxDB: Flux: Improve handling of complex
response-structures.
* InfluxDB: Support region annotations.
* Inspector: Download logs for manual processing.
* Jaeger: Add node graph view for trace.
* Jaeger: Search traces.
* Loki: Use data source settings for alerting queries.
* NodeGraph: Exploration mode.
* OAuth: Add support for empty scopes.
* PanelChrome: New logic-less emotion based component with no
dependency on PanelModel or DashboardModel.
* PanelEdit: Adds a table view toggle to quickly view data in
table form.
* PanelEdit: Highlight matched words when searching options.
* PanelEdit: UX improvements.
* Plugins: PanelRenderer and simplified QueryRunner to be used
from plugins.
* Plugins: AuthType in route configuration and params
interpolation.
* Plugins: Enable plugin runtime install/uninstall
capabilities.
* Plugins: Support set body content in plugin routes.
* Plugins: Introduce marketplace app.
* Plugins: Moving the DataSourcePicker to grafana/runtime so it
can be reused in plugins.
* Prometheus: Add custom query params for alert and exemplars
queries.
* Prometheus: Use fuzzy string matching to autocomplete metric
names and label.
* Routing: Replace Angular routing with react-router.
* Slack: Use chat.postMessage API by default.
* Tempo: Search for Traces by querying Loki directly from
Tempo.
* Tempo: Show graph view of the trace.
* Themes: Switch theme without reload using global shortcut.
* TimeSeries panel: Add support for shared cursor.
* TimeSeries panel: Do not crash the panel if there is no time
series data in the response.
* Variables: Do not save repeated panels, rows and scopedVars.
* Variables: Removes experimental Tags feature.
* Variables: Removes the never refresh option.
* Visualizations: Unify tooltip options across visualizations.
* Visualizations: Refactor and unify option creation between
new visualizations.
* Visualizations: Remove singlestat panel.
- Plugin development fixes & changes:
* Toolkit: Revert build config so tslib is bundled with plugins to prevent plugins from crashing.
* Select: Select menus now properly scroll during keyboard navigation.
* grafana/ui: Enable slider marks display.
* Plugins: Create a mock icon component to prevent console errors.
* Grafana UI: Fix TS error property css is missing in type.
* Toolkit: Fix matchMedia not found error.
* Toolkit: Improve error messages when tasks fail.
* Toolkit: Resolve external fonts when Grafana is served from a
sub path.
* QueryField: Remove carriage return character from pasted text.
* Button: Introduce buttonStyle prop.
* DataQueryRequest: Remove deprecated props showingGraph and showingTabel and exploreMode.
* grafana/ui: Update React Hook Form to v7.
* IconButton: Introduce variant for red and blue icon buttons.
* Plugins: Expose the getTimeZone function to be able to get the current selected timeZone.
* TagsInput: Add className to TagsInput.
* VizLegend: Move onSeriesColorChanged to PanelContext (breaking change).
* Update to Go 1.17.
* Add build-time dependency on `wire`.
| Advisory ID | SUSE-RU-2022:1451-1
|
| Released | Thu Apr 28 10:47:22 2022 |
| Summary | Recommended update for perl |
| Type | recommended |
| Severity | moderate |
| References | 1193489 |
Description:
This update for perl fixes the following issues:
- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)
| Advisory ID | SUSE-RU-2022:1626-1
|
| Released | Tue May 10 15:55:13 2022 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1198090,1198114 |
Description:
This update for systemd fixes the following issues:
- tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
- journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
- tmpfiles: constify item_compatible() parameters
- test tmpfiles: add a test for 'w+'
- test: add test checking tmpfiles conf file precedence
- journald: make use of CLAMP() in cache_space_refresh()
- journal-file: port journal_file_open() to openat_report_new()
- fs-util: make sure openat_report_new() initializes return param also on shortcut
- fs-util: fix typos in comments
- fs-util: add openat_report_new() wrapper around openat()
| Advisory ID | SUSE-RU-2022:1655-1
|
| Released | Fri May 13 15:36:10 2022 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1197794 |
Description:
This update for pam fixes the following issue:
- Do not include obsolete header files (bsc#1197794)
| Advisory ID | SUSE-SU-2022:1657-1
|
| Released | Fri May 13 15:39:07 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1198614,1198723,1198766,CVE-2022-22576,CVE-2022-27775,CVE-2022-27776 |
Description:
This update for curl fixes the following issues:
- CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
- CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
- CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)
| Advisory ID | SUSE-RU-2022:1658-1
|
| Released | Fri May 13 15:40:20 2022 |
| Summary | Recommended update for libpsl |
| Type | recommended |
| Severity | important |
| References | 1197771 |
Description:
This update for libpsl fixes the following issues:
- Fix libpsl compilation issues (bsc#1197771)
| Advisory ID | SUSE-SU-2022:1670-1
|
| Released | Mon May 16 10:06:30 2022 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1199240,CVE-2022-29155 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
| Advisory ID | SUSE-SU-2022:1688-1
|
| Released | Mon May 16 14:02:49 2022 |
| Summary | Security update for e2fsprogs |
| Type | security |
| Severity | important |
| References | 1198446,CVE-2022-1304 |
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
| Advisory ID | SUSE-RU-2022:1691-1
|
| Released | Mon May 16 15:13:39 2022 |
| Summary | Recommended update for augeas |
| Type | recommended |
| Severity | moderate |
| References | 1197443 |
Description:
This update for augeas fixes the following issue:
- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)
| Advisory ID | SUSE-SU-2022:1750-1
|
| Released | Thu May 19 15:28:20 2022 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | important |
| References | 1196490,1199132,CVE-2022-23308,CVE-2022-29824 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).
| Advisory ID | SUSE-SU-2022:1870-1
|
| Released | Fri May 27 10:03:40 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1199223,1199224,CVE-2022-27781,CVE-2022-27782 |
Description:
This update for curl fixes the following issues:
- CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
- CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)
| Advisory ID | SUSE-RU-2022:1887-1
|
| Released | Tue May 31 09:24:18 2022 |
| Summary | Recommended update for grep |
| Type | recommended |
| Severity | moderate |
| References | 1040589 |
Description:
This update for grep fixes the following issues:
- Make profiling deterministic. (bsc#1040589, SLE-24115)
| Advisory ID | SUSE-RU-2022:1899-1
|
| Released | Wed Jun 1 10:43:22 2022 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | important |
| References | 1198176 |
Description:
This update for libtirpc fixes the following issues:
- Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)
| Advisory ID | SUSE-RU-2022:1909-1
|
| Released | Wed Jun 1 16:25:35 2022 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1198751 |
Description:
This update for glibc fixes the following issues:
- Add the correct name for the IBM Z16 (bsc#1198751).
| Advisory ID | SUSE-RU-2022:2019-1
|
| Released | Wed Jun 8 16:50:07 2022 |
| Summary | Recommended update for gcc11 |
| Type | recommended |
| Severity | moderate |
| References | 1192951,1193659,1195283,1196861,1197065 |
Description:
This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.
- includes SLS hardening backport on x86_64. [bsc#1195283]
- includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
- fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
- use --with-cpu rather than specifying --with-arch/--with-tune
- Fix D memory corruption in -M output.
- Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
- fixes issue with debug dumping together with -o /dev/null
- fixes libgccjit issue showing up in emacs build [bsc#1192951]
- Package mwaitintrin.h
| Advisory ID | SUSE-RU-2022:2025-1
|
| Released | Thu Jun 9 10:13:50 2022 |
| Summary | Recommended update for grafana-status-panel |
| Type | recommended |
| Severity | low |
| References | 1198768 |
Description:
This update for grafana-status-panel fixes the following issues:
- Update to version 1.0.11, signed for use with grafana v8.x (bsc#1198768)
| Advisory ID | SUSE-SU-2022:2251-1
|
| Released | Mon Jul 4 09:52:25 2022 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | moderate |
| References | 1185637,1199166,1200550,CVE-2022-1292,CVE-2022-2068 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
| Advisory ID | SUSE-SU-2022:2327-1
|
| Released | Thu Jul 7 15:06:13 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1200735,1200737,CVE-2022-32206,CVE-2022-32208 |
Description:
This update for curl fixes the following issues:
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
| Advisory ID | SUSE-SU-2022:2328-1
|
| Released | Thu Jul 7 15:07:35 2022 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1201099,CVE-2022-2097 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).
| Advisory ID | SUSE-SU-2022:2361-1
|
| Released | Tue Jul 12 12:05:01 2022 |
| Summary | Security update for pcre |
| Type | security |
| Severity | important |
| References | 1199232,CVE-2022-1586 |
Description:
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
| Advisory ID | SUSE-RU-2022:2406-1
|
| Released | Fri Jul 15 11:49:01 2022 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1197718,1199140,1200334,1200855 |
Description:
This update for glibc fixes the following issues:
- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)
This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).
| Advisory ID | SUSE-RU-2022:2470-1
|
| Released | Thu Jul 21 04:40:14 2022 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | important |
| References | 1137373,1181658,1194708,1195157,1197570,1198507,1198732,1200170 |
Description:
This update for systemd fixes the following issues:
- Allow control characters in environment variable values (bsc#1200170)
- Call pam_loginuid when creating user@.service (bsc#1198507)
- Fix parsing error in s390 udev rules conversion script (bsc#1198732)
- Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
- Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit
- Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'
- basic/env-util: (mostly) follow POSIX for what variable names are allowed
- basic/env-util: make function shorter
- basic/escape: add mode where empty arguments are still shown as ''
- basic/escape: always escape newlines in shell_escape()
- basic/escape: escape control characters, but not utf-8, in shell quoting
- basic/escape: use consistent location for '*' in function declarations
- basic/string-util: inline iterator variable declarations
- basic/string-util: simplify how str_realloc() is used
- basic/string-util: split out helper function
- core/device: device_coldplug(): don't set DEVICE_DEAD
- core/device: do not downgrade device state if it is already enumerated
- core/device: drop unnecessary condition
- string-util: explicitly cast character to unsigned
- string-util: fix build error on aarch64
- test-env-util: Verify that \r is disallowed in env var values
- test-env-util: print function headers
| Advisory ID | SUSE-RU-2022:2494-1
|
| Released | Thu Jul 21 15:16:42 2022 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | important |
| References | 1200855,1201560,1201640 |
Description:
This update for glibc fixes the following issues:
- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)
| Advisory ID | SUSE-SU-2022:2546-1
|
| Released | Mon Jul 25 14:43:22 2022 |
| Summary | Security update for gpg2 |
| Type | security |
| Severity | important |
| References | 1196125,1201225,CVE-2022-34903 |
Description:
This update for gpg2 fixes the following issues:
- CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
- Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)
| Advisory ID | SUSE-RU-2022:2572-1
|
| Released | Thu Jul 28 04:22:33 2022 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1194550,1197684,1199042 |
Description:
This update for libzypp, zypper fixes the following issues:
libzypp:
- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only
- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were
removed at the beginning of the repo.
- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
zypper:
- Basic JobReport for 'cmdout/monitor'
- versioncmp: if verbose, also print the edition 'parts' which are compared
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally
- Honor the NO_COLOR environment variable when auto-detecting whether to use color
- Define table columns which should be sorted natural [case insensitive]
- lr/ls: Use highlight color on name and alias as well
| Advisory ID | SUSE-SU-2022:2614-1
|
| Released | Mon Aug 1 10:41:04 2022 |
| Summary | Security update for dwarves and elfutils |
| Type | security |
| Severity | moderate |
| References | 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1082318,1104264,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7146,CVE-2019-7148,CVE-2019-7149,CVE-2019-7150,CVE-2019-7664,CVE-2019-7665 |
Description:
This update for dwarves and elfutils fixes the following issues:
elfutils was updated to version 0.177 (jsc#SLE-24501):
- elfclassify: New tool to analyze ELF objects.
- readelf: Print DW_AT_data_member_location as decimal offset.
Decode DW_AT_discr_list block attributes.
- libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias.
- libdwelf: Add dwelf_elf_e_machine_string.
dwelf_elf_begin now only returns NULL when there is an error
reading or decompressing a file. If the file is not an ELF file
an ELF handle of type ELF_K_NONE is returned.
- backends: Add support for C-SKY.
Update to version 0.176:
- build: Add new --enable-install-elfh option.
Do NOT use this for system installs (it overrides glibc elf.h).
- backends: riscv improved core file and return value location support.
- Fixes:
- CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007)
Update to version 0.175:
readelf: Handle mutliple .debug_macro sections.
Recognize and parse GNU Property, NT_VERSION and
GNU Build Attribute ELF Notes.
strip: Handle SHT_GROUP correctly.
Add strip --reloc-debug-sections-only option.
Handle relocations against GNU compressed sections.
libdwelf: New function dwelf_elf_begin.
libcpu: Recognize bpf jump variants BPF_JLT, BPF_JLE, BPF_JSLT
and BPF_JSLE.
backends: RISCV handles ADD/SUB relocations.
Handle SHT_X86_64_UNWIND.
- CVE-2018-18521: arlib: Divide-by-zero vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2018-18310: Invalid Address Read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: eu-size: Bad handling of ar files inside are files (bsc#1112726)
Update to version 0.174:
libelf, libdw and all tools now handle extended shnum and
shstrndx correctly.
elfcompress: Don't rewrite input file if no section data needs
updating. Try harder to keep same file mode bits
(suid) on rewrite.
strip: Handle mixed (out of order) allocated/non-allocated sections.
unstrip: Handle SHT_GROUP sections.
backends: RISCV and M68K now have backend implementations to
generate CFI based backtraces.
Fixes:
- CVE-2018-16402: libelf: denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) Double-free crash in nm and readelf
- CVE-2018-16403: heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-16062: heap-buffer-overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
Update to version 0.173:
More fixes for crashes and hangs found by afl-fuzz. In particular various
functions now detect and break infinite loops caused by bad DIE tree cycles.
readelf: Will now lookup the size and signedness of constant value types
to display them correctly (and not just how they were encoded).
libdw: New function dwarf_next_lines to read CU-less .debug_line data.
dwarf_begin_elf now accepts ELF files containing just .debug_line
or .debug_frame sections (which can be read without needing a DIE
tree from the .debug_info section).
Removed dwarf_getscn_info, which was never implemented.
backends: Handle BPF simple relocations.
The RISCV backends now handles ABI specific CFI and knows about
RISCV register types and names.
Update to version 0.172:
Various bug fixes in libdw and eu-readelf dealing with bad DWARF5 data.
Thanks to running the afl fuzzer on eu-readelf and various testcases.
Update to version 0.171:
DWARF5 and split dwarf, including GNU DebugFission, are supported now.
Data can be read from the new DWARF sections .debug_addr, .debug_line_str,
.debug_loclists, .debug_str_offsets and .debug_rnglists. Plus the new
DWARF5 and GNU DebugFission encodings of the existing .debug sections.
Also in split DWARF .dwo (DWARF object) files. This support is mostly
handled by existing functions (dwarf_getlocation*, dwarf_getsrclines,
dwarf_ranges, dwarf_form*, etc.) now returning the data from the new
sections and data formats. But some new functions have been added
to more easily get information about skeleton and split compile units
(dwarf_get_units and dwarf_cu_info), handle new attribute data
(dwarf_getabbrevattr_data) and to keep references to Dwarf_Dies
that might come from different sections or files (dwarf_die_addr_die).
Not yet supported are .dwp (Dwarf Package) and .sup (Dwarf Supplementary)
files, the .debug_names index, the .debug_cu_index and .debug_tu_index
sections. Only a single .debug_info (and .debug_types) section are
currently handled.
readelf: Handle all new DWARF5 sections.
--debug-dump=info+ will show split unit DIEs when found.
--dwarf-skeleton can be used when inspecting a .dwo file.
Recognizes GNU locviews with --debug-dump=loc.
libdw: New functions dwarf_die_addr_die, dwarf_get_units,
dwarf_getabbrevattr_data and dwarf_cu_info.
libdw will now try to resolve the alt file on first use of
an alt attribute FORM when not set yet with dwarf_set_alt.
dwarf_aggregate_size() now works with multi-dimensional arrays.
libdwfl: Use process_vm_readv when available instead of ptrace.
backends: Add a RISC-V backend.
There were various improvements to build on Windows.
The sha1 and md5 implementations have been removed, they weren't used.
Update to version 0.170:
- libdw: Added new DWARF5 attribute, tag, character encoding, language code,
calling convention, defaulted member function and macro constants
to dwarf.h.
New functions dwarf_default_lower_bound and dwarf_line_file.
dwarf_peel_type now handles DWARF5 immutable, packed and shared tags.
dwarf_getmacros now handles DWARF5 .debug_macro sections.
strip: Add -R, --remove-section=SECTION and --keep-section=SECTION.
backends: The bpf disassembler is now always build on all platforms.
Update to version 0.169:
- backends: Add support for EM_PPC64 GNU_ATTRIBUTES.
Frame pointer unwinding fallback support for i386, x86_64, aarch64.
- translations: Update Polish translation.
- CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088)
- CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084)
- CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085)
- CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090)
- CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089)
- Don't make elfutils recommend elfutils-lang as elfutils-lang
already supplements elfutils.
dwarves is shipped new in version 1.22 to provide tooling for use by the Linux Kernel BTF verification framework.
| Advisory ID | SUSE-SU-2022:2717-1
|
| Released | Tue Aug 9 12:54:16 2022 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | moderate |
| References | 1198627,CVE-2022-29458 |
Description:
This update for ncurses fixes the following issues:
- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).
| Advisory ID | SUSE-OU-2022:2795-1
|
| Released | Fri Aug 12 12:50:56 2022 |
| Summary | Optional update for SUSE Package Hub |
| Type | optional |
| Severity | moderate |
| References | 1201760 |
Description:
This optional update provides the following changes:
- Fix grafana missing binaries in SUSE Linux Enterprise Desktop 15 Service Pack 4 via PackageHub (bsc#1201055)
- Affected source packages: grafana grafana-piechart-panel grafana-status-panel system-user-grafana
| Advisory ID | SUSE-SU-2022:2817-1
|
| Released | Tue Aug 16 12:03:46 2022 |
| Summary | Security update for ceph |
| Type | security |
| Severity | important |
| References | 1194131,1194875,1195359,1196044,1196733,1196785,1200064,1200553,CVE-2021-3979 |
Description:
This update for ceph fixes the following issues:
- Update to 16.2.9-536-g41a9f9a5573:
+ (bsc#1195359, bsc#1200553) rgw: check bucket shard init status in RGWRadosBILogTrimCR
+ (bsc#1194131) ceph-volume: honour osd_dmcrypt_key_size option (CVE-2021-3979)
- Update to 16.2.9-158-gd93952c7eea:
+ cmake: check for python(\d)\.(\d+) when building boost
+ make-dist: patch boost source to support python 3.10
- Update to ceph-16.2.9-58-ge2e5cb80063:
+ (bsc#1200064, pr#480) Remove last vestiges of docker.io image paths
- Update to 16.2.9.50-g7d9f12156fb:
+ (jsc#SES-2515) High-availability NFS export
+ (bsc#1196044) cephadm: prometheus: The generatorURL in alerts is only using hostname
+ (bsc#1196785) cephadm: avoid crashing on expected non-zero exit
- Update to 16.2.7-969-g6195a460d89
+ (jsc#SES-2515) High-availability NFS export
- Update to v16.2.7-654-gd5a90ff46f0
+ (bsc#1196733) remove build directory during %clean
- Update to v16.2.7-652-gf5dc462fdb5
+ (bsc#1194875) [SES7P] include/buffer: include memory
| Advisory ID | SUSE-RU-2022:2904-1
|
| Released | Fri Aug 26 05:28:34 2022 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1198341 |
Description:
This update for openldap2 fixes the following issues:
- Prevent memory reuse which may lead to instability (bsc#1198341)
| Advisory ID | SUSE-RU-2022:2921-1
|
| Released | Fri Aug 26 15:17:43 2022 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | important |
| References | 1195059 |
Description:
This update for systemd fixes the following issues:
- Drop or soften some of the deprecation warnings (jsc#PED-944)
- Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
- tmpfiles: check for the correct directory
| Advisory ID | SUSE-RU-2022:2929-1
|
| Released | Mon Aug 29 11:21:47 2022 |
| Summary | Recommended update for timezone |
| Type | recommended |
| Severity | important |
| References | 1202310 |
Description:
This update for timezone fixes the following issue:
- Reflect new Chile DST change (bsc#1202310)
| Advisory ID | SUSE-RU-2022:2944-1
|
| Released | Wed Aug 31 05:39:14 2022 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | important |
| References | 1181475 |
Description:
This update for procps fixes the following issues:
- Fix 'free' command reporting misleading 'used' value (bsc#1181475)
| Advisory ID | SUSE-SU-2022:2947-1
|
| Released | Wed Aug 31 09:16:21 2022 |
| Summary | Security update for zlib |
| Type | security |
| Severity | important |
| References | 1202175,CVE-2022-37434 |
Description:
This update for zlib fixes the following issues:
- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).
| Advisory ID | SUSE-RU-2022:2982-1
|
| Released | Thu Sep 1 12:33:47 2022 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | moderate |
| References | 1197178,1198731,1200842 |
Description:
This update for util-linux fixes the following issues:
- su: Change owner and mode for pty (bsc#1200842)
- agetty: Resolve tty name even if stdin is specified (bsc#1197178)
- libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
- mesg: use only stat() to get the current terminal status (bsc#1200842)
| Advisory ID | SUSE-RU-2022:2994-1
|
| Released | Fri Sep 2 10:44:54 2022 |
| Summary | Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame |
| Type | recommended |
| Severity | moderate |
| References | 1198925 |
Description:
This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.
| Advisory ID | SUSE-SU-2022:3004-1
|
| Released | Fri Sep 2 15:02:14 2022 |
| Summary | Security update for curl |
| Type | security |
| Severity | low |
| References | 1202593,CVE-2022-35252 |
Description:
This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
| Advisory ID | SUSE-RU-2022:3127-1
|
| Released | Wed Sep 7 04:36:10 2022 |
| Summary | Recommended update for libtirpc |
| Type | recommended |
| Severity | moderate |
| References | 1198752,1200800 |
Description:
This update for libtirpc fixes the following issues:
- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignement (bsc#1198752)
SUSE-CU-2022:325-1
| Container Advisory ID | SUSE-CU-2022:325-1 |
| Container Tags | ses/7.1/ceph/grafana:7.5.12 , ses/7.1/ceph/grafana:7.5.12.2.2.13 , ses/7.1/ceph/grafana:latest , ses/7.1/ceph/grafana:sle15.3.pacific |
| Container Release | 2.2.13 |
The following patches have been included in this update:
| Advisory ID | SUSE-SU-2018:1353-1
|
| Released | Thu Jul 19 09:50:32 2018 |
| Summary | Security update for e2fsprogs |
| Type | security |
| Severity | moderate |
| References | 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 |
Description:
This update for e2fsprogs fixes the following issues:
Security issues fixed:
- CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).
Bug fixes:
- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
| Advisory ID | SUSE-RU-2018:1999-1
|
| Released | Tue Sep 25 08:20:35 2018 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1071321 |
Description:
This update for zlib provides the following fixes:
- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)
| Advisory ID | SUSE-RU-2018:2055-1
|
| Released | Thu Sep 27 14:30:14 2018 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1089640 |
Description:
This update for openldap2 provides the following fix:
- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)
| Advisory ID | SUSE-SU-2018:2182-1
|
| Released | Tue Oct 9 11:08:36 2018 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 |
Description:
This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a
denial of service (infinite loop) via a crafted XML file that triggers
LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML
file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint
(bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval()
function when parsing an invalid XPath expression in the XPATH_OP_AND or
XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)
| Advisory ID | SUSE-RU-2018:2370-1
|
| Released | Mon Oct 22 14:02:01 2018 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1102310,1104531 |
Description:
This update for aaa_base provides the following fixes:
- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)
| Advisory ID | SUSE-RU-2018:2569-1
|
| Released | Fri Nov 2 19:00:18 2018 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1110700 |
Description:
This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
| Advisory ID | SUSE-RU-2018:2607-1
|
| Released | Wed Nov 7 15:42:48 2018 |
| Summary | Optional update for gcc8 |
| Type | recommended |
| Severity | low |
| References | 1084812,1084842,1087550,1094222,1102564 |
Description:
The GNU Compiler GCC 8 is being added to the Development Tools Module by this
update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html
| Advisory ID | SUSE-SU-2018:2825-1
|
| Released | Mon Dec 3 15:35:02 2018 |
| Summary | Security update for pam |
| Type | security |
| Severity | important |
| References | 1115640,CVE-2018-17953 |
Description:
This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
| Advisory ID | SUSE-SU-2018:2861-1
|
| Released | Thu Dec 6 14:32:01 2018 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | important |
| References | 1103320,1115929,CVE-2018-19211 |
Description:
This update for ncurses fixes the following issues:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
Non-security issue fixed:
- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
| Advisory ID | SUSE-RU-2019:44-1
|
| Released | Tue Jan 8 13:07:32 2019 |
| Summary | Recommended update for acl |
| Type | recommended |
| Severity | low |
| References | 953659 |
Description:
This update for acl fixes the following issues:
- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)
| Advisory ID | SUSE-SU-2019:247-1
|
| Released | Wed Feb 6 07:18:45 2019 |
| Summary | Security update for lua53 |
| Type | security |
| Severity | moderate |
| References | 1123043,CVE-2019-6706 |
Description:
This update for lua53 fixes the following issues:
Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
| Advisory ID | SUSE-RU-2019:369-1
|
| Released | Wed Feb 13 14:01:42 2019 |
| Summary | Recommended update for itstool |
| Type | recommended |
| Severity | moderate |
| References | 1065270,1111019 |
Description:
This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool
- Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python
- Fix segfault when parsing invalid data. (bsc#1065270)
| Advisory ID | SUSE-SU-2019:571-1
|
| Released | Thu Mar 7 18:13:46 2019 |
| Summary | Security update for file |
| Type | security |
| Severity | moderate |
| References | 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 |
Description:
This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in
readelf.c, which allowed remote attackers to cause a denial of service
(application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
(bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
(bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
(bsc#1126117)
| Advisory ID | SUSE-RU-2019:732-1
|
| Released | Mon Mar 25 14:10:04 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1088524,1118364,1128246 |
Description:
This update for aaa_base fixes the following issues:
- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
| Advisory ID | SUSE-SU-2019:788-1
|
| Released | Thu Mar 28 11:55:06 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1119687,CVE-2018-20346 |
Description:
This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
| Advisory ID | SUSE-RU-2019:1002-1
|
| Released | Wed Apr 24 10:13:34 2019 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1110304,1129576 |
Description:
This update for zlib fixes the following issues:
- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
| Advisory ID | SUSE-SU-2019:1127-1
|
| Released | Thu May 2 09:39:24 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1130325,1130326,CVE-2019-9936,CVE-2019-9937 |
Description:
This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix
queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in
a single transaction with an fts5 virtual table (bsc#1130325).
| Advisory ID | SUSE-SU-2019:1206-1
|
| Released | Fri May 10 14:01:55 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | low |
| References | 985657,CVE-2016-3189 |
Description:
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
| Advisory ID | SUSE-RU-2019:1312-1
|
| Released | Wed May 22 12:19:12 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1096191 |
Description:
This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers
(bsc#1096191)
| Advisory ID | SUSE-SU-2019:1368-1
|
| Released | Tue May 28 13:15:38 2019 |
| Summary | Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root |
| Type | security |
| Severity | important |
| References | 1134524,CVE-2019-5021 |
Description:
This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:
- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
| Advisory ID | SUSE-RU-2019:1484-1
|
| Released | Thu Jun 13 07:46:46 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1128383 |
Description:
This update for e2fsprogs fixes the following issues:
- Check and fix tails of all bitmap blocks (bsc#1128383)
| Advisory ID | SUSE-SU-2019:1486-1
|
| Released | Thu Jun 13 09:40:24 2019 |
| Summary | Security update for elfutils |
| Type | security |
| Severity | moderate |
| References | 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 |
Description:
This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
- CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
| Advisory ID | SUSE-RU-2019:1631-1
|
| Released | Fri Jun 21 11:17:21 2019 |
| Summary | Recommended update for xz |
| Type | recommended |
| Severity | low |
| References | 1135709 |
Description:
This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma,
xz, xzdec, lzmadec, documentation, translated messages, tests,
debug, extra directory) are in public domain licence [bsc#1135709]
| Advisory ID | SUSE-RU-2019:1700-1
|
| Released | Tue Jun 25 13:19:21 2019 |
| Summary | Security update for libssh |
| Type | recommended |
| Severity | moderate |
| References | 1134193 |
Description:
This update for libssh fixes the following issue:
Issue addressed:
- Added support for new AES-GCM encryption types (bsc#1134193).
| Advisory ID | SUSE-RU-2019:1808-1
|
| Released | Wed Jul 10 13:16:29 2019 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1133808 |
Description:
This update for libgcrypt fixes the following issues:
- Fixed redundant fips tests in some situations causing sudo to stop
working when pam-kwallet is installed. bsc#1133808
| Advisory ID | SUSE-SU-2019:1846-1
|
| Released | Mon Jul 15 11:36:33 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | important |
| References | 1139083,CVE-2019-12900 |
Description:
This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
| Advisory ID | SUSE-SU-2019:1971-1
|
| Released | Thu Jul 25 14:58:52 2019 |
| Summary | Security update for libgcrypt |
| Type | security |
| Severity | moderate |
| References | 1138939,CVE-2019-12904 |
Description:
This update for libgcrypt fixes the following issues:
Security issue fixed:
- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
| Advisory ID | SUSE-RU-2019:1994-1
|
| Released | Fri Jul 26 16:12:05 2019 |
| Summary | Recommended update for libxml2 |
| Type | recommended |
| Severity | moderate |
| References | 1135123 |
Description:
This update for libxml2 fixes the following issues:
- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)
| Advisory ID | SUSE-SU-2019:2004-1
|
| Released | Mon Jul 29 13:01:59 2019 |
| Summary | Security update for bzip2 |
| Type | security |
| Severity | important |
| References | 1139083,CVE-2019-12900 |
Description:
This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities
with files that used many selectors (bsc#1139083).
| Advisory ID | SUSE-RU-2019:2097-1
|
| Released | Fri Aug 9 09:31:17 2019 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | important |
| References | 1097073 |
Description:
This update for libgcrypt fixes the following issues:
- Fixed a regression where system were unable to boot in fips mode, caused by an
incomplete implementation of previous change (bsc#1097073).
| Advisory ID | SUSE-RU-2019:2134-1
|
| Released | Wed Aug 14 11:54:56 2019 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1136717,1137624,1141059,SLE-5807 |
Description:
This update for zlib fixes the following issues:
- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)
| Advisory ID | SUSE-RU-2019:2188-1
|
| Released | Wed Aug 21 10:10:29 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1140647 |
Description:
This update for aaa_base fixes the following issues:
- Make systemd detection cgroup oblivious. (bsc#1140647)
| Advisory ID | SUSE-RU-2019:2218-1
|
| Released | Mon Aug 26 11:29:57 2019 |
| Summary | Recommended update for pinentry |
| Type | recommended |
| Severity | moderate |
| References | 1141883 |
Description:
This update for pinentry fixes the following issues:
- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)
| Advisory ID | SUSE-SU-2019:2395-1
|
| Released | Wed Sep 18 08:31:38 2019 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 |
Description:
This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay
are enabled, attempts to free a buffer that was allocated on the stack,
which allows remote attackers to cause a denial of service (slapd crash)
via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
| Advisory ID | SUSE-RU-2019:2423-1
|
| Released | Fri Sep 20 16:41:45 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1146866,SLE-9132 |
Description:
This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
| Advisory ID | SUSE-SU-2019:2533-1
|
| Released | Thu Oct 3 15:02:50 2019 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | moderate |
| References | 1150137,CVE-2019-16168 |
Description:
This update for sqlite3 fixes the following issues:
Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
| Advisory ID | SUSE-RU-2019:2676-1
|
| Released | Tue Oct 15 21:06:54 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1145716,1152101,CVE-2019-5094 |
Description:
This update for e2fsprogs fixes the following issues:
Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)
Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)
| Advisory ID | SUSE-SU-2019:2730-1
|
| Released | Mon Oct 21 16:04:57 2019 |
| Summary | Security update for procps |
| Type | security |
| Severity | important |
| References | 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 |
Description:
This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top
with HOME unset in an attacker-controlled directory, the attacker could have
achieved privilege escalation by exploiting one of several vulnerabilities in
the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
Inbuilt protection in ps maped a guard page at the end of the overflowed
buffer, ensuring that the impact of this flaw is limited to a crash (temporary
denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap
corruption in file2strvec function. This allowed a privilege escalation for a
local attacker who can create entries in procfs by starting processes, which
could result in crashes or arbitrary code execution in proc utilities run by
other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was
mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent
truncation/integer overflow issues (bsc#1092100).
Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)
The update to 3.3.15 contains the following fixes:
- library: Increment to 8:0:1
No removals, no new functions
Changes: slab and pid structures
- library: Just check for SIGLOST and don't delete it
- library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
- library: Use size_t for alloc functions CVE-2018-1126
- library: Increase comm size to 64
- pgrep: Fix stack-based buffer overflow CVE-2018-1125
- pgrep: Remove >15 warning as comm can be longer
- ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
- ps: Increase command name selection field to 64
- top: Don't use cwd for location of config CVE-2018-1122
- update translations
- library: build on non-glibc systems
- free: fix scaling on 32-bit systems
- Revert 'Support running with child namespaces'
- library: Increment to 7:0:1
No changes, no removals
New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
- doc: Document I idle state in ps.1 and top.1
- free: fix some of the SI multiples
- kill: -l space between name parses correctly
- library: dont use vm_min_free on non Linux
- library: don't strip off wchan prefixes (ps & top)
- pgrep: warn about 15+ char name only if -f not used
- pgrep/pkill: only match in same namespace by default
- pidof: specify separator between pids
- pkill: Return 0 only if we can kill process
- pmap: fix duplicate output line under '-x' option
- ps: avoid eip/esp address truncations
- ps: recognizes SCHED_DEADLINE as valid CPU scheduler
- ps: display NUMA node under which a thread ran
- ps: Add seconds display for cputime and time
- ps: Add LUID field
- sysctl: Permit empty string for value
- sysctl: Don't segv when file not available
- sysctl: Read and write large buffers
- top: add config file support for XDG specification
- top: eliminated minor libnuma memory leak
- top: show fewer memory decimal places (configurable)
- top: provide command line switch for memory scaling
- top: provide command line switch for CPU States
- top: provides more accurate cpu usage at startup
- top: display NUMA node under which a thread ran
- top: fix argument parsing quirk resulting in SEGV
- top: delay interval accepts non-locale radix point
- top: address a wishlist man page NLS suggestion
- top: fix potential distortion in 'Mem' graph display
- top: provide proper multi-byte string handling
- top: startup defaults are fully customizable
- watch: define HOST_NAME_MAX where not defined
- vmstat: Fix alignment for disk partition format
- watch: Support ANSI 39,49 reset sequences
| Advisory ID | SUSE-RU-2019:2870-1
|
| Released | Thu Oct 31 08:09:14 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1051143,1138869,1151023 |
Description:
This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a
restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)
| Advisory ID | SUSE-SU-2019:2997-1
|
| Released | Mon Nov 18 15:16:38 2019 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | moderate |
| References | 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 |
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
| Advisory ID | SUSE-SU-2019:3059-1
|
| Released | Mon Nov 25 17:33:07 2019 |
| Summary | Security update for cpio |
| Type | security |
| Severity | moderate |
| References | 1155199,CVE-2019-14866 |
Description:
This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written
in the header of a TAR file through the to_oct() function which could
have led to unexpected TAR generation (bsc#1155199).
| Advisory ID | SUSE-SU-2019:3061-1
|
| Released | Mon Nov 25 17:34:22 2019 |
| Summary | Security update for gcc9 |
| Type | security |
| Severity | moderate |
| References | 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 |
Description:
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
| Advisory ID | SUSE-SU-2019:3086-1
|
| Released | Thu Nov 28 10:02:24 2019 |
| Summary | Security update for libidn2 |
| Type | security |
| Severity | moderate |
| References | 1154884,1154887,CVE-2019-12290,CVE-2019-18224 |
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
| Advisory ID | SUSE-SU-2019:3087-1
|
| Released | Thu Nov 28 10:03:00 2019 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | low |
| References | 1123919 |
Description:
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
| Advisory ID | SUSE-RU-2019:3118-1
|
| Released | Fri Nov 29 14:41:35 2019 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1154295 |
Description:
This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)
| Advisory ID | SUSE-RU-2019:3166-1
|
| Released | Wed Dec 4 11:24:42 2019 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1007715,1084934,1157278 |
Description:
This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)
| Advisory ID | SUSE-SU-2019:3267-1
|
| Released | Wed Dec 11 11:19:53 2019 |
| Summary | Security update for libssh |
| Type | security |
| Severity | important |
| References | 1158095,CVE-2019-14889 |
Description:
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
| Advisory ID | SUSE-SU-2019:3392-1
|
| Released | Fri Dec 27 13:33:29 2019 |
| Summary | Security update for libgcrypt |
| Type | security |
| Severity | moderate |
| References | 1148987,1155338,1155339,CVE-2019-13627 |
Description:
This update for libgcrypt fixes the following issues:
Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).
Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
| Advisory ID | SUSE-SU-2020:129-1
|
| Released | Mon Jan 20 09:21:13 2020 |
| Summary | Security update for libssh |
| Type | security |
| Severity | important |
| References | 1158095,CVE-2019-14889 |
Description:
This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).
| Advisory ID | SUSE-RU-2020:225-1
|
| Released | Fri Jan 24 06:49:07 2020 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1158830 |
Description:
This update for procps fixes the following issues:
- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)
| Advisory ID | SUSE-RU-2020:256-1
|
| Released | Wed Jan 29 09:39:17 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1157794,1160970 |
Description:
This update for aaa_base fixes the following issues:
- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)
| Advisory ID | SUSE-SU-2020:265-1
|
| Released | Thu Jan 30 14:05:34 2020 |
| Summary | Security update for e2fsprogs |
| Type | security |
| Severity | moderate |
| References | 1160571,CVE-2019-5188 |
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
| Advisory ID | SUSE-RU-2020:339-1
|
| Released | Thu Feb 6 13:03:22 2020 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | low |
| References | 1158921 |
Description:
This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)
| Advisory ID | SUSE-RU-2020:451-1
|
| Released | Tue Feb 25 10:50:35 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1155337,1161215,1161216,1161218,1161219,1161220 |
Description:
This update for libgcrypt fixes the following issues:
- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]
| Advisory ID | SUSE-RU-2020:480-1
|
| Released | Tue Feb 25 17:38:22 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1160735 |
Description:
This update for aaa_base fixes the following issues:
- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)
| Advisory ID | SUSE-RU-2020:525-1
|
| Released | Fri Feb 28 11:49:36 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1164562 |
Description:
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
| Advisory ID | SUSE-RU-2020:597-1
|
| Released | Thu Mar 5 15:24:09 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1164950 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: Run the self-tests from the constructor [bsc#1164950]
| Advisory ID | SUSE-RU-2020:633-1
|
| Released | Tue Mar 10 16:23:08 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1139939,1151023 |
Description:
This update for aaa_base fixes the following issues:
- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues
| Advisory ID | SUSE-RU-2020:689-1
|
| Released | Fri Mar 13 17:09:01 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1166510 |
Description:
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
| Advisory ID | SUSE-RU-2020:846-1
|
| Released | Thu Apr 2 07:24:07 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1164950,1166748,1167674 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
* Set up global_init as the constructor function:
* Relax the entropy requirements on selftest. This is especially
important for virtual machines to boot properly before the RNG
is available:
| Advisory ID | SUSE-RU-2020:917-1
|
| Released | Fri Apr 3 15:02:25 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1166510 |
Description:
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
| Advisory ID | SUSE-SU-2020:948-1
|
| Released | Wed Apr 8 07:44:21 2020 |
| Summary | Security update for gmp, gnutls, libnettle |
| Type | security |
| Severity | moderate |
| References | 1152692,1155327,1166881,1168345,CVE-2020-11501 |
Description:
This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)
FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)
| Advisory ID | SUSE-RU-2020:961-1
|
| Released | Wed Apr 8 13:34:06 2020 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | moderate |
| References | 1160979 |
Description:
This update for e2fsprogs fixes the following issues:
- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)
| Advisory ID | SUSE-SU-2020:967-1
|
| Released | Thu Apr 9 11:41:53 2020 |
| Summary | Security update for libssh |
| Type | security |
| Severity | moderate |
| References | 1168699,CVE-2020-1730 |
Description:
This update for libssh fixes the following issues:
- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
| Advisory ID | SUSE-RU-2020:1063-1
|
| Released | Wed Apr 22 10:46:50 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1165539,1169569 |
Description:
This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)
| Advisory ID | SUSE-RU-2020:1214-1
|
| Released | Thu May 7 11:20:34 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1169944 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)
| Advisory ID | SUSE-SU-2020:1219-1
|
| Released | Thu May 7 17:10:42 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1170771,CVE-2020-12243 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
| Advisory ID | SUSE-RU-2020:1226-1
|
| Released | Fri May 8 10:51:05 2020 |
| Summary | Recommended update for gcc9 |
| Type | recommended |
| Severity | moderate |
| References | 1149995,1152590,1167898 |
Description:
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
| Advisory ID | SUSE-SU-2020:1294-1
|
| Released | Mon May 18 07:38:36 2020 |
| Summary | Security update for file |
| Type | security |
| Severity | moderate |
| References | 1154661,1169512,CVE-2019-18218 |
Description:
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
| Advisory ID | SUSE-SU-2020:1299-1
|
| Released | Mon May 18 07:43:21 2020 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
| Advisory ID | SUSE-RU-2020:1328-1
|
| Released | Mon May 18 17:16:04 2020 |
| Summary | Recommended update for grep |
| Type | recommended |
| Severity | moderate |
| References | 1155271 |
Description:
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
| Advisory ID | SUSE-RU-2020:1361-1
|
| Released | Thu May 21 09:31:18 2020 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1171872 |
Description:
This update for libgcrypt fixes the following issues:
- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)
| Advisory ID | SUSE-RU-2020:1404-1
|
| Released | Mon May 25 15:32:34 2020 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1138793,1166260 |
Description:
This update for zlib fixes the following issues:
- Including the latest fixes from IBM (bsc#1166260)
IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
deflate algorithm in hardware with estimated compression and decompression performance
orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
The fix will avoid to test if the app was linked with exactly same version of zlib
like the one that is present on the runtime.
| Advisory ID | SUSE-RU-2020:1506-1
|
| Released | Fri May 29 17:22:11 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1087982,1170527 |
Description:
This update for aaa_base fixes the following issues:
- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)
| Advisory ID | SUSE-SU-2020:1532-1
|
| Released | Thu Jun 4 10:16:12 2020 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1172021,CVE-2019-19956 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
| Advisory ID | SUSE-SU-2020:1733-1
|
| Released | Wed Jun 24 09:43:36 2020 |
| Summary | Security update for curl |
| Type | security |
| Severity | important |
| References | 1173026,1173027,CVE-2020-8169,CVE-2020-8177 |
Description:
This update for curl fixes the following issues:
- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious
server to overwrite a local file when using the -J option (bsc#1173027).
- CVE-2020-8169: Fixed an issue where could have led to partial password leak
over DNS on HTTP redirect (bsc#1173026).
| Advisory ID | SUSE-SU-2020:1742-1
|
| Released | Wed Jun 24 17:56:59 2020 |
| Summary | Security update for grafana, grafana-piechart-panel, grafana-status-panel |
| Type | security |
| Severity | moderate |
| References | 1170557,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379 |
Description:
This update for grafana, grafana-piechart-panel, grafana-status-panel fixes the following issues:
grafana was updated to version 7.0.3:
- Stats: include all fields. #24829, @ryantxu
- Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
- Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
- Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
- Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
- Do not show alerts tab when alerting is disabled. #25285, @dprokop
- Jaeger: fixes cascader option label duration value. #25129, @Estrax
- Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
Update to version 7.0.2
- Security: Urgent security patch release to fix CVE-2020-13379
Update to version 7.0.1
- Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
- Download CSV: Add date and time formatting. #24992, @ryantxu
- Table: Make last cell value visible when right aligned. #24921, @peterholmberg
- TablePanel: Adding sort order persistance. #24705, @torkelo
- Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
- Transformations: Allow custom number input for binary operations. #24752, @ryantxu
- Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
- Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
- Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
- DataLinks: Bring back variables interpolation in title. #24970, @dprokop
- Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
- Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
- Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
- Explore: fix undo in query editor. #24797, @zoltanbedi
- Explore: fix word break in type head info. #25014, @zoltanbedi
- Graph: Legend decimals now work as expected. #24931, @torkelo
- LoginPage: Fix hover color for service buttons. #25009, @tskarhed
- LogsPanel: Fix scrollbar. #24850, @ivanahuckova
- MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
- Organize transformer: Use display name in field order comparer. #24984, @dprokop
- Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
- PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
- PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
- PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
- PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
- PanelMenu: Make menu disappear on button press. #25015, @tskarhed
- Postgres: Fix add button. #25087, @phemmer
- Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
- Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
Update to version 7.0.0
- Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
- Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
- Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
- Datasource/Loki: Support for deprecated Loki endpoints has been removed.
- Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
- @grafana/ui: Forms migration notice, see @grafana/ui changelog
- @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
+ Deprecation warnings
- Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
- The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
- Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
- Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
- Loki: Allow multiple derived fields with the same name. #24437, @aocenas
- Orgs: Add future deprecation notice. #24502, @torkelo
- @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
- Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
- Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
- Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
- Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
- Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
- Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
- Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
- Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
- Data source: Fixes async mount errors. #24579, @Estrax
- Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
- Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
- Explore: Fix rendering of react query editors. #24593, @ivanahuckova
- Explore: Fixes loading more logs in logs context view. #24135, @Estrax
- Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
- Graphite: Makes query annotations work again. #24556, @hugohaggmark
- Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
- Logs: Fix total bytes process calculation. #24691, @davkal
- Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
- Plugins: Fix manifest validation. #24573, @aknuds1
- Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
- Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
- Search: Save folder expanded state. #24496, @Clarity-89
- Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
- Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
- Table: Fixed persisting column resize for time series fields. #24505, @torkelo
- Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
- Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
- Transformations: Make transform dropdowns not cropped. #24615, @dprokop
- Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
- Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
- Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
- Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
- Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
- SAML: Switch from email to login for user login attribute mapping (Enterprise)
| Advisory ID | SUSE-SU-2020:1396-1
|
| Released | Fri Jul 3 12:33:05 2020 |
| Summary | Security update for zstd |
| Type | security |
| Severity | moderate |
| References | 1082318,1133297 |
Description:
This update for zstd fixes the following issues:
- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
| Advisory ID | SUSE-SU-2020:1856-1
|
| Released | Mon Jul 6 17:05:51 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1172698,1172704,CVE-2020-8023 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
| Advisory ID | SUSE-RU-2020:1938-1
|
| Released | Thu Jul 16 14:43:32 2020 |
| Summary | Recommended update for libsolv, libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1169947,1170801,1172925,1173106 |
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to:
- Enable zstd compression support for sle15
zypper was updated to version 1.14.37:
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)
libzypp was updated to 17.24.0
- Fix core dump with corrupted history file (bsc#1170801)
- Enable zchunk metadata download if libsolv supports it.
- Better handling of the purge-kernels algorithm. (bsc#1173106)
| Advisory ID | SUSE-RU-2020:1954-1
|
| Released | Sat Jul 18 03:07:15 2020 |
| Summary | Recommended update for cracklib |
| Type | recommended |
| Severity | moderate |
| References | 1172396 |
Description:
This update for cracklib fixes the following issues:
- Fixed a buffer overflow when processing long words.
| Advisory ID | SUSE-RU-2020:1987-1
|
| Released | Tue Jul 21 17:02:15 2020 |
| Summary | Recommended update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings |
| Type | recommended |
| Severity | important |
| References | 1172477,1173336,1174011 |
Description:
This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues:
libsolv:
- No source changes, just shipping it as an installer update (required by yast2-pkg-bindings).
libzypp:
- Proactively send credentials if the URL specifes '?auth=basic' and a username.
(bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)
yast2-packager:
- Handle variable expansion in repository name. (bsc#1172477)
- Improve medium type detection, do not report Online medium when the /media.1/products
file is missing in the repository, SMT does not mirror this file. (bsc#1173336)
yast2-pkg-bindings:
- Extensions to handle raw repository name. (bsc#1172477)
| Advisory ID | SUSE-RU-2020:2083-1
|
| Released | Thu Jul 30 10:27:59 2020 |
| Summary | Recommended update for diffutils |
| Type | recommended |
| Severity | moderate |
| References | 1156913 |
Description:
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
| Advisory ID | SUSE-RU-2020:2384-1
|
| Released | Sat Aug 29 00:57:13 2020 |
| Summary | Recommended update for e2fsprogs |
| Type | recommended |
| Severity | low |
| References | 1170964 |
Description:
This update for e2fsprogs fixes the following issues:
- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)
| Advisory ID | SUSE-RU-2020:2420-1
|
| Released | Tue Sep 1 13:48:35 2020 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1174551,1174736 |
Description:
This update for zlib provides the following fixes:
- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)
| Advisory ID | SUSE-SU-2020:2445-1
|
| Released | Wed Sep 2 09:33:02 2020 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1175109,CVE-2020-8231 |
Description:
This update for curl fixes the following issues:
- An application that performs multiple requests with libcurl's
multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
rare circumstances experience that when subsequently using the
setup connect-only transfer, libcurl will pick and use the wrong
connection and instead pick another one the application has
created since then. [bsc#1175109, CVE-2020-8231]
| Advisory ID | SUSE-SU-2020:2581-1
|
| Released | Wed Sep 9 13:07:07 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1174154,CVE-2020-15719 |
Description:
This update for openldap2 fixes the following issues:
- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
SAN's falling back to CN validation in violation of rfc6125.
| Advisory ID | SUSE-SU-2020:2612-1
|
| Released | Fri Sep 11 11:18:01 2020 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1176179,CVE-2020-24977 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
| Advisory ID | SUSE-RU-2020:2651-1
|
| Released | Wed Sep 16 14:42:55 2020 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1175811,1175830,1175831 |
Description:
This update for zlib fixes the following issues:
- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)
| Advisory ID | SUSE-SU-2020:2712-1
|
| Released | Tue Sep 22 17:08:03 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1175568,CVE-2020-8027 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).
| Advisory ID | SUSE-RU-2020:2819-1
|
| Released | Thu Oct 1 10:39:16 2020 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 |
Description:
This update for libzypp, zypper provides the following fixes:
Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.
Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
(bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.
| Advisory ID | SUSE-RU-2020:2852-1
|
| Released | Fri Oct 2 16:55:39 2020 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1173470,1175844 |
Description:
This update for openssl-1_1 fixes the following issues:
FIPS:
- Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
- Add shared secret KAT to FIPS DH selftest (bsc#1175844).
| Advisory ID | SUSE-RU-2020:2869-1
|
| Released | Tue Oct 6 16:13:20 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1011548,1153943,1153946,1161239,1171762 |
Description:
This update for aaa_base fixes the following issues:
- DIR_COLORS (bug#1006973):
- add screen.xterm-256color
- add TERM rxvt-unicode-256color
- sort and merge TERM entries in etc/DIR_COLORS
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)
| Advisory ID | SUSE-RU-2020:2893-1
|
| Released | Mon Oct 12 14:14:55 2020 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1177479 |
Description:
This update for openssl-1_1 fixes the following issues:
- Restore private key check in EC_KEY_check_key (bsc#1177479)
| Advisory ID | SUSE-SU-2020:2914-1
|
| Released | Tue Oct 13 17:25:20 2020 |
| Summary | Security update for bind |
| Type | security |
| Severity | moderate |
| References | 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 |
Description:
This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:
- bind is now more strict in regards to DNSSEC. If queries are not working,
check for DNSSEC issues. For instance, if bind is used in a namserver
forwarder chain, the forwarding DNS servers must support DNSSEC.
Fixing security issues:
- CVE-2020-8616: Further limit the number of queries that can be triggered from
a request. Root and TLD servers are no longer exempt
from max-recursion-queries. Fetches for missing name server. (bsc#1171740)
Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass
the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone content
and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
incorrectly treated as 'zonesub' rules, which allowed
keys used in 'subdomain' rules to update names outside
of the specified subdomains. The problem was fixed by
making sure 'subdomain' rules are again processed as
described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request (bsc#1175443).
Other issues fixed:
- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created
chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
so that named, being a/the only member of the 'named' group
has full r/w access yet cannot change directories owned by root
in the case of a compromized named.
[bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
(init/named system/lwresd.init system/named.init in vendor-files)
as this option is deprecated and causes rndc-confgen to fail.
(bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
of /usr/sbin/dnssec-keygen as BIND now uses the random number
functions provided by the crypto library (i.e., OpenSSL or a
PKCS#11 provider) as a source of randomness rather than /dev/random.
Therefore the -r command line option no longer has any effect on
dnssec-keygen. Leaving the option in genDDNSkey as to not break
compatibility. Patch provided by Stefan Eisenwiener.
[bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
systemd context as well as legacy sysv, make use of start_daemon.
| Advisory ID | SUSE-SU-2020:2947-1
|
| Released | Fri Oct 16 15:23:07 2020 |
| Summary | Security update for gcc10, nvptx-tools |
| Type | security |
| Severity | moderate |
| References | 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 |
Description:
This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:
| Advisory ID | SUSE-RU-2020:2958-1
|
| Released | Tue Oct 20 12:24:55 2020 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1158830 |
Description:
This update for procps fixes the following issues:
- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)
| Advisory ID | SUSE-RU-2020:2983-1
|
| Released | Wed Oct 21 15:03:03 2020 |
| Summary | Recommended update for file |
| Type | recommended |
| Severity | moderate |
| References | 1176123 |
Description:
This update for file fixes the following issues:
- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)
| Advisory ID | SUSE-OU-2020:3026-1
|
| Released | Fri Oct 23 15:35:51 2020 |
| Summary | Optional update for the Public Cloud Module |
| Type | optional |
| Severity | moderate |
| References | |
Description:
This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:
- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)
| Advisory ID | SUSE-RU-2020:3048-1
|
| Released | Tue Oct 27 16:05:17 2020 |
| Summary | Recommended update for libsolv, libzypp, yaml-cpp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 |
Description:
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:
- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
kernel-default-base has new packaging, where the kernel uname -r
does not reflect the full package version anymore. This patch
adds additional logic to use the most generic/shortest edition
each package provides with %{packagename}= to group the
kernel packages instead of the rpm versions.
This also changes how the keep-spec for specific versions is
applied, instead of matching the package versions, each of the
package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
(as we link statically)
yaml-cpp:
- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
channels, and the INSTALLER channels, as a new libzypp dependency.
No source changes were done to yaml-cpp.
zypper was updated to 1.14.40:
libsolv was updated to 0.7.15 to fix:
- make testcase_mangle_repo_names deal correctly with freed repos
[bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function
| Advisory ID | SUSE-RU-2020:3249-1
|
| Released | Fri Nov 6 17:02:51 2020 |
| Summary | Recommended update for grafana |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for grafana fixes the following issues:
- Update to version 7.1.5:
* Features / Enhancements
- Stats: Stop counting the same user multiple times.
- Field overrides: Filter by field name using regex.
- AzureMonitor: map more units.
- Explore: Don't run queries on datasource change.
- Graph: Support setting field unit & override data source (automatic) unit.
- Explore: Unification of logs/metrics/traces user interface
- Table: JSON Cell should try to convert strings to JSON
- Variables: enables cancel for slow query variables queries.
- TimeZone: unify the time zone pickers to one that can rule them all.
- Search: support URL query params.
- Grafana-UI: Add FileUpload.
- TablePanel: Sort numbers correctly.
* Bug fixes
- Alerting: remove LongToWide call in alerting.
- AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used.
- Variables: Fixes issue with All variable not being resolved.
- Templating: Fixes so texts show in picker not the values.
- Templating: Templating: Fix undefined result when using raw interpolation format
- TextPanel: Fix content overflowing panel boundaries.
- StatPanel: Fix stat panel display name not showing when explicitly set.
- Query history: Fix search filtering if null value.
- Flux: Ensure connections to InfluxDB are closed.
- Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot not save anything).
- Prometheus: Fix prom links in mixed mode.
- Sign In Use correct url for the Sign In button.
- StatPanel: Fixes issue with name showing for single series / field results
- BarGauge: Fix space bug in single series mode.
- Auth: Fix POST request failures with anonymous access
- Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable
- Templating: Fixed recursive queries triggered when switching dashboard settings view
- GraphPanel: Fix annotations overflowing panels.
- Prometheus: Fix performance issue in processing of histogram labels.
- Datasources: Handle URL parsing error.
- Security: Use Header.Set and Header.Del for X-Grafana-User header.
* Changes in spec file
- Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects
| Advisory ID | SUSE-SU-2020:3313-1
|
| Released | Thu Nov 12 16:07:37 2020 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1178387,CVE-2020-25692 |
Description:
This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
| Advisory ID | SUSE-RU-2020:3462-1
|
| Released | Fri Nov 20 13:14:35 2020 |
| Summary | Recommended update for pam and sudo |
| Type | recommended |
| Severity | moderate |
| References | 1174593,1177858,1178727 |
Description:
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
| Advisory ID | SUSE-RU-2020:3581-1
|
| Released | Tue Dec 1 14:40:22 2020 |
| Summary | Recommended update for libusb-1_0 |
| Type | recommended |
| Severity | moderate |
| References | 1178376 |
Description:
This update for libusb-1_0 fixes the following issues:
- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)
| Advisory ID | SUSE-RU-2020:3620-1
|
| Released | Thu Dec 3 17:03:55 2020 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of of the user's name of at least `` characters length in
some form. This is enabled by the new parameter `usersubstr=`
| Advisory ID | SUSE-RU-2020:3703-1
|
| Released | Mon Dec 7 20:17:32 2020 |
| Summary | Recommended update for aaa_base |
| Type | recommended |
| Severity | moderate |
| References | 1179431 |
Description:
This update for aaa_base fixes the following issue:
- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)
| Advisory ID | SUSE-SU-2020:3721-1
|
| Released | Wed Dec 9 13:36:46 2020 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1179491,CVE-2020-1971 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).
| Advisory ID | SUSE-SU-2020:3735-1
|
| Released | Wed Dec 9 18:19:24 2020 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 |
Description:
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
| Advisory ID | SUSE-RU-2020:3809-1
|
| Released | Tue Dec 15 13:46:05 2020 |
| Summary | Recommended update for glib2 |
| Type | recommended |
| Severity | moderate |
| References | 1178346 |
Description:
This update for glib2 fixes the following issues:
Update from version 2.62.5 to version 2.62.6:
- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.
| Advisory ID | SUSE-RU-2020:3942-1
|
| Released | Tue Dec 29 12:22:01 2020 |
| Summary | Recommended update for libidn2 |
| Type | recommended |
| Severity | moderate |
| References | 1180138 |
Description:
This update for libidn2 fixes the following issues:
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
adjusted the RPM license tags (bsc#1180138)
| Advisory ID | SUSE-RU-2020:3943-1
|
| Released | Tue Dec 29 12:24:45 2020 |
| Summary | Recommended update for libxml2 |
| Type | recommended |
| Severity | moderate |
| References | 1178823 |
Description:
This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
- key/unique/keyref schema attributes currently use quadratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys).
- This fix uses a hash table to avoid the quadratic behaviour.
| Advisory ID | SUSE-SU-2021:109-1
|
| Released | Wed Jan 13 10:13:24 2021 |
| Summary | Security update for libzypp, zypper |
| Type | security |
| Severity | moderate |
| References | 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 |
Description:
This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.41
Update libzypp to 17.25.4
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat
symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
yast-installation was updated to 4.2.48:
- Do not cleanup the libzypp cache when the system has low memory,
incomplete cache confuses libzypp later (bsc#1179415)
| Advisory ID | SUSE-SU-2021:129-1
|
| Released | Thu Jan 14 12:26:15 2021 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | moderate |
| References | 1178909,1179503,CVE-2020-25709,CVE-2020-25710 |
Description:
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
Non-security issue fixed:
- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
| Advisory ID | SUSE-RU-2021:169-1
|
| Released | Tue Jan 19 16:18:46 2021 |
| Summary | Recommended update for libsolv, libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1179816,1180077,1180663,1180721 |
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
libzypp was updated to 17.25.6:
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with with unknown filesize (fixes #277)
zypper was updated to 1.14.42:
- Fix source-download commnds help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
libsolv was updated to 0.7.16;
- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are prefered in more cases
| Advisory ID | SUSE-SU-2021:197-1
|
| Released | Fri Jan 22 15:17:42 2021 |
| Summary | Security update for permissions |
| Type | security |
| Severity | moderate |
| References | 1171883,CVE-2020-8025 |
Description:
This update for permissions fixes the following issues:
- Update to version 20181224:
* pcp: remove no longer needed / conflicting entries
(bsc#1171883, CVE-2020-8025)
| Advisory ID | SUSE-RU-2021:220-1
|
| Released | Tue Jan 26 14:00:51 2021 |
| Summary | Recommended update for keyutils |
| Type | recommended |
| Severity | moderate |
| References | 1180603 |
Description:
This update for keyutils fixes the following issues:
- Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
| Advisory ID | SUSE-RU-2021:293-1
|
| Released | Wed Feb 3 12:52:34 2021 |
| Summary | Recommended update for gmp |
| Type | recommended |
| Severity | moderate |
| References | 1180603 |
Description:
This update for gmp fixes the following issues:
- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)
| Advisory ID | SUSE-RU-2021:294-1
|
| Released | Wed Feb 3 12:54:28 2021 |
| Summary | Recommended update for libprotobuf |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
libprotobuf was updated to fix:
- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)
| Advisory ID | SUSE-RU-2021:321-1
|
| Released | Mon Feb 8 10:29:48 2021 |
| Summary | Recommended update for grafana, system-user-grafana |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for grafana, system-user-grafana fixes the following issues:
- Update packaging
* avoid systemd and shadow hard requirements
* Require the user from a new dedicated 'system-user-grafana' sibling package
* avoid pinning to a specific Go version in the spec file
- Update to version 7.3.1:
* Breaking changes
- CloudWatch: The AWS CloudWatch data source's authentication scheme has changed. See the upgrade notes for details and how this may affect you.
- Units: The date time units `YYYY-MM-DD HH:mm:ss` and `MM/DD/YYYY h:mm:ss a` have been renamed to `Datetime ISO` and `Datetime US` respectively.
* Features / Enhancements
- AzureMonitor: Support decimal (as float64) type in analytics/logs.
- Add monitoring mixing for Grafana.
- CloudWatch: Missing Namespace AWS/EC2CapacityReservations.
- CloudWatch: Add support for AWS DirectConnect virtual interface metrics and add missing dimensions.
- CloudWatch: Adding support for Amazon ElastiCache Redis metrics.
- CloudWatch: Adding support for additional Amazon CloudFront metrics.
- CloudWatch: Re-implement authentication.
- Elasticsearch: Support multiple pipeline aggregations for a query.
- Prometheus: Add time range parameters to labels API.
- Loki: Visually distinguish error logs for LogQL2.
- Api: Add /healthz endpoint for health checks.
- API: Enrich add user to org endpoints with user ID in the response.
- API: Enrich responses and improve error handling for alerting API endpoints.
- Elasticsearch: Add support for date_nanos type.
- Elasticsearch: Allow fields starting with underscore.
- Elasticsearch: Increase maximum geohash aggregation precision to 12.
- Postgres: Support request cancellation properly (Uses new backendSrv.fetch Observable request API).
- Provisioning: Remove provisioned dashboards without parental reader.
- API: Return ID of the deleted resource for dashboard, datasource and folder DELETE endpoints.
- API: Support paging in the admin orgs list API.
- API: return resource ID for auth key creation, folder permissions update and user invite complete endpoints.
- BackendSrv: Uses credentials, deprecates withCredentials & defaults to same-origin.
- CloudWatch: Update list of AmazonMQ metrics and dimensions.
- Cloudwatch: Add Support for external ID in assume role.
- Cloudwatch: Add af-south-1 region.
- DateFormats: Default ISO & US formats never omit date part even if date is today (breaking change).
- Explore: Transform prometheus query to elasticsearch query.
- InfluxDB/Flux: Increase series limit for Flux datasource.
- InfluxDB: exclude result and table column from Flux table results.
- InfluxDB: return a table rather than an error when timeseries is missing time.
- Loki: Add scopedVars support in legend formatting for repeated variables.
- Loki: Re-introduce running of instant queries.
- Loki: Support request cancellation properly (Uses new backendSrv.fetch Observable request API).
- MixedDatasource: Shows retrieved data even if a data source fails.
- Postgres: Support Unix socket for host.
- Prometheus: Add scopedVars support in legend formatting for repeated variables.
- Prometheus: Support request cancellation properly (Uses new backendSrv.fetch Observable request API).
- Prometheus: add $__rate_interval variable.
- Table: Adds column filtering.
- grafana-cli: Add ability to read password from stdin to reset admin password.
- Variables: enables cancel for slow query variables queries.
- AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used.
- TextPanel: Fix content overflowing panel boundaries.
- Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects
| Advisory ID | SUSE-OU-2021:339-1
|
| Released | Mon Feb 8 13:16:07 2021 |
| Summary | Optional update for pam |
| Type | optional |
| Severity | low |
| References | |
Description:
This update for pam fixes the following issues:
- Added rpm macros for this package, so that other packages can make use of it
This patch is optional to be installed - it doesn't fix any bugs.
| Advisory ID | SUSE-RU-2021:656-1
|
| Released | Mon Mar 1 09:34:21 2021 |
| Summary | Recommended update for protobuf |
| Type | recommended |
| Severity | moderate |
| References | 1177127 |
Description:
This update for protobuf fixes the following issues:
- Add missing dependency of python subpackages on python-six. (bsc#1177127)
| Advisory ID | SUSE-SU-2021:723-1
|
| Released | Mon Mar 8 16:45:27 2021 |
| Summary | Security update for openldap2 |
| Type | security |
| Severity | important |
| References | 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 |
Description:
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
| Advisory ID | SUSE-SU-2021:754-1
|
| Released | Tue Mar 9 17:10:49 2021 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | moderate |
| References | 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).
| Advisory ID | SUSE-SU-2021:778-1
|
| Released | Fri Mar 12 17:42:25 2021 |
| Summary | Security update for glib2 |
| Type | security |
| Severity | important |
| References | 1182328,1182362,CVE-2021-27218,CVE-2021-27219 |
Description:
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if
the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
| Advisory ID | SUSE-RU-2021:786-1
|
| Released | Mon Mar 15 11:19:23 2021 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1176201 |
Description:
This update for zlib fixes the following issues:
- Fixed hw compression on z15 (bsc#1176201)
| Advisory ID | SUSE-RU-2021:874-1
|
| Released | Thu Mar 18 09:41:54 2021 |
| Summary | Recommended update for libsolv, libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1179847,1181328,1181622,1182629 |
Description:
This update for libsolv, libzypp, zypper fixes the following issues:
- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
| Advisory ID | SUSE-RU-2021:924-1
|
| Released | Tue Mar 23 10:00:49 2021 |
| Summary | Recommended update for filesystem |
| Type | recommended |
| Severity | moderate |
| References | 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 |
Description:
This update for filesystem the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)
This update for systemd fixes the following issues:
- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
| Advisory ID | SUSE-SU-2021:930-1
|
| Released | Wed Mar 24 12:09:23 2021 |
| Summary | Security update for nghttp2 |
| Type | security |
| Severity | important |
| References | 1172442,1181358,CVE-2020-11080 |
Description:
This update for nghttp2 fixes the following issues:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)
| Advisory ID | SUSE-SU-2021:948-1
|
| Released | Wed Mar 24 14:31:34 2021 |
| Summary | Security update for zstd |
| Type | security |
| Severity | moderate |
| References | 1183370,1183371,CVE-2021-24031,CVE-2021-24032 |
Description:
This update for zstd fixes the following issues:
- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).
| Advisory ID | SUSE-SU-2021:955-1
|
| Released | Thu Mar 25 16:11:48 2021 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1183852,CVE-2021-3449 |
Description:
This update for openssl-1_1 fixes the security issue:
- CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted
renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation
ClientHello omits the signature_algorithms extension but includes a
signature_algorithms_cert extension, then a NULL pointer dereference will
result, leading to a crash and a denial of service attack. OpenSSL TLS
clients are not impacted by this issue. [bsc#1183852]
| Advisory ID | SUSE-RU-2021:1004-1
|
| Released | Thu Apr 1 15:07:09 2021 |
| Summary | Recommended update for libcap |
| Type | recommended |
| Severity | moderate |
| References | 1180073 |
Description:
This update for libcap fixes the following issues:
- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)
| Advisory ID | SUSE-SU-2021:1006-1
|
| Released | Thu Apr 1 17:44:57 2021 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1183933,1183934,CVE-2021-22876,CVE-2021-22890 |
Description:
This update for curl fixes the following issues:
- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)
| Advisory ID | SUSE-RU-2021:1141-1
|
| Released | Mon Apr 12 13:13:36 2021 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | low |
| References | 1182791 |
Description:
This update for openldap2 fixes the following issues:
- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)
| Advisory ID | SUSE-RU-2021:1169-1
|
| Released | Tue Apr 13 15:01:42 2021 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | low |
| References | 1181976 |
Description:
This update for procps fixes the following issues:
- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)
| Advisory ID | SUSE-OU-2021:1296-1
|
| Released | Wed Apr 21 14:09:28 2021 |
| Summary | Optional update for e2fsprogs |
| Type | optional |
| Severity | low |
| References | 1183791 |
Description:
This update for e2fsprogs fixes the following issues:
- Fixed an issue when building e2fsprogs (bsc#1183791)
This patch does not fix any user visible issues and is therefore optional to install.
| Advisory ID | SUSE-OU-2021:1299-1
|
| Released | Wed Apr 21 14:11:41 2021 |
| Summary | Optional update for gpgme |
| Type | optional |
| Severity | low |
| References | 1183801 |
Description:
This update for gpgme fixes the following issues:
- Fixed a bug in test cases (bsc#1183801)
This patch is optional to install and does not provide any user visible bug fixes.
| Advisory ID | SUSE-RU-2021:1407-1
|
| Released | Wed Apr 28 15:49:02 2021 |
| Summary | Recommended update for libcap |
| Type | recommended |
| Severity | important |
| References | 1184690 |
Description:
This update for libcap fixes the following issues:
- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)
| Advisory ID | SUSE-RU-2021:1426-1
|
| Released | Thu Apr 29 06:23:13 2021 |
| Summary | Recommended update for libsolv |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for libsolv fixes the following issues:
- Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt.
- Fix a couple of memory leaks in error cases.
- Fix error handling in solv_xfopen_fd()
- Fixed 'regex' code on win32.
- Fixed memory leak in choice rule generation
| Advisory ID | SUSE-SU-2021:1466-1
|
| Released | Tue May 4 08:30:57 2021 |
| Summary | Security update for permissions |
| Type | security |
| Severity | important |
| References | 1182899 |
Description:
This update for permissions fixes the following issues:
- etc/permissions: remove unnecessary entries (bsc#1182899)
| Advisory ID | SUSE-SU-2021:1523-1
|
| Released | Wed May 5 18:24:20 2021 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
| Advisory ID | SUSE-RU-2021:1526-1
|
| Released | Thu May 6 08:57:30 2021 |
| Summary | Recommended update for bash |
| Type | recommended |
| Severity | important |
| References | 1183064 |
Description:
This update for bash fixes the following issues:
- Fixed a segmentation fault that used to occur when bash read a history file
that was malformed in a very specific way. (bsc#1183064)
| Advisory ID | SUSE-RU-2021:1528-1
|
| Released | Thu May 6 15:31:23 2021 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1161276 |
Description:
This update for openssl-1_1 fixes the following issues:
- Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276)
| Advisory ID | SUSE-RU-2021:1543-1
|
| Released | Fri May 7 15:16:33 2021 |
| Summary | Recommended update for patterns-microos |
| Type | recommended |
| Severity | moderate |
| References | 1184435 |
Description:
This update for patterns-microos provides the following fix:
- Require the libvirt-daemon-qemu package and include the needed dependencies in the
product. (bsc#1184435)
| Advisory ID | SUSE-RU-2021:1544-1
|
| Released | Fri May 7 16:34:41 2021 |
| Summary | Recommended update for libzypp |
| Type | recommended |
| Severity | moderate |
| References | 1180851,1181874,1182936,1183628,1184997,1185239 |
Description:
This update for libzypp fixes the following issues:
Upgrade from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
| Advisory ID | SUSE-RU-2021:1549-1
|
| Released | Mon May 10 13:48:00 2021 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1185417 |
Description:
This update for procps fixes the following issues:
- Support up to 2048 CPU as well. (bsc#1185417)
| Advisory ID | SUSE-RU-2021:1612-1
|
| Released | Fri May 14 17:09:39 2021 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1184614 |
Description:
This update for openldap2 fixes the following issue:
- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
| Advisory ID | SUSE-RU-2021:1643-1
|
| Released | Wed May 19 13:51:48 2021 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | important |
| References | 1181443,1184358,1185562 |
Description:
This update for pam fixes the following issues:
- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)
| Advisory ID | SUSE-SU-2021:1654-1
|
| Released | Wed May 19 16:43:36 2021 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | important |
| References | 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
| Advisory ID | SUSE-SU-2021:1762-1
|
| Released | Wed May 26 12:30:01 2021 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1186114,CVE-2021-22898 |
Description:
This update for curl fixes the following issues:
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
* Have intermediate certificates in the trust store be treated
as trust-anchors, in the same way as self-signed root CA
certificates are. This allows users to verify servers using
the intermediate cert only, instead of needing the whole chain.
* Set FLAG_TRUSTED_FIRST unconditionally.
* Do not check partial chains with CRL check.
| Advisory ID | SUSE-SU-2021:1825-1
|
| Released | Tue Jun 1 16:24:01 2021 |
| Summary | Security update for lz4 |
| Type | security |
| Severity | important |
| References | 1185438,CVE-2021-3520 |
Description:
This update for lz4 fixes the following issues:
- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).
| Advisory ID | SUSE-RU-2021:1833-1
|
| Released | Wed Jun 2 15:32:28 2021 |
| Summary | Recommended update for zypper |
| Type | recommended |
| Severity | moderate |
| References | 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 |
Description:
This update for zypper fixes the following issues:
zypper was upgraded to 1.14.44:
- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
libzypp was upgraded from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
| Advisory ID | SUSE-RU-2021:1861-1
|
| Released | Fri Jun 4 09:59:40 2021 |
| Summary | Recommended update for gcc10 |
| Type | recommended |
| Severity | moderate |
| References | 1029961,1106014,1178577,1178624,1178675,1182016 |
Description:
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
| Advisory ID | SUSE-RU-2021:1879-1
|
| Released | Tue Jun 8 09:16:09 2021 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | important |
| References | 1184326,1184399,1184997,1185325 |
Description:
This update for libzypp, zypper fixes the following issues:
libzypp was updated to 17.26.0:
- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
Repositories signed with a trusted gpg key may import additional
package signing keys. This is needed if different keys were used
to sign the the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
zypp lock (bsc#1184399)
Helps boot time services like 'zypper purge-kernels' to wait for
the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
Leap 15.3 introduces a new kernel package called
kernel-flavour-extra, which contain kmp's. Currently kmp's are
detected by name '.*-kmp(-.*)?' but this does not work which
those new packages. This patch fixes the problem by checking
packages for kmod(*) and ksym(*) provides and only falls back to
name checking if the package in question does not provide one of
those.
- Introduce zypp-runpurge, a tool to run purge-kernels on
testcases.
zypper was updated to 1.14.45:
- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)
| Advisory ID | SUSE-SU-2021:1917-1
|
| Released | Wed Jun 9 14:48:05 2021 |
| Summary | Security update for libxml2 |
| Type | security |
| Severity | moderate |
| References | 1186015,CVE-2021-3541 |
Description:
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)
| Advisory ID | SUSE-RU-2021:1937-1
|
| Released | Thu Jun 10 10:47:09 2021 |
| Summary | Recommended update for nghttp2 |
| Type | recommended |
| Severity | moderate |
| References | 1186642 |
Description:
This update for nghttp2 fixes the following issue:
- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
| Advisory ID | SUSE-SU-2021:2157-1
|
| Released | Thu Jun 24 15:40:14 2021 |
| Summary | Security update for libgcrypt |
| Type | security |
| Severity | important |
| References | 1187212,CVE-2021-33560 |
Description:
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
| Advisory ID | SUSE-RU-2021:2173-1
|
| Released | Mon Jun 28 14:59:45 2021 |
| Summary | Recommended update for automake |
| Type | recommended |
| Severity | moderate |
| References | 1040589,1047218,1182604,1185540,1186049 |
Description:
This update for automake fixes the following issues:
- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)
This update for pcre fixes the following issues:
- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)
This update for brp-check-suse fixes the following issues:
- Add fixes to support reproducible builds. (bsc#1186049)
| Advisory ID | SUSE-SU-2021:2196-1
|
| Released | Tue Jun 29 09:41:39 2021 |
| Summary | Security update for lua53 |
| Type | security |
| Severity | moderate |
| References | 1175448,1175449,CVE-2020-24370,CVE-2020-24371 |
Description:
This update for lua53 fixes the following issues:
Update to version 5.3.6:
- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.
| Advisory ID | SUSE-RU-2021:2205-1
|
| Released | Wed Jun 30 09:17:41 2021 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | important |
| References | 1187210 |
Description:
This update for openldap2 fixes the following issues:
- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)
| Advisory ID | SUSE-RU-2021:2241-1
|
| Released | Mon Jul 5 08:48:47 2021 |
| Summary | Recommended update for grafana-status-panel |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for grafana-status-panel fixes the following issues:
- Update plugin to version 1.0.10 to fix compatibility issues with Grafana versions higher than v6.7.x.
| Advisory ID | SUSE-RU-2021:2273-1
|
| Released | Thu Jul 8 09:48:48 2021 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1186447,1186503 |
Description:
This update for libzypp, zypper fixes the following issues:
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -PIE (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default (jsc#PM-2645)
- Add 'Solvable::isBlacklisted' as superset of retracted and ptf packages (bsc#1186503)
- Fix segv if 'ZYPP_FULLOG' is set.
| Advisory ID | SUSE-RU-2021:2316-1
|
| Released | Wed Jul 14 13:49:55 2021 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1185807,1185828,1185958,1186411,1187154,1187292 |
Description:
This update for systemd fixes the following issues:
- Restore framebuffer devices as possible master of seat. Until simpledrm driver is released, this change is prematured as some graphical chips don't have DRM driver and fallback to framebuffer. (bsc#1187154)
- Fixed an issue when '/var/lock/subsys' dropped when the creation of 'filesystem' package took the initialization of the generic paths over. (bsc#1187292)
- 'udev' requires systemd in its %post (bsc#1185958)
nspawn: turn on higher optimization level in seccomp
nspawn: return ENOSYS by default, EPERM for 'known' calls (bsc#1186411)
shared/seccomp-util: added functionality to make list of filtred syscalls
hared/syscall-list: filter out some obviously platform-specific syscalls
shared/seccomp: reduce scope of indexing variables
generate-syscall-list: require python3
shared: add @known syscall list
meson: add syscall-names-update target
shared/seccomp: use _cleanup_ in one more place
home: fix homed.conf install location
- We need to make sure that the creation of the symlinks is done after updating udev DB so if worker A is preempted by worker B before A updates the DB but after it creates the symlinks, worker B won't
manage to overwrite the freshly created symlinks (by A) because A
has still yet not registered the symlinks in the DB. (bsc#1185828)
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
| Advisory ID | SUSE-SU-2021:2320-1
|
| Released | Wed Jul 14 17:01:06 2021 |
| Summary | Security update for sqlite3 |
| Type | security |
| Severity | important |
| References | 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 |
Description:
This update for sqlite3 fixes the following issues:
- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
(bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)
| Advisory ID | SUSE-RU-2021:2399-1
|
| Released | Mon Jul 19 19:06:22 2021 |
| Summary | Recommended update for release packages |
| Type | recommended |
| Severity | moderate |
| References | 1099521 |
Description:
This update for the release packages provides the following fix:
- Fix grub menu entries after migration from SLE-12*. (bsc#1099521)
| Advisory ID | SUSE-SU-2021:2410-1
|
| Released | Tue Jul 20 14:41:26 2021 |
| Summary | Security update for systemd |
| Type | security |
| Severity | important |
| References | 1188063,CVE-2021-33910 |
Description:
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)
| Advisory ID | SUSE-SU-2021:2439-1
|
| Released | Wed Jul 21 13:46:48 2021 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 |
Description:
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
| Advisory ID | SUSE-RU-2021:2626-1
|
| Released | Thu Aug 5 12:10:35 2021 |
| Summary | Recommended maintenance update for libeconf |
| Type | recommended |
| Severity | moderate |
| References | 1188348 |
Description:
This update for libeconf fixes the following issue:
- Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)
| Advisory ID | SUSE-SU-2021:2662-1
|
| Released | Thu Aug 12 12:01:41 2021 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1183803,1183809,1183811,1183813,1184371,CVE-2021-27358,CVE-2021-27962,CVE-2021-28146,CVE-2021-28147,CVE-2021-28148 |
Description:
This update for grafana fixes the following issues:
- CVE-2021-27358: unauthenticated remote attackers to trigger a Denial of Service via a remote API call (bsc#1183803)
- Update to version 7.5.7:
* Updated relref to 'Configuring exemplars' section (#34240) (#34243)
* Added exemplar topic (#34147) (#34226)
* Quota: Do not count folders towards dashboard quota (#32519) (#34025)
* Instructions to separate emails with semicolons (#32499) (#34138)
* Docs: Remove documentation of v8 generic OAuth feature (#34018)
* Annotations: Prevent orphaned annotation tags cleanup when no annotations were cleaned (#33957) (#33975)
* [GH-33898] Add missing --no-cache to Dockerfile. (#33906) (#33935)
* ReleaseNotes: Updated changelog and release notes for 7.5.6 (#33932) (#33936)
* Stop hoisting @icons/material (#33922)
* Chore: fix react-color version in yarn.lock (#33914)
* 'Release: Updated versions in package to 7.5.6' (#33909)
* Loki: fix label browser crashing when + typed (#33900) (#33901)
* Document `hide_version` flag (#33670) (#33881)
* Add isolation level db configuration parameter (#33830) (#33878)
* Sanitize PromLink button (#33874) (#33876)
* Removed content as per MarcusE's suggestion in https://github.com/grafana/grafana/issues/33822. (#33870) (#33872)
* Docs feedback: /administration/provisioning.md (#33804) (#33842)
* Docs: delete from high availability docs references to removed configurations related to session storage (#33827) (#33851)
* Docs: Update _index.md (#33797) (#33799)
* Docs: Update installation.md (#33656) (#33703)
* GraphNG: uPlot 1.6.9 (#33598) (#33612)
* dont consider invalid email address a failed email (#33671) (#33681)
* InfluxDB: Improve measurement-autocomplete behavior in query editor (#33494) (#33625)
* add template for dashboard url parameters (#33549) (#33588)
* Add note to Snapshot API doc to specify that user has to provide the entire dashboard model (#33572) (#33586)
* Update team.md (#33454) (#33536)
* Removed duplicate file 'dashboard_folder_permissions.md (#33497)
* Document customQueryParameters for prometheus datasource provisioning (#33440) (#33495)
* ReleaseNotes: Updated changelog and release notes for 7.5.5 (#33473) (#33492)
* Documentation: Update developer-guide.md (#33478) (#33490)
* add closed parenthesis to fix a hyperlink (#33471) (#33481)
- Update to version 7.5.5:
* 'Release: Updated versions in package to 7.5.5' (#33469)
* GraphNG: Fix exemplars window position (#33427) (#33462)
* Remove field limitation from slack notification (#33113) (#33455)
* Prometheus: Support POST in template variables (#33321) (#33441)
* Instrumentation: Add success rate metrics for email notifications (#33359) (#33409)
* Use either moment objects (for absolute times in the datepicker) or string (for relative time) (#33315) (#33406)
* Docs: Removed type from find annotations example. (#33399) (#33403)
* [v7.5.x]: FrontendMetrics: Adds new backend api that frontend can use to push frontend measurements and counters to prometheus (#33255)
* Updated label for add panel. (#33285) (#33286)
* Bug: Add git to Dockerfile.ubuntu (#33247) (#33248)
* Docs: Sync latest master docs with 7.5.x (#33156)
* Docs: Update getting-started-influxdb.md (#33234) (#33241)
* Doc: Document the X-Grafana-Org-Id HTTP header (#32478) (#33239)
* Minor Changes in Auditing.md (#31435) (#33238)
* Docs: Add license check endpoint doc (#32987) (#33236)
* Postgres: Fix time group macro when TimescaleDB is enabled and interval is less than a second (#33153) (#33219)
* Docs: InfluxDB doc improvements (#32815) (#33185)
* [v7.5.x] Loki: Pass Skip TLS Verify setting to alert queries (#33031)
* update cla (#33181)
* Fix inefficient regular expression (#33155) (#33159)
* Auth: Don't clear auth token cookie when lookup token fails (#32999) (#33136)
* Elasticsearch: Add documentation for supported Elasticsearch query transformations (#33072) (#33128)
* Update team.md (#33060) (#33084)
* GE issue 1268 (#33049) (#33081)
* Fixed some formatting issues for PRs from yesterday. (#33078) (#33079)
* Explore: Load default data source in Explore when the provided source does not exist (#32992) (#33061)
* Docs: Replace next with latest in aliases (#33054) (#33059)
* Added missing link item. (#33052) (#33055)
* Backport 33034 (#33038)
* Docs: Backport 32916 to v7.5x (#33008)
* ReleaseNotes: Updated changelog and release notes for 7.5.4 (#32973) (#32998)
* Elasticsearch: Force re-rendering of each editor row type change (#32993) (#32996)
* Docs: Sync release branch with latest docs (#32986)
- Update to version 7.5.4:
* 'Release: Updated versions in package to 7.5.4' (#32971)
* fix(datasource_srv): prevent infinite loop where default datasource is named default (#32949) (#32967)
* Added Azure Monitor support for Microsoft.AppConfiguration/configurationStores namespace (#32123) (#32968)
* fix sqlite3 tx retry condition operator precedence (#32897) (#32952)
* AzureMonitor: Add support for Virtual WAN namespaces (#32935) (#32947)
* Plugins: Allow a non-dashboard page to be the default home page (#32926) (#32945)
* GraphNG: uPlot 1.6.8 (#32859) (#32863)
* Alerting: Add ability to include aliases with dashes (/) and at (@) signs in InfluxDB (#32844)
* Prometheus: Allow exemplars endpoint in data source proxy (#32802) (#32804)
* [v7.5.x] Table: Fixes table data links so they refer to correct row after sorting (#32758)
* TablePanel: Makes sorting case-insensitive (#32435) (#32752)
- Update to version 7.5.3:
* 'Release: Updated versions in package to 7.5.3' (#32745)
* FolderPicker: Prevent dropdown menu from disappearing off screen (#32603) (#32741)
* Loki: Remove empty annotations tags (#32359) (#32490)
* SingleStat: fix wrong call to getDataLinkUIModel (#32721) (#32739)
* Prometheus: Fix instant query to run two times when exemplars enabled (#32508) (#32726)
* Elasticsearch: Fix bucket script variable duplication in UI (#32705) (#32714)
* Variables: Confirms selection before opening new picker (#32586) (#32710)
* CloudWarch: Fix service quotas link (#32686) (#32689)
* Configuration: Prevent browser hanging / crashing with large number of org users (#32546) (#32598)
* chore: bump execa to v2.1.0 (#32543) (#32592)
* Explore: Fix bug where navigating to explore would result in wrong query and datasource to be shown (#32558)
* Fix broken gtime tests (#32582) (#32587)
* resolve conflicts (#32567)
* gtime: Make ParseInterval deterministic (#32539) (#32560)
* Dashboard: No longer includes default datasource when externally exporting dashboard with row (#32494) (#32535)
* TextboxVariable: Limits the length of the preview value (#32472) (#32530)
* AdHocVariable: Adds default data source (#32470) (#32476)
* Variables: Fixes Unsupported data format error for null values (#32480) (#32487)
* Prometheus: align exemplars check to latest api change (#32513) (#32515)
* 'Release: Updated versions in package to 7.5.2' (#32502)
* SigV4: Add support EC2 IAM role auth and possibility to toggle auth providers (#32444) (#32488)
* Set spanNulls to default (#32471) (#32486)
* Graph: Fix setting right y-axis when standard option unit is configured (#32426) (#32442)
* API: Return 409 on datasource version conflict (#32425) (#32433)
* API: Return 400 on invalid Annotation requests (#32429) (#32431)
* Variables: Fixes problem with data source variable when default ds is selected (#32384) (#32424)
* Table: Fixes so links work for image cells (#32370) (#32410)
* Variables: Fixes error when manually non-matching entering custom value in variable input/picker (#32390) (#32394)
* DashboardQueryEditor: Run query after selecting source panel (#32383) (#32395)
* API: Datasource endpoint should return 400 bad request if id and orgId is invalid (#32392) (#32397)
* 'Release: Updated versions in package to 7.5.1' (#32362)
* MSSQL: Upgrade go-mssqldb (#32347) (#32361)
* GraphNG: Fix tooltip displaying wrong or no data (#32312) (#32348)
* 'Release: Updated versions in package to 7.5.0' (#32308)
* Loki: Fix text search in Label browser (#32293) (#32306)
* Explore: Show all dataFrames in data tab in Inspector (#32161) (#32299)
* PieChartV2: Add migration from old piechart (#32259) (#32291)
* LibraryPanels: Adds Type and Description to DB (#32258) (#32288)
* LibraryPanels: Prevents deletion of connected library panels (#32277) (#32284)
* Library Panels: Add 'Discard' button to panel save modal (#31647) (#32281)
* LibraryPanels: Changes to non readonly reducer (#32193) (#32200)
* Notifications: InfluxDB - Fix regex to include metrics with hyphen in aliases (#32224) (#32262)
* SSE/InfluxDB: Change InfluxQL to work with server side expressions (#31691) (#32102)
* DashboardSettings: Fixes issue with tags list not updating when changes are made (#32241) (#32247)
* Logs: If log message missing, use empty string (#32080) (#32243)
* CloudWatch: Use latest version of aws sdk (#32217) (#32223)
* Release: Updated versions in package to 7.5.0-beta.2 (#32158)
* HttpServer: Make read timeout configurable but disabled by default (#31575) (#32154)
* GraphNG: Ignore string fields when building data for uPlot in GraphNG (#32150) (#32151)
* Fix loading timezone info on windows (#32029) (#32149)
* SQLStore: Close session in withDbSession (#31775) (#32108)
* Remove datalink template suggestions for accessing specific fields when there are multiple dataframes. (#32057) (#32148)
* GraphNG: make sure dataset and config are in sync when initializing and re-initializing uPlot (#32106) (#32125)
* MixedDataSource: Name is updated when data source variable changes (#32090) (#32144)
* Backport 32005 to v7.5.x #32128 (#32130)
* Loki: Label browser UI updates (#31737) (#32119)
* ValueMappings: Fixes value 0 not being mapped (#31924) (#31929)
* GraphNG: Fix tooltip series color for multi data frame scenario (#32098) (#32103)
* LibraryPanels: Improves the Get All experience (#32028) (#32093)
* Grafana/ui: display all selected levels for selected value when searching (#32030) (#32032)
* Exemplars: always query exemplars (#31673) (#32024)
* [v7.5.x] TimePicker: Fixes hidden time picker shown in kiosk TV mode (#32055)
* Chore: Collect elasticsearch version usage stats (#31787) (#32063)
* Chore: Tidy up Go deps (#32053)
* GraphNG: Fix PlotLegend field display name being outdated (#32064) (#32066)
* Data proxy: Fix encoded characters in URL path should be proxied encoded (#30597) (#32060)
* [v7.5.x] Auth: Allow soft token revocation (#32037)
* Snapshots: Fix usage of sign in link from the snapshot page (#31986) (#32036)
* Make master green (#32011) (#32015)
* Query editor: avoid avoiding word wrap on query editor components (#31949) (#31982)
* Variables: Fixes filtering in picker with null items (#31979) (#31995)
* TooltipContainer - use resize observer instead of getClientBoundingRect (#31937) (#32003)
* Loki: Fix autocomplete when re-editing Loki label values (#31828) (#31987)
* Loki: Fix type errors in language_provider (#31902) (#31945)
* PanelInspect: Interpolates variables in CSV file name (#31936) (#31977)
* Cloudwatch: use shared library for aws auth (#29550) (#31946)
* Tooltip: partial perf improvement (#31774) (#31837) (#31957)
* Backport 31913 to v7.5.x (#31955)
* Grafana/ui: fix searchable options for Cascader with options update (#31906) (#31938)
* Variables: Do not reset description on variable type change (#31933) (#31939)
* [v7.5.x] AnnotationList: Adds spacing to UI (#31888) (#31894)
* Elasticseach: Support histogram fields (#29079) (#31914)
* Chore: upgrade eslint and fork-ts-checker-webpack-plugin (#31854) (#31896)
* Update scripts and Dockerfiles to use Go 1.16.1 (#31881) (#31891)
* Templating: use dashboard timerange when variables are set to refresh 'On Dashboard Load' (#31721) (#31801)
* [v7.5.x] Tempo: Add test for backend data source (#31835) (#31882)
* Run go mod tidy to update go.mod and go.sum (#31859)
* Grafana/ui: display all selected levels for Cascader (#31729) (#31862)
* CloudWatch: Consume the grafana/aws-sdk (#31807) (#31861)
* Cloudwatch: ListMetrics API page limit (#31788) (#31851)
* Remove invalid attribute (#31848) (#31850)
* CloudWatch: Restrict auth provider and assume role usage according to… (#31845)
* CloudWatch: Add support for EC2 IAM role (#31804) (#31841)
* Loki, Prometheus: Change the placement for query type explanation (#31784) (#31819)
* Variables: Improves inspection performance and unknown filtering (#31811) (#31813)
* Change piechart plugin state to beta (#31797) (#31798)
* ReduceTransform: Include series with numeric string names (#31763) (#31794)
* Annotations: Make the annotation clean up batch size configurable (#31487) (#31769)
* Fix escaping in ANSI and dynamic button removal (#31731) (#31767)
* DataLinks: Bring back single click links for Stat, Gauge and BarGauge panel (#31692) (#31718)
* log skipped, performed and duration for migrations (#31722) (#31754)
* Search: Make items more compact (#31734) (#31750)
* loki_datasource: add documentation to label_format and line_format (#31710) (#31746)
* Tempo: Convert tempo to backend data source2 (#31733)
* Elasticsearch: Fix script fields in query editor (#31681) (#31727)
* Elasticsearch: revert to isoWeek when resolving weekly indices (#31709) (#31717)
* Admin: Keeps expired api keys visible in table after delete (#31636) (#31675)
* Tempo: set authentication header properly (#31699) (#31701)
* Tempo: convert to backend data source (#31618) (#31695)
* Update package.json (#31672)
* Release: Bump version to 7.5.0-beta.1 (#31664)
* Fix whatsNewUrl version to 7.5 (#31666)
* Chore: add alias for what's new 7.5 (#31669)
* Docs: Update doc for PostgreSQL authentication (#31434)
* Docs: document report template variables (#31637)
* AzureMonitor: Add deprecation message for App Insights/Insights Analytics (#30633)
* Color: Fixes issue where colors where reset to gray when switch panels (#31611)
* Live: Use pure WebSocket transport (#31630)
* Docs: Fix broken image link (#31661)
* Docs: Add Whats new in 7.5 (#31659)
* Docs: Fix links for 7.5 (#31658)
* Update enterprise-configuration.md (#31656)
* Explore/Logs: Escaping of incorrectly escaped log lines (#31352)
* Tracing: Small improvements to trace types (#31646)
* Update _index.md (#31645)
* AlertingNG: code refactoring (#30787)
* Remove pkill gpg-agent (#31169)
* Remove format for plugin routes (#31633)
* Library Panels: Change unsaved change detection logic (#31477)
* CloudWatch: Added AWS Timestream Metrics and Dimensions (#31624)
* add new metrics and dimensions (#31595)
* fix devenv dashboard content typo (#31583)
* DashList: Sort starred and searched dashboard alphabetically (#31605)
* Docs: Update whats-new-in-v7-4.md (#31612)
* SSE: Add 'Classic Condition' on backend (#31511)
* InfluxDB: Improve maxDataPoints error-message in Flux-mode, raise limits (#31259)
* Alerting: PagerDuty: adding current state to the payload (#29270)
* devenv: Fix typo (#31589)
* Loki: Label browser (#30351)
* LibraryPanels: No save modal when user is on same dashboard (#31606)
* Bug: adding resolution for `react-use-measure` to prevent plugin tests from failing. (#31603)
* Update node-graph.md (#31571)
* test: pass Cypress options objects into selector wrappers (#31567)
* Loki: Add support for alerting (#31424)
* Tracing: Specify type of the data frame that is expected for TraceView (#31465)
* LibraryPanels: Adds version column (#31590)
* PieChart: Add color changing options to pie chart (#31588)
* Explore: keep enabled/disabled state in angular based QueryEditors correctly (#31558)
* Bring back correct legend sizing afer PlotLegend refactor (#31582)
* Alerting: Fix bug in Discord for when name for metric value is absent (#31257)
* LibraryPanels: Deletes library panels during folder deletion (#31572)
* chore: bump lodash to 4.17.21 (#31549)
* Elasticsearch: Fix impossibility to perform non-logs queries after importing queries from loki or prometheus in explore (#31518)
* TestData: Fixes never ending annotations scenario (#31573)
* CloudWatch: Added AWS Network Firewall metrics and dimensions (#31498)
* propagate plugin unavailable message to UI (#31560)
* ConfirmButton: updates story from knobs to controls (#31476)
* Loki: Refactor line limit to use grafana/ui component (#31509)
* LibraryPanels: Adds folder checks and permissions (#31473)
* Add guide on custom option editors (#31254)
* PieChart: Update text color and minor changes (#31546)
* Grafana-data: bump markedjs to v2.x to resolve vulnerability (#31036)
* Chore(deps): Bump google.golang.org/api from 0.39.0 to 0.40.0 (#31210)
* PieChart: Improve piechart legend and options (#31446)
* Chore(deps): Bump google.golang.org/grpc from 1.35.0 to 1.36.0 (#31541)
* Chore(deps): Bump github.com/aws/aws-sdk-go from 1.37.7 to 1.37.20 (#31538)
* Chore(deps): Bump github.com/prometheus/common from 0.17.0 to 0.18.0 (#31539)
* Add multiselect options ui (#31501)
* Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516)
* Variables: Fixes error with: cannot read property length of undefined (#31458)
* Explore: Show ANSI colored logs in logs context (#31510)
* LogsPanel: Show all received logs (#31505)
* AddPanel: Design polish (#31484)
* TimeSeriesPanel: Remove unnecessary margin from legend (#31467)
* influxdb: flux: handle is-hidden (#31324)
* Graph: Fix tooltip not showing when close to the edge of viewport (#31493)
* FolderPicker: Remove useNewForms from FolderPicker (#31485)
* Add reportVariables feature toggle (#31469)
* Grafana datasource: support multiple targets (#31495)
* Update license-restrictions.md (#31488)
* Docs: Derived fields links in logs detail view (#31482)
* Docs: Add new data source links to Enterprise page (#31480)
* Convert annotations to dataframes (#31400)
* ReleaseNotes: Updated changelog and release notes for v7.4.2 (#31475)
* GrafanaUI: Fixes typescript error for missing css prop (#31479)
* Login: handle custom token creation error messages (#31283)
* Library Panels: Don't list current panel in available panels list (#31472)
* DashboardSettings: Migrate Link Settings to React (#31150)
* Frontend changes for library panels feature (#30653)
* Alerting notifier SensuGo: improvements in default message (#31428)
* AppPlugins: Options to disable showing config page in nav (#31354)
* add aws config (#31464)
* Heatmap: Fix missing/wrong value in heatmap legend (#31430)
* Chore: Fixes small typos (#31461)
* Graphite/SSE: update graphite to work with server side expressions (#31455)
* update the lastest version to 7.4.3 (#31457)
* ReleaseNotes: Updated changelog and release notes for 7.4.3 (#31454)
* AWS: Add aws plugin configuration (#31312)
* Revert ''Release: Updated versions in package to 7.4.3' (#31444)' (#31452)
* Remove UserSyncInfo.tsx (#31450)
* Elasticsearch: Add word highlighting to search results (#30293)
* Chore: Fix eslint react hook warnings in grafana-ui (#31092)
* CloudWatch: Make it possible to specify custom api endpoint (#31402)
* Chore: fixed incorrect naming for disable settings (#31448)
* TraceViewer: Fix show log marker in spanbar (#30742)
* LibraryPanels: Adds permissions to getAllHandler (#31416)
* NamedColorsPalette: updates story from knobs to controls (#31443)
* 'Release: Updated versions in package to 7.4.3' (#31444)
* ColorPicker: updates story from knobs to controls (#31429)
* Streaming: Fixes an issue with time series panel and streaming data source when scrolling back from being out of view (#31431)
* ClipboardButton: updates story from knobs to controls (#31422)
* we should never log unhashed tokens (#31432)
* CI: Upgrade Dockerfiles wrt. Go, Node, Debian (#31407)
* Elasticsearch: Fix query initialization logic & query transformation from Promethous/Loki (#31322)
* Postgres: allow providing TLS/SSL certificates as text in addition to file paths (#30353)
* CloudWatch: Added AWS Ground Station metrics and dimensions (#31362)
* TraceViewer: Fix trace to logs icon to show in right pane (#31414)
* add hg team as migrations code owners (#31420)
* Remove tidy-check script (#31423)
* InfluxDB: handle columns named 'table' (#30985)
* Prometheus: Use configured HTTP method for /series and /labels endpoints (#31401)
* Devenv: Add gdev-influxdb2 data source (#31250)
* Update grabpl from 0.5.38 to 0.5.42 version (#31419)
* Move NOOP_CONTROL to storybook utils and change to a standalone file (#31421)
* remove squadcast details from docs (#31413)
* Add new Cloudwatch AWS/DDoSProtection metrics and dimensions (#31297)
* Logging: add frontend logging helpers to @grafana/runtime package (#30482)
* CallToActionCard: updates story from knobs to controls (#31393)
* Add eu-south-1 cloudwatch region, closes #31197 (#31198)
* Chore: Upgrade eslint packages (#31408)
* Cascader: updates story from knobs to controls (#31399)
* addressed issues 28763 and 30314. (#31404)
* Added section Query a time series database by id (#31337)
* Prometheus: Change default httpMethod for new instances to POST (#31292)
* Data source list: Use Card component (#31326)
* Chore: Remove gotest.tools dependency (#31391)
* Revert 'StoryBook: Introduces Grafana Controls (#31351)' (#31388)
* Chore(deps): Bump github.com/prometheus/common from 0.15.0 to 0.17.0 (#31387)
* AdHocVariables: Fixes crash when values are stored as numbers (#31382)
* Chore(deps): Bump github.com/golang/mock from 1.4.4 to 1.5.0 (#31379)
* Chore: Fix strict errors, down to 416 (#31365)
* Chore(deps): Bump github.com/getsentry/sentry-go from 0.9.0 to 0.10.0 (#31378)
* StoryBook: Introduces Grafana Controls (#31351)
* ReleaseNotes: Updated changelog and release notes for 7.4.2 (#31313)
* Theming: Support for runtime theme switching and hooks for custom themes (#31301)
* Devenv: Remove old-versioned loki blocks and update prometheus2 block (#31282)
* Zipkin: Show success on test data source (#30829)
* Update grot template (needs more info) (#31350)
* DatasourceSrv: Fix instance retrieval when datasource variable value set to 'default' (#31347)
* TimeSeriesPanel: Fixes overlapping time axis ticks (#31332)
* Grafana/UI: Add basic legend to the PieChart (#31278)
* SAML: single logout only enabled in enterprise (#31325)
* QueryEditor: handle query.hide changes in angular based query-editors (#31336)
* DashboardLinks: Fixes another issue where dashboard links cause full page reload (#31334)
* LibraryPanels: Syncs panel title with name (#31311)
* Chore: Upgrade golangci-lint (#31330)
* Add info to docs about concurrent session limits (#31333)
* Table: Fixes issue with fixed min and auto max with bar gauge cell (#31316)
* BarGuage: updates story from knobs to controls (#31223)
* Docs: Clarifies how to add Key/Value pairs (#31303)
* Usagestats: Exclude folders from total dashboard count (#31320)
* ButtonCascader: updates story from knobs to controls (#31288)
* test: allow check for Table as well as Graph for Explore e2e flow (#31290)
* Grafana-UI: Update tooltip type (#31310)
* fix 7.4.2 release note (#31299)
* Add `--tries 3` arg when triggering e2e-tests upon releasing (#31285)
* Chore: reduce strict errors for variables (#31241)
* update latest release version (#31296)
* ReleaseNotes: Updated changelog and release notes for 7.4.2 (#31291)
* Correct name of Discord notifier tests (#31277)
* Docs: Clarifies custom date formats for variables (#31271)
* BigValue: updates story from knobs to controls (#31240)
* Docs: Annotations update (#31194)
* Introduce functions for interacting with library panels API (#30993)
* Search: display sort metadata (#31167)
* Folders: Editors should be able to edit name and delete folders (#31242)
* Make Datetime local (No date if today) working (#31274)
* UsageStats: Purpose named variables (#31264)
* Snapshots: Disallow anonymous user to create snapshots (#31263)
* only update usagestats every 30min (#31131)
* Chore: grafana-toolkit uses grafana-ui and grafana-data workspaces (#30701)
* Grafana-UI: Add id to Select to make it easier to test (#31230)
* Prometheus: Fix enabling of disabled queries when editing in dashboard (#31055)
* UI/Card: Fix handling of 'onClick' callback (#31225)
* Loki: Add line limit for annotations (#31183)
* Remove deprecated and breaking loki config field (#31227)
* SqlDataSources: Fixes the Show Generated SQL button in query editors (#31236)
* LibraryPanels: Disconnect before connect during dashboard save (#31235)
* Disable Change Password for OAuth users (#27886)
* TagsInput: Design update and component refactor (#31163)
* Variables: Adds back default option for data source variable (#31208)
* IPv6: Support host address configured with enclosing square brackets (#31226)
* Postgres: Fix timeGroup macro converts long intervals to invalid numbers when TimescaleDB is enabled (#31179)
* GraphNG: refactor core to class component (#30941)
* Remove last synchronisation field from LDAP debug view (#30984)
* Chore: Upgrade grafana-plugin-sdk-go to v0.88.0 (#30975)
* Graph: Make axes unit option work even when field option unit is set (#31205)
* AlertingNG: Test definition (#30886)
* Docs: Update Influx config options (#31146)
* WIP: Skip this call when we skip migrations (#31216)
* use 0.1.0 (#31215)
* DataSourceSrv: Filter out non queryable data sources by default (#31144)
* QueryEditors: Fixes issue that happens after moving queries then editing would update other queries (#31193)
* Chore: report eslint no-explicit-any errors to metrics (#31182)
* Chore(deps): Bump cloud.google.com/go/storage from 1.12.0 to 1.13.0 (#31211)
* Chore(deps): Bump xorm.io/xorm from 0.8.1 to 0.8.2 (#30773)
* Alerting: Fix modal text for deleting obsolete notifier (#31171)
* Chore(deps): Bump github.com/linkedin/goavro/v2 from 2.9.7 to 2.10.0 (#31204)
* Variables: Fixes missing empty elements from regex filters (#31156)
* StatPanels: Fixes to palette color scheme is not cleared when loading panel (#31126)
* Fixed the typo. (#31189)
* Docs: Rewrite preferences docs (#31154)
* Explore/Refactor: Simplify URL handling (#29173)
* DashboardLinks: Fixes links always cause full page reload (#31178)
* Replace PR with Commit truncated hash when build fails (#31177)
* Alert: update story to use controls (#31145)
* Permissions: Fix team and role permissions on folders/dashboards not displayed for non Grafana Admin users (#31132)
* CloudWatch: Ensure empty query row errors are not passed to the panel (#31172)
* Update prometheus.md (#31173)
* Variables: Extend option pickers to accept custom onChange callback (#30913)
* Prometheus: Multiply exemplars timestamp to follow api change (#31143)
* DashboardListPanel: Fixes issue with folder picker always showing All and using old form styles (#31160)
* Add author name and pr number in drone pipeline notifications (#31124)
* Prometheus: Add documentation for ad-hoc filters (#31122)
* DataSourceSettings: Fixes add header button, it should not trigger a save & test action (#31135)
* Alerting: Fix so that sending an alert with the Alertmanager notifier doesn't fail when one of multiple configured URL's are down (#31079)
* Chore: Update latest.json (#31139)
* Docs: add 7.4.1 relese notes link (#31137)
* PieChart: Progress on new core pie chart (#28020)
* ReleaseNotes: Updated changelog and release notes for 7.4.1 (#31133)
* Eslint: no-duplicate-imports rule (bump grafana-eslint-config) (#30989)
* Transforms: Fixes Outer join issue with duplicate field names not getting the same unique field names as before (#31121)
* MuxWriter: Handle error for already closed file (#31119)
* Logging: sourcemap transform asset urls from CDN in logged stacktraces (#31115)
* Search: add sort information in dashboard results (#30609)
* area/grafana/e2e: ginstall should pull version specified (#31056)
* Exemplars: Change CTA style (#30880)
* Influx: Make max series limit configurable and show the limiting message if applied (#31025)
* Docs: request security (#30937)
* update configurePanel for 7.4.0 changes (#31093)
* Elasticsearch: fix log row context erroring out (#31088)
* Prometheus: Fix issues with ad-hoc filters (#30931)
* LogsPanel: Add deduplication option for logs (#31019)
* Drone: Make sure CDN upload is ok before pushing docker images (#31075)
* PluginManager: Remove some global state (#31081)
* test: update addDashboard flow for v7.4.0 changes (#31059)
* Transformations: Fixed typo in FilterByValue transformer description. (#31078)
* Docs: Group id should be 0 instead of 1 in Docker upgrade notes (#31074)
* Usage stats: Adds source/distributor setting (#31039)
* CDN: Add CDN upload step to enterprise and release pipelines (#31058)
* Chore: Replace native select with grafana ui select (#31030)
* Docs: Update json-model.md (#31066)
* Docs: Update whats-new-in-v7-4.md (#31069)
* Added hyperlinks to Graphite documentation (#31064)
* DashboardSettings: Update to new form styles (#31022)
* CDN: Fixing drone CI config (#31052)
* convert path to posix by default (#31045)
* DashboardLinks: Fixes crash when link has no title (#31008)
* Alerting: Fixes so notification channels are properly deleted (#31040)
* Explore: Remove emotion error when displaying logs (#31026)
* Elasticsearch: Fix alias field value not being shown in query editor (#30992)
* CDN: Adds uppload to CDN step to drone CI (#30879)
* Improved glossary (#31004)
* BarGauge: Improvements to value sizing and table inner width calculations (#30990)
* Drone: Fix deployment image (#31027)
* ColorPicker: migrated styles from sass to emotion (#30909)
* Dashboard: Migrate general settings to react (#30914)
* Chore(deps): Bump github.com/jung-kurt/gofpdf from 1.10.1 to 1.16.2 (#30586)
* Chore(deps): Bump github.com/aws/aws-sdk-go from 1.36.31 to 1.37.7 (#31018)
* Prometheus: Min step defaults to seconds when no unit is set to prevent errors when running alerts. (#30966)
* Chore(deps): Bump github.com/magefile/mage from 1.10.0 to 1.11.0 (#31017)
* Chore(deps): Bump github.com/grpc-ecosystem/go-grpc-middleware (#31013)
* Graph: Fixes so graph is shown for non numeric time values (#30972)
* CloudMonitoring: Prevent resource type variable function from crashing (#30901)
* Chore(deps): Bump google.golang.org/api from 0.33.0 to 0.39.0 (#30971)
* Build: Releases e2e and e2e-selectors too (#31006)
* TextPanel: Fixes so panel title is updated when variables change (#30884)
* Docs: Update configuration.md (login_maximum_inactive_lifetime_duration, login_maximum_lifetime_duration) (#31000)
* instrumentation: make the first database histogram bucket smaller (#30995)
* Grafana/UI: Remove DismissableFeatureInfoBox and replace with LocalSt… (#30988)
* StatPanel: Fixes issue formatting date values using unit option (#30979)
* Chore(deps): Bump actions/cache from v2 to v2.1.4 (#30973)
* Units: Fixes formatting of duration units (#30982)
* Elasticsearch: Show Size setting for raw_data metric (#30980)
* Alerts: Dedupe alerts so that we do not fill the screen with the same alert messsage (#30935)
* make sure service and slo display name is passed to segment comp (#30900)
* assign changes in cloud datasources to the new cloud datasources team (#30645)
* Table: Updates devenv test dashboard after change to TestData Randrom Table response (#30927)
* Theme: Use higher order theme color variables rather then is light/dark logic (#30939)
* Docs: Add alias for what's new in 7.4 (#30945)
* e2e: extends selector factory to plugins (#30932)
* Chore: Upgrade docker build image (#30820)
* Docs: updated developer guide (#29978)
* Alerts: Update Alert storybook to show more states (#30908)
* Variables: Adds queryparam formatting option (#30858)
* Chore: pad unknown values with undefined (#30808)
* Transformers: add search to transform selection (#30854)
* Exemplars: change api to reflect latest changes (#30910)
* docs: use selinux relabelling on docker containers (#27685)
* Docs: Fix bad image path for alert notification template (#30911)
* Make value mappings correctly interpret numeric-like strings (#30893)
* Chore: Update latest.json (#30905)
* Docs: Update whats-new-in-v7-4.md (#30882)
* Dashboard: Ignore changes to dashboard when the user session expires (#30897)
* ReleaseNotes: Updated changelog and release notes for 7.4.0 (#30902)
* test: add support for timeout to be passed in for addDatasource (#30736)
* increase page size and make sure the cache supports query params (#30892)
* DataSourceSettings: Adds info box and link to Grafana Cloud (#30891)
* OAuth: custom username docs (#28400)
* Panels: Remove value mapping of values that have been formatted #26763 (#30868)
* Alerting: Fixes alert panel header icon not showing (#30840)
* AlertingNG: Edit Alert Definition (#30676)
* Logging: sourcemap support for frontend stacktraces (#30590)
* Added 'Restart Grafana' topic. (#30844)
* Docs: Org, Team, and User Admin (#30756)
* bump grabpl version to 0.5.36 (#30874)
* Plugins: Requests validator (#30445)
* Docs: Update whats-new-in-v7-4.md (#30876)
* Docs: Add server view folder (#30849)
* Fixed image name and path (#30871)
* Grafana-ui: fixes closing modals with escape key (#30745)
* InfluxDB: Add http configuration when selecting InfluxDB v2 flavor (#30827)
* TestData: Fixes issue with for ever loading state when all queries are hidden (#30861)
* Chart/Tooltip: refactored style declaration (#30824)
* ReleaseNotes: Updated changelog and release notes for 7.4.0-beta1 (#30853)
* Grafana-ui: fixes no data message in Table component (#30821)
* grafana/ui: Update pagination component for large number of pages (#30151)
* Alerting: Customise OK notification priorities for Pushover notifier (#30169)
* DashboardLinks: Support variable expression in to tooltip - Issue #30409 (#30569)
* Chore: Remove panelTime.html, closes #30097 (#30842)
* Docs: Time series panel, bar alignment docs (#30780)
* Chore: add more docs annotations (#30847)
* Transforms: allow boolean in field calculations (#30802)
* Prometheus: Add tooltip to explain possibility to use patterns in text and title fields in annotations (#30825)
* Update prometheus.md with image link fix (#30833)
* BarChart: inside-align strokes, upgrade uPlot to 1.6.4. (#30806)
* Update license-expiration.md (#30839)
* Explore rewrite (#30804)
* Prometheus: Set type of labels to string (#30831)
* GrafanaUI: Add a way to persistently close InfoBox (#30716)
* Fix typo in transformer registry (#30712)
* Elasticsearch: Display errors with text responses (#30122)
* CDN: Fixes cdn path when Grafana is under sub path (#30822)
* TraceViewer: Fix lazy loading (#30700)
* FormField: migrated sass styling to emotion (#30392)
* AlertingNG: change API permissions (#30781)
* Variables: Clears drop down state when leaving dashboard (#30810)
* Grafana-UI: Add story/docs for ErrorBoundary (#30304)
* Add missing callback dependency (#30797)
* PanelLibrary: Adds library panel meta information to dashboard json (#30770)
* Chore(deps): Bump gonum.org/v1/gonum from 0.6.0 to 0.8.2 (#30343)
* Chore(deps): Bump gopkg.in/yaml.v2 from 2.3.0 to 2.4.0 (#30771)
* GraphNG: improve behavior when switching between solid/dash/dots (#30796)
* Chore(deps): Bump github.com/hashicorp/go-hclog from 0.14.1 to 0.15.0 (#30778)
* Add width for Variable Editors (#30791)
* Chore: Remove warning when calling resource (#30752)
* Auth: Use SigV4 lib from grafana-aws-sdk (#30713)
* Panels: Fixes so panels are refreshed when scrolling past them fast (#30784)
* GraphNG: add bar alignment option (#30499)
* Expressions: Measure total transformation requests and elapsed time (#30514)
* Menu: Mark menu components as internal (#30740)
* TableInputCSV: migrated styles from sass to emotion (#30554)
* CDN: Fix passing correct prefix to GetContentDeliveryURL (#30777)
* Chore(deps): Bump gopkg.in/ini.v1 from 1.57.0 to 1.62.0 (#30772)
* CDN: Adds support for serving assets over a CDN (#30691)
* PanelEdit: Trigger refresh when changing data source (#30744)
* Chore: remove __debug_bin (#30725)
* BarChart: add alpha bar chart panel (#30323)
* Docs: Time series panel (#30690)
* Backend Plugins: Convert test data source to use SDK contracts (#29916)
* Docs: Update whats-new-in-v7-4.md (#30747)
* Add link to Elasticsearch docs. (#30748)
* Mobile: Fixes issue scrolling on mobile in chrome (#30746)
* TagsInput: Make placeholder configurable (#30718)
* Docs: Add config settings for fonts in reporting (#30421)
* Add menu.yaml to .gitignore (#30743)
* bump cypress to 6.3.0 (#30644)
* Datasource: Use json-iterator configuration compatible with standard library (#30732)
* AlertingNG: Update UX to use new PageToolbar component (#30680)
* Docs: Add usage insights export feature (#30376)
* skip symlinks to directories when generating plugin manifest (#30721)
* PluginCiE2E: Upgrade base images (#30696)
* Variables: Fixes so text format will show All instead of custom all (#30730)
* PanelLibrary: better handling of deleted panels (#30709)
* Added section 'Curated dashboards for Google Cloud Monitoring' for 7.4 What's New (#30724)
* Added 'curated dashboards' information and broke down, rearranged topics. (#30659)
* Transform: improve the 'outer join' performance/behavior (#30407)
* Add alt text to plugin logos (#30710)
* Deleted menu.yaml file (#30717)
* Dashboard: Top Share URL icon should share panel URL when on viewPanel page (#30000)
* Added entry for web server. (#30715)
* DashboardPicker: switch to promise-based debounce, return dashboard UID (#30706)
* Use connected GraphNG in Explore (#30707)
* Fix documentation for streaming data sources (#30704)
* PanelLibrary: changes casing of responses and adds meta property (#30668)
* Influx: Show all datapoints for dynamically windowed flux query (#30688)
* Trace: trace to logs design update (#30637)
* DeployImage: Switch base images to Debian (#30684)
* Chore: remove CSP debug logging line (#30689)
* Docs: 7.4 documentation for expressions (#30524)
* PanelEdit: Get rid of last remaining usage of navbar-button (#30682)
* Grafana-UI: Fix setting default value for MultiSelect (#30671)
* CustomScrollbar: migrated styles from sass to emotion (#30506)
* DashboardSettings & PanelEdit: Use new PageToolbar (#30675)
* Explore: Fix jumpy live tailing (#30650)
* ci(npm-publish): add missing github package token to env vars (#30665)
* PageToolbar: Extracting navbar styles & layout into a modern emotion based component (#30588)
* AlertingNG: pause/unpause definitions via the API (#30627)
* Docs: Refer to product docs in whats new for alerting templating feature (#30652)
* ReleaseNotes: Updated changelog and release notes for 7.4.0-beta1 (#30666)
* Variables: Fixes display value when using capture groups in regex (#30636)
* Docs: Update _index.md (#30655)
* Docs: Auditing updates (#30433)
* Docs: add hidden_users configuration field (#30435)
* Docs: Define TLS/SSL terminology (#30533)
* Docs: Fix expressions enabled description (#30589)
* Docs: Update ES screenshots (#30598)
* Licensing Docs: Adding license restrictions docs (#30216)
* Update documentation-style-guide.md (#30611)
* Docs: Update queries.md (#30616)
* chore(grafana-ui): bump storybook to 6.1.15 (#30642)
* DashboardSettings: fixes vertical scrolling (#30640)
* Usage Stats: Remove unused method for getting user stats (#30074)
* Grafana/UI: Unit picker should not set a category as unit (#30638)
* Graph: Fixes auto decimals issue in legend and tooltip (#30628)
* AlertingNG: List saved Alert definitions in Alert Rule list (#30603)
* chore: bump redux toolkit to 1.5.0 for immer 8.0.1 vulnerability fix (#30605)
* Grafana/UI: Add disable prop to Segment (#30539)
* Variables: Fixes so queries work for numbers values too (#30602)
* Admin: Fixes so form values are filled in from backend (#30544)
* Docs: Add new override info and add whats new 7.4 links (#30615)
* TestData: Improve what's new in v7.4 (#30612)
* Docs: Update 7.4 What's New to use more correct description of alerting notification template feature (#30502)
* NodeGraph: Add docs (#30504)
* Loki: Improve live tailing errors and fix Explore's logs container type errors (#30517)
* TimeRangePicker: Updates components to use new ToolbarButton & ButtonGroup (#30570)
* Update styling.md guide (#30594)
* TestData: Adding what's new in v7.4 to the devenv dashboards (#30568)
* Chore(deps): Bump github.com/aws/aws-sdk-go from 1.35.5 to 1.36.31 (#30583)
* Chore(deps): Bump github.com/prometheus/client_golang (#30585)
* Chore(deps): Bump gopkg.in/macaron.v1 from 1.3.9 to 1.4.0 (#30587)
* Chore(deps): Bump github.com/google/uuid from 1.1.5 to 1.2.0 (#30584)
* Explore: Fix logs hover state so that it is visible and in dark mode & simply hover code (#30572)
* RefreshPicker: Fixes so valid intervals in url are visible in RefreshPicker (#30474)
* Add documentation for Exemplars (#30317)
* OldGraph: Fix height issue in Firefox (#30565)
* XY Chart: fix editor error with empty frame (no fields) (#30573)
* ButtonSelect & RefreshPicker: Rewrite of components to use new emotion based ToolbarButton & Menu (#30510)
* XY Chart: share legend config with timeseries (#30559)
* configuration.md: Document Content Security Policy options (#30413)
* DataFrame: cache frame/field index in field state (#30529)
* List + before -; rm old Git ref; reformat. (#30543)
* Expressions: Add option to disable feature (#30541)
* Explore: Fix loading visualisation on the top of the new time series panel (#30553)
* Prometheus: Fix show query instead of Value if no __name__ and metric (#30511)
* Decimals: Big Improvements to auto decimals and fixes to auto decimals bug found in 7.4-beta1 (#30519)
* Postgres: Convert tests to stdlib (#30536)
* Storybook: Migrate card story to use controls (#30535)
* AlertingNG: Enable UI to Save Alert Definitions (#30394)
* Postgres: Be consistent about TLS/SSL terminology (#30532)
* Loki: Append refId to logs uid (#30418)
* Postgres: Fix indentation (#30531)
* GraphNG: uPlot 1.6.3 (fix bands not filling below 0). close #30523. (#30527)
* updates for e2e docker image (#30465)
* GraphNG: uPlot 1.6.2 (#30521)
* Docs: Update whats-new-in-v7-4.md (#30520)
* Prettier: ignore build and devenv dirs (#30501)
* Chore: Upgrade grabpl version (#30486)
* Explore: Update styling of buttons (#30493)
* Cloud Monitoring: Fix legend naming with display name override (#30440)
* GraphNG: Disable Plot logging by default (#30390)
* Admin: Fixes so whole org drop down is visible when adding users to org (#30481)
* Docs: include Makefile option for local assets (#30455)
* Footer: Fixes layout issue in footer (#30443)
* TimeSeriesPanel: Fixed default value for gradientMode (#30484)
* Docs: fix typo in what's new doc (#30489)
* Chore: adds wait to e2e test (#30488)
* chore: update packages dependent on dot-prop to fix security vulnerability (#30432)
* Dashboard: Remove Icon and change copy -> Copy to clipboard in the share embedded panel modal (#30480)
* Chore: fix spelling mistake (#30473)
* Chore: Restrict internal imports from other packages (#30453)
* Docs: What's new fixes and improvements (#30469)
* Timeseries: only migrage point size when configured (#30461)
* Alerting: Hides threshold handle for percentual thresholds (#30431)
* Graph: Fixes so only users with correct permissions can add annotations (#30419)
* Chore: update latest version to 7.4.0-beta1 (#30452)
* Docs: Add whats new 7.4 links (#30463)
* Update whats-new-in-v7-4.md (#30460)
* docs: 7.4 what's new (Add expressions note) (#30446)
* Chore: Upgrade build pipeline tool (#30456)
* PanelModel: Make sure the angular options are passed to react panel type changed handler (#30441)
* Expressions: Fix button icon (#30444)
* ReleaseNotes: Updated changelog and release notes for 7.4.0-beta1 (#30449)
* Docs: Fix img link for alert notification template (#30436)
* grafana/ui: Fix internal import from grafana/data (#30439)
* prevent field config from being overwritten (#30437)
* PanelOptions: Refactoring applying panel and field options out of PanelModel and add property clean up for properties not in field config registry (#30389)
* Dashboard: Remove template variables option from ShareModal (#30395)
* Added doc content for variables inspector code change by Hugo (#30408)
* Docs: update license expiration behavior for reporting (#30420)
* Chore: use old version format in package.json (#30430)
* Chore: upgrade NPM security vulnerabilities (#30397)
* 'Release: Updated versions in package to 7.5.0-pre.0' (#30428)
* contribute: Add backend and configuration guidelines for PRs (#30426)
* Chore: Update what's new URL (#30424)
- Update to version 7.4.5
- CVE-2021-28146, CVE-2021-28147: Fix API permissions issues related to team-sync. (Enterprise) (bsc#1183811, bsc#1183809)
- CVE-2021-28148: Usage insights requires signed in users. (Enterprise) (bsc#1183813)
- CVE-2021-27962: Do not allow editors to incorrectly bypass permissions on the default data source. (Enterprise) (bsc#1184371)
| Advisory ID | SUSE-SU-2021:2682-1
|
| Released | Thu Aug 12 20:06:19 2021 |
| Summary | Security update for rpm |
| Type | security |
| Severity | important |
| References | 1179416,1181805,1183543,1183545,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 |
Description:
This update for rpm fixes the following issues:
- Changed default package verification level to 'none' to be compatible to rpm-4.14.1
- Made illegal obsoletes a warning
- Fixed a potential access of freed mem in ndb's glue code (bsc#1179416)
- Added support for enforcing signature policy and payload verification step to
transactions (jsc#SLE-17817)
- Added :humansi and :hmaniec query formatters for human readable output
- Added query selectors for whatobsoletes and whatconflicts
- Added support for sorting caret higher than base version
- rpm does no longer require the signature header to be in a contiguous
region when signing (bsc#1181805)
Security fixes:
- CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an
attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM
repository, to cause RPM database corruption. The highest threat from this vulnerability is to
data integrity (bsc#1183543)
- CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file.
This flaw allows an attacker who can convince a victim to install a seemingly verifiable package,
whose signature header was modified, to cause RPM database corruption and execute code. The highest
threat from this vulnerability is to data integrity, confidentiality, and system availability (bsc#1183545)
- CVE-2021-20266: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker
who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability
is to system availability.
| Advisory ID | SUSE-SU-2021:2689-1
|
| Released | Mon Aug 16 10:54:52 2021 |
| Summary | Security update for cpio |
| Type | security |
| Severity | important |
| References | 1189206,CVE-2021-38185 |
Description:
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
| Advisory ID | SUSE-RU-2021:2763-1
|
| Released | Tue Aug 17 17:16:22 2021 |
| Summary | Recommended update for cpio |
| Type | recommended |
| Severity | critical |
| References | 1189465 |
Description:
This update for cpio fixes the following issues:
- A regression in last update would cause builds to hang on various architectures(bsc#1189465)
| Advisory ID | SUSE-RU-2021:2780-1
|
| Released | Thu Aug 19 16:09:15 2021 |
| Summary | Recommended update for cpio |
| Type | recommended |
| Severity | critical |
| References | 1189465,CVE-2021-38185 |
Description:
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
| Advisory ID | SUSE-RU-2021:2786-1
|
| Released | Fri Aug 20 02:02:23 2021 |
| Summary | Recommended update for bash |
| Type | recommended |
| Severity | important |
| References | 1057452,1188287 |
Description:
This update for bash fixes the following issues:
- Allow process group assignment even for modern kernels (bsc#1057452, bsc#1188287)
| Advisory ID | SUSE-SU-2021:2809-1
|
| Released | Mon Aug 23 12:12:31 2021 |
| Summary | Security update for systemd |
| Type | security |
| Severity | moderate |
| References | 1166028,1171962,1184994,1185972,1188063,CVE-2020-13529,CVE-2021-33910 |
Description:
This update for systemd fixes the following issues:
- Updated to version 246.15
- CVE-2021-33910: Fixed a denial of service issue in systemd. (bsc#1188063)
- CVE-2020-13529: Fixed an issue that allows crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. (bsc#1185972)
| Advisory ID | SUSE-SU-2021:2830-1
|
| Released | Tue Aug 24 16:20:18 2021 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | important |
| References | 1189520,1189521,CVE-2021-3711,CVE-2021-3712 |
Description:
This update for openssl-1_1 fixes the following security issues:
- CVE-2021-3711: A bug in the implementation of the SM2 decryption code
could lead to buffer overflows. [bsc#1189520]
- CVE-2021-3712: a bug in the code for printing certificate details could
lead to a buffer overrun that a malicious actor could exploit to crash
the application, causing a denial-of-service attack. [bsc#1189521]
| Advisory ID | SUSE-RU-2021:2938-1
|
| Released | Fri Sep 3 09:19:36 2021 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1184614 |
Description:
This update for openldap2 fixes the following issue:
- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
| Advisory ID | SUSE-SU-2021:2966-1
|
| Released | Tue Sep 7 09:49:14 2021 |
| Summary | Security update for openssl-1_1 |
| Type | security |
| Severity | low |
| References | 1189521,CVE-2021-3712 |
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
| Advisory ID | SUSE-RU-2021:3013-1
|
| Released | Thu Sep 9 16:55:40 2021 |
| Summary | Recommended update for patterns-base, patterns-server-enterprise, sles15-image |
| Type | recommended |
| Severity | moderate |
| References | 1183154,1189550 |
Description:
This update for patterns-base, patterns-server-enterprise, sles15-image fixes the following issues:
- Add pattern to install necessary packages for FIPS (bsc#1183154)
- Add patterns-base-fips to work also in FIPS environments (bsc#1183154)
- Use the same icon in the fips pattern as the previous pattern had (bsc#1189550)
| Advisory ID | SUSE-SU-2021:3175-1
|
| Released | Tue Sep 21 16:27:50 2021 |
| Summary | Security update for grafana-piechart-panel |
| Type | security |
| Severity | moderate |
| References | 1172125,CVE-2020-13429 |
Description:
This update for grafana-piechart-panel fixes the following issues:
- CVE-2020-13429: Fixed XSS via the Values Header option in the piechart-panel (bsc#1172125).
| Advisory ID | SUSE-RU-2021:3182-1
|
| Released | Tue Sep 21 17:04:26 2021 |
| Summary | Recommended update for file |
| Type | recommended |
| Severity | moderate |
| References | 1189996 |
Description:
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
| Advisory ID | SUSE-SU-2021:3291-1
|
| Released | Wed Oct 6 16:45:36 2021 |
| Summary | Security update for glibc |
| Type | security |
| Severity | moderate |
| References | 1186489,1187911,CVE-2021-33574,CVE-2021-35942 |
Description:
This update for glibc fixes the following issues:
- CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
- CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).
| Advisory ID | SUSE-SU-2021:3298-1
|
| Released | Wed Oct 6 16:54:52 2021 |
| Summary | Security update for curl |
| Type | security |
| Severity | moderate |
| References | 1190373,1190374,CVE-2021-22946,CVE-2021-22947 |
Description:
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
| Advisory ID | SUSE-RU-2021:3310-1
|
| Released | Wed Oct 6 18:12:41 2021 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1134353,1184994,1188291,1188588,1188713,1189446,1189480 |
Description:
This update for systemd fixes the following issues:
- Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks(HD's) (jsc#SLE-21032, bsc#1134353).
- Multipath: Rules weren't applied to dm devices (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994).
- Remove kernel unsupported single-queue block I/O.
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when updating active udev on sockets restart (bsc#1188291).
- Merge of v246.16, for a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d
- Drop 1007-tmpfiles-follow-SUSE-policies.patch:
Since most of the tmpfiles config files shipped by upstream are
ignored (see previous commit 'Drop most of the tmpfiles that deal
with generic paths'), this patch is no more relevant.
Additional fixes:
- core: make sure cgroup_oom_queue is flushed on manager exit.
- cgroup: do 'catchup' for unit cgroup inotify watch files.
- journalctl: never fail at flushing when the flushed flag is set (bsc#1188588).
- manager: reexecute on SIGRTMIN+25, user instances only.
- manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446).
- pid1: watchdog modernizations.
| Advisory ID | SUSE-OU-2021:3327-1
|
| Released | Mon Oct 11 11:44:50 2021 |
| Summary | Optional update for coreutils |
| Type | optional |
| Severity | low |
| References | 1189454 |
Description:
This optional update for coreutils fixes the following issue:
- Provide coreutils documentation, 'coreutils-doc', with 'L2' support level. (bsc#1189454)
| Advisory ID | SUSE-SU-2021:3445-1
|
| Released | Fri Oct 15 09:03:39 2021 |
| Summary | Security update for rpm |
| Type | security |
| Severity | important |
| References | 1183659,1185299,1187670,1188548 |
Description:
This update for rpm fixes the following issues:
Security issues fixed:
- PGP hardening changes (bsc#1185299)
Maintaince issues fixed:
- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659)
| Advisory ID | SUSE-SU-2021:3474-1
|
| Released | Wed Oct 20 08:41:31 2021 |
| Summary | Security update for util-linux |
| Type | security |
| Severity | moderate |
| References | 1178236,1188921,CVE-2021-37600 |
Description:
This update for util-linux fixes the following issues:
- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)
| Advisory ID | SUSE-RU-2021:3480-1
|
| Released | Wed Oct 20 11:24:10 2021 |
| Summary | Recommended update for yast2-network |
| Type | recommended |
| Severity | moderate |
| References | 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 |
Description:
This update for yast2-network fixes the following issues:
- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
| Advisory ID | SUSE-SU-2021:3490-1
|
| Released | Wed Oct 20 16:31:55 2021 |
| Summary | Security update for ncurses |
| Type | security |
| Severity | moderate |
| References | 1190793,CVE-2021-39537 |
Description:
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
| Advisory ID | SUSE-RU-2021:3494-1
|
| Released | Wed Oct 20 16:48:46 2021 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | moderate |
| References | 1190052 |
Description:
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
| Advisory ID | SUSE-RU-2021:3501-1
|
| Released | Fri Oct 22 10:42:46 2021 |
| Summary | Recommended update for libzypp, zypper, libsolv, protobuf |
| Type | recommended |
| Severity | moderate |
| References | 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815 |
Description:
This update for libzypp, zypper, libsolv and protobuf fixes the following issues:
- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check of signatures and keys two times(redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates(bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)
| Advisory ID | SUSE-RU-2021:3510-1
|
| Released | Tue Oct 26 11:22:15 2021 |
| Summary | Recommended update for pam |
| Type | recommended |
| Severity | important |
| References | 1191987 |
Description:
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
| Advisory ID | SUSE-SU-2021:3529-1
|
| Released | Wed Oct 27 09:23:32 2021 |
| Summary | Security update for pcre |
| Type | security |
| Severity | moderate |
| References | 1172973,1172974,CVE-2019-20838,CVE-2020-14155 |
Description:
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)
| Advisory ID | SUSE-RU-2021:3564-1
|
| Released | Wed Oct 27 16:12:08 2021 |
| Summary | Recommended update for rpm-config-SUSE |
| Type | recommended |
| Severity | moderate |
| References | 1190850 |
Description:
This update for rpm-config-SUSE fixes the following issues:
- Support ZSTD compressed kernel modules. (bsc#1190850)
| Advisory ID | SUSE-RU-2021:3786-1
|
| Released | Wed Nov 24 05:59:13 2021 |
| Summary | Recommended update for rpm-config-SUSE |
| Type | recommended |
| Severity | important |
| References | 1192160 |
Description:
This update for rpm-config-SUSE fixes the following issues:
- Add support for the kernel xz-compressed firmware files (bsc#1192160)
| Advisory ID | SUSE-RU-2021:3799-1
|
| Released | Wed Nov 24 18:07:54 2021 |
| Summary | Recommended update for gcc11 |
| Type | recommended |
| Severity | moderate |
| References | 1187153,1187273,1188623 |
Description:
This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.
to select them for building:
The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
| Advisory ID | SUSE-RU-2021:3808-1
|
| Released | Fri Nov 26 00:30:54 2021 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1186071,1190440,1190984,1192161 |
Description:
This update for systemd fixes the following issues:
- Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798)
- Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984)
- Support detection for ARM64 Hyper-V guests (bsc#1186071)
- Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440)
- Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
| Advisory ID | SUSE-RU-2021:3870-1
|
| Released | Thu Dec 2 07:11:50 2021 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1190356,1191286,1191324,1191370,1191609,1192337,1192436 |
Description:
This update for libzypp, zypper fixes the following issues:
libzypp:
- Check log writer before accessing it (bsc#1192337)
- Zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Fixed slowdowns when rlimit is too high by using procfs to detect niumber of
open file descriptors (bsc#1191324)
- Fixed zypper incomplete messages when using non English localization (bsc#1191370)
- RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
- Disable logger in the child process after fork (bsc#1192436)
zypper:
- Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418)
| Advisory ID | SUSE-RU-2021:3872-1
|
| Released | Thu Dec 2 07:25:55 2021 |
| Summary | Recommended update for cracklib |
| Type | recommended |
| Severity | moderate |
| References | 1191736 |
Description:
This update for cracklib fixes the following issues:
- Enable build time tests (bsc#1191736)
| Advisory ID | SUSE-RU-2021:3891-1
|
| Released | Fri Dec 3 10:21:49 2021 |
| Summary | Recommended update for keyutils |
| Type | recommended |
| Severity | moderate |
| References | 1029961,1113013,1187654 |
Description:
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
- Revert the change notifications that were using /dev/watch_queue.
- Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
- Allow 'keyctl supports' to retrieve raw capability data.
- Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
- Allow 'keyctl new_session' to name the keyring.
- Allow 'keyctl add/padd/etc.' to take hex-encoded data.
- Add 'keyctl watch*' to expose kernel change notifications on keys.
- Add caps for namespacing and notifications.
- Set a default TTL on keys that upcall for name resolution.
- Explicitly clear memory after it's held sensitive information.
- Various manual page fixes.
- Fix C++-related errors.
- Add support for keyctl_move().
- Add support for keyctl_capabilities().
- Make key=val list optional for various public-key ops.
- Fix system call signature for KEYCTL_PKEY_QUERY.
- Fix 'keyctl pkey_query' argument passing.
- Use keyctl_read_alloc() in dump_key_tree_aux().
- Various manual page fixes.
Updated to 1.6:
- Apply various specfile cleanups from Fedora.
- request-key: Provide a command line option to suppress helper execution.
- request-key: Find least-wildcard match rather than first match.
- Remove the dependency on MIT Kerberos.
- Fix some error messages
- keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
- Fix doc and comment typos.
- Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
- Add pkg-config support for finding libkeyutils.
- upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
- Add keyring restriction support.
- Add KDF support to the Diffie-Helman function.
- DNS: Add support for AFS config files and SRV records
| Advisory ID | SUSE-SU-2021:3899-1
|
| Released | Fri Dec 3 11:27:41 2021 |
| Summary | Security update for aaa_base |
| Type | security |
| Severity | moderate |
| References | 1162581,1174504,1191563,1192248 |
Description:
This update for aaa_base fixes the following issues:
- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)
| Advisory ID | SUSE-RU-2021:3917-1
|
| Released | Fri Dec 3 14:18:08 2021 |
| Summary | Recommended update for grafana |
| Type | recommended |
| Severity | low |
| References | |
Description:
This update for grafana fixes the following issue:
- Add URL to package source code in the login page footer.
| Advisory ID | SUSE-SU-2021:3946-1
|
| Released | Mon Dec 6 14:57:42 2021 |
| Summary | Security update for gmp |
| Type | security |
| Severity | moderate |
| References | 1192717,CVE-2021-43618 |
Description:
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
| Advisory ID | SUSE-RU-2021:3963-1
|
| Released | Mon Dec 6 19:57:39 2021 |
| Summary | Recommended update for system-users |
| Type | recommended |
| Severity | moderate |
| References | 1190401 |
Description:
This update for system-users fixes the following issues:
- system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)
| Advisory ID | SUSE-RU-2021:3980-1
|
| Released | Thu Dec 9 16:42:19 2021 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | 1191592 |
Description:
glibc was updated to fix the following issue:
- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)
| Advisory ID | SUSE-RU-2021:4145-1
|
| Released | Wed Dec 22 05:27:48 2021 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1161276 |
Description:
This update for openssl-1_1 fixes the following issues:
- Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)
| Advisory ID | SUSE-RU-2021:4175-1
|
| Released | Thu Dec 23 11:22:33 2021 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | important |
| References | 1192423,1192858,1193759 |
Description:
This update for systemd fixes the following issues:
- Bump the max number of inodes for /dev to a million (bsc#1192858)
- sleep: don't skip resume device with low priority/available space (bsc#1192423)
- test: use kbd-mode-map we ship in one more test case
- test-keymap-util: always use kbd-model-map we ship
- Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)
| Advisory ID | SUSE-RU-2021:4182-1
|
| Released | Thu Dec 23 11:51:51 2021 |
| Summary | Recommended update for zlib |
| Type | recommended |
| Severity | moderate |
| References | 1192688 |
Description:
This update for zlib fixes the following issues:
- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)
| Advisory ID | SUSE-SU-2021:4192-1
|
| Released | Tue Dec 28 10:39:50 2021 |
| Summary | Security update for permissions |
| Type | security |
| Severity | moderate |
| References | 1174504 |
Description:
This update for permissions fixes the following issues:
- Update to version 20181225:
* drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)
| Advisory ID | SUSE-RU-2022:4-1
|
| Released | Mon Jan 3 08:28:54 2022 |
| Summary | Recommended update for libgcrypt |
| Type | recommended |
| Severity | moderate |
| References | 1193480 |
Description:
This update for libgcrypt fixes the following issues:
- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)
| Advisory ID | SUSE-SU-2022:43-1
|
| Released | Tue Jan 11 08:50:13 2022 |
| Summary | Security update for systemd |
| Type | security |
| Severity | moderate |
| References | 1178561,1190515,1194178,CVE-2021-3997 |
Description:
This update for systemd fixes the following issues:
- CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles which could cause a minor denial of service. (bsc#1194178)
| Advisory ID | SUSE-RU-2022:93-1
|
| Released | Tue Jan 18 05:11:58 2022 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | important |
| References | 1192489 |
Description:
This update for openssl-1_1 fixes the following issues:
- Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)
| Advisory ID | SUSE-RU-2022:96-1
|
| Released | Tue Jan 18 05:14:44 2022 |
| Summary | Recommended update for rpm |
| Type | recommended |
| Severity | important |
| References | 1180125,1190824,1193711 |
Description:
This update for rpm fixes the following issues:
- Fix header check so that old rpms no longer get rejected (bsc#1190824)
- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)
| Advisory ID | SUSE-SU-2022:140-1
|
| Released | Thu Jan 20 13:25:11 2022 |
| Summary | Security update for grafana |
| Type | security |
| Severity | important |
| References | 1191454,1193688,CVE-2021-39226,CVE-2021-43813 |
Description:
This update for grafana fixes the following issues:
- CVE-2021-39226: Fixed snapshot authentication bypass (bsc#1191454)
- CVE-2021-43813: Fixed markdown path traversal (bsc#1193688)
| Advisory ID | SUSE-SU-2022:141-1
|
| Released | Thu Jan 20 13:47:16 2022 |
| Summary | Security update for permissions |
| Type | security |
| Severity | moderate |
| References | 1169614 |
Description:
This update for permissions fixes the following issues:
- Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).
| Advisory ID | SUSE-RU-2022:207-1
|
| Released | Thu Jan 27 09:24:49 2022 |
| Summary | Recommended update for glibc |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for glibc fixes the following issues:
- Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).
| Advisory ID | SUSE-RU-2022:228-1
|
| Released | Mon Jan 31 06:07:52 2022 |
| Summary | Recommended update for boost |
| Type | recommended |
| Severity | moderate |
| References | 1194522 |
Description:
This update for boost fixes the following issues:
- Fix compilation errors (bsc#1194522)
| Advisory ID | SUSE-SU-2022:330-1
|
| Released | Fri Feb 4 09:29:08 2022 |
| Summary | Security update for glibc |
| Type | security |
| Severity | important |
| References | 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 |
Description:
This update for glibc fixes the following issues:
- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
Features added:
- IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)
| Advisory ID | SUSE-RU-2022:335-1
|
| Released | Fri Feb 4 10:24:02 2022 |
| Summary | Recommended update for coreutils |
| Type | recommended |
| Severity | moderate |
| References | 1189152 |
Description:
This update for coreutils fixes the following issues:
- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
| Advisory ID | SUSE-RU-2022:343-1
|
| Released | Mon Feb 7 15:16:58 2022 |
| Summary | Recommended update for systemd |
| Type | recommended |
| Severity | moderate |
| References | 1193086 |
Description:
This update for systemd fixes the following issues:
- disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579
- disable fallback DNS servers and fail when no DNS server info could be obtained from the links.
- DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package.
- Improve warning messages (bsc#1193086).
| Advisory ID | SUSE-RU-2022:348-1
|
| Released | Tue Feb 8 13:02:20 2022 |
| Summary | Recommended update for libzypp |
| Type | recommended |
| Severity | important |
| References | 1193007,1193488,1194597,1194898,954813 |
Description:
This update for libzypp fixes the following issues:
- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData
| Advisory ID | SUSE-SU-2022:283-1
|
| Released | Tue Feb 8 16:10:39 2022 |
| Summary | Security update for samba |
| Type | security |
| Severity | critical |
| References | 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048,CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336 |
Description:
- CVE-2021-44141: Information leak via symlinks of existance of
files or directories outside of the exported share; (bso#14911);
(bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
in VFS module vfs_fruit allows code execution; (bso#14914);
(bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
account can impersonate arbitrary services; (bso#14950);
(bsc#1195048);
samba was updated to 4.15.4 (jsc#SLE-23329);
- Duplicate SMB file_ids leading to Windows client cache
poisoning; (bso#14928);
- Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
- kill_tcp_connections does not work; (bso#14934);
- Can't connect to Windows shares not requiring authentication
using KDE/Gnome; (bso#14935);
- smbclient -L doesn't set 'client max protocol' to NT1 before
calling the 'Reconnecting with SMB1 for workgroup listing'
path; (bso#14939);
- Cross device copy of the crossrename module always fails;
(bso#14940);
- symlinkat function from VFS cap module always fails with an
error; (bso#14941);
- Fix possible fsp pointer deference; (bso#14942);
- Missing pop_sec_ctx() in error path inside close_directory();
(bso#14944);
- 'smbd --build-options' no longer works without an smb.conf file;
(bso#14945);
Samba was updated to version 4.15.3
- CVE-2021-43566: Symlink race error can allow directory creation
outside of the exported share; (bsc#1139519);
- CVE-2021-20316: Symlink race error can allow metadata read and
modify outside of the exported share; (bsc#1191227);
- Reorganize libs packages. Split samba-libs into samba-client-libs,
samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
public libraries depending on internal samba libraries into these
packages as there were dependency problems everytime one of these
public libraries changed its version (bsc#1192684). The devel
packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink create by samba-dsdb-modules to private samba
ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
/usr/lib64/ldb2/modules/ldb/samba
krb5 was updated to 1.16.3 to 1.19.2
- Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
- Fix a memory leak when gss_inquire_cred() is called without a credential handle.
Changes from 1.19.1:
- Fix a linking issue with Samba.
- Better support multiple pkinit_identities values by checking whether
certificates can be loaded for each value.
Changes from 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the 'password' and 'verify'
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft's Resource-Based Constrained
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
used in the reply. This encryption type will be deprecated and removed
in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
Changes from 1.18.3
- Fix a denial of service vulnerability when decoding Kerberos
protocol messages.
- Fix a locking issue with the LMDB KDB module which could cause
KDC and kadmind processes to lose access to the database.
- Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
and unloaded while libkrb5support remains loaded.
Changes from 1.18.2
- Fix a SPNEGO regression where an acceptor using the default credential
would improperly filter mechanisms, causing a negotiation failure.
- Fix a bug where the KDC would fail to issue tickets if the local krbtgt
principal's first key has a single-DES enctype.
- Add stub functions to allow old versions of OpenSSL libcrypto to link
against libkrb5.
- Fix a NegoEx bug where the client name and delegated credential might
not be reported.
Changes from 1.18.1
- Fix a crash when qualifying short hostnames when the system has
no primary DNS domain.
- Fix a regression when an application imports 'service@' as a GSS
host-based name for its acceptor credential handle.
- Fix KDC enforcement of auth indicators when they are modified by
the KDB module.
- Fix removal of require_auth string attributes when the LDAP KDB
module is used.
- Fix a compile error when building with musl libc on Linux.
- Fix a compile error when building with gcc 4.x.
- Change the KDC constrained delegation precedence order for consistency
with Windows KDCs.
Changes from 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with '.rcache2'
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an 'enforce_ok_as_delegate' krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ('draft 9') variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for 'dns_canonicalize_hostname=fallback', causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a 'qualify_shortname' krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
Changes from 1.17.1
- Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin.
- Fix a bug preventing time skew correction from working when a KCM
credential cache is used.
Changes from 1.17:
Administrator experience:
- A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
- 'kdb5_util dump' will no longer dump policy entries when specific
principal names are requested.
Developer experience:
The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
Python test scripts now use Python 3.
Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Build with full Cyrus SASL support. Negotiating SASL credentials with
an EXTERNAL bind mechanism requires interaction. Kerberos provides its
own interaction function that skips all interaction, thus preventing the
mechanism from working.
ldb was updated to version 2.4.1 (jsc#SLE-23329);
+ Corrected python behaviour for 'in' for LDAP attributes
contained as part of ldb.Message; (bso#14845);
+ Fix memory handling in ldb.msg_diff; (bso#14836);
+ pyldb: Fix Message.items() for a message containing elements
+ pyldb: Add test for Message.items()
+ tests: Use ldbsearch '--scope instead of '-s'
+ Change page size of guidindexpackv1.ldb
+ Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream
+ attrib_handler casefold: simplify space dropping
+ fix ldb_comparison_fold off-by-one overrun
+ CVE-2020-27840: pytests: move Dn.validate test to ldb
+ CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
+ CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
+ CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
+ improve comments for ldb_module_connect_backend()
+ test/ldb_tdb: correct introductory comments
+ ldb.h: remove undefined async_ctx function signatures
+ correct comments in attrib_handers val_to_int64
+ dn tests use cmocka print functions
+ ldb_match: remove redundant check
+ add tests for ldb_wildcard_compare
+ ldb_match: trailing chunk must match end of string
+ pyldb: catch potential overflow error in py_timestring
+ ldb: remove some 'if PY3's in tests
talloc was updated to 2.3.3:
- various bugfixes
- python: Ensure reference counts are properly incremented
- Change pytalloc source to LGPL
- Upgrade waf to 2.0.18 to fix a cross-compilation issue;
(bso#13846).
tdb was updated to version 1.4.4:
tevent was updated to version 0.11.0:
- Add custom tag to events
- Add event trace api
sssd was updated to:
- Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5
- Update the private ldb modules installation following libldb2
changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba
apparmor was updated to:
- Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684).
- add profile for samba-bgqd (bsc#1191532).
| Advisory ID | SUSE-RU-2022:383-1
|
| Released | Tue Feb 15 17:47:36 2022 |
| Summary | Recommended update for cyrus-sasl |
| Type | recommended |
| Severity | moderate |
| References | 1194265 |
Description:
This update for cyrus-sasl fixes the following issues:
- Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265)
- Add config parameter '--with-dblib=gdbm'
- Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.
| Advisory ID | SUSE-RU-2022:520-1
|
| Released | Fri Feb 18 12:45:19 2022 |
| Summary | Recommended update for rpm |
| Type | recommended |
| Severity | moderate |
| References | 1194968 |
Description:
This update for rpm fixes the following issues:
- Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)
| Advisory ID | SUSE-SU-2022:539-1
|
| Released | Mon Feb 21 13:47:51 2022 |
| Summary | Security update for systemd |
| Type | security |
| Severity | moderate |
| References | 1191826,1192637,1194178,CVE-2021-3997 |
Description:
This update for systemd fixes the following issues:
- CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178).
The following non-security bugs were fixed:
- udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)
- localectl: don't omit keymaps files that are symlinks (bsc#1191826)
| Advisory ID | SUSE-RU-2022:674-1
|
| Released | Wed Mar 2 13:24:38 2022 |
| Summary | Recommended update for yast2-network |
| Type | recommended |
| Severity | moderate |
| References | 1187512 |
Description:
This update for yast2-network fixes the following issues:
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)
| Advisory ID | SUSE-RU-2022:692-1
|
| Released | Thu Mar 3 15:46:47 2022 |
| Summary | Recommended update for filesystem |
| Type | recommended |
| Severity | moderate |
| References | 1190447 |
Description:
This update for filesystem fixes the following issues:
- Release ported filesystem to LTSS channels (bsc#1190447).
| Advisory ID | SUSE-SU-2022:727-1
|
| Released | Fri Mar 4 10:39:21 2022 |
| Summary | Security update for libeconf, shadow and util-linux |
| Type | security |
| Severity | moderate |
| References | 1188507,1192954,1193632,1194976,CVE-2021-3995,CVE-2021-3996 |
Description:
This security update for libeconf, shadow and util-linux fix the following issues:
libeconf:
- Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow'
to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
Issues fixed in libeconf:
- Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
- Fixed different issues while writing string values to file.
- Writing comments to file too.
- Fixed crash while merging values.
- Added econftool cat option (#146)
- new API call: econf_readDirsHistory (showing ALL locations)
- new API call: econf_getPath (absolute path of the configuration file)
- Man pages libeconf.3 and econftool.8.
- Handling multiline strings.
- Added libeconf_ext which returns more information like
line_nr, comments, path of the configuration file,...
- Econftool, an command line interface for handling configuration
files.
- Generating HTML API documentation with doxygen.
- Improving error handling and semantic file check.
- Joining entries with the same key to one single entry if
env variable ECONF_JOIN_SAME_ENTRIES has been set.
shadow:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to
read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
util-linux:
- The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to
read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
- Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
- Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
- CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
- CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
| Advisory ID | SUSE-SU-2022:743-1
|
| Released | Mon Mar 7 22:08:12 2022 |
| Summary | Security update for cyrus-sasl |
| Type | security |
| Severity | important |
| References | 1194265,1196036,CVE-2022-24407 |
Description:
This update for cyrus-sasl fixes the following issues:
- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).
The following non-security bugs were fixed:
- postfix: sasl authentication with password fails (bsc#1194265).
| Advisory ID | SUSE-RU-2022:787-1
|
| Released | Thu Mar 10 11:20:13 2022 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | |
Description:
This update for openldap2 fixes the following issue:
- restore CLDAP functionality in CLI tools (jsc#PM-3288)
| Advisory ID | SUSE-RU-2022:788-1
|
| Released | Thu Mar 10 11:21:04 2022 |
| Summary | Recommended update for libzypp, zypper |
| Type | recommended |
| Severity | moderate |
| References | 1195326 |
Description:
This update for libzypp, zypper fixes the following issues:
- Fix handling of redirected command in-/output (bsc#1195326)
This fixes delays at the end of zypper operations, where
zypper unintentionally waits for appdata plugin scripts to
complete.
| Advisory ID | SUSE-RU-2022:808-1
|
| Released | Fri Mar 11 06:07:58 2022 |
| Summary | Recommended update for procps |
| Type | recommended |
| Severity | moderate |
| References | 1195468 |
Description:
This update for procps fixes the following issues:
- Stop registering signal handler for SIGURG, to avoid `ps` failure if
someone sends such signal. Without the signal handler, SIGURG will
just be ignored. (bsc#1195468)
| Advisory ID | SUSE-SU-2022:845-1
|
| Released | Tue Mar 15 11:40:52 2022 |
| Summary | Security update for chrony |
| Type | security |
| Severity | moderate |
| References | 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367 |
Description:
This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Ensure the correct pool packages are installed for openSUSE
and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].
Update to 4.0
- Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and 'reload sources' command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get 'maxsources'
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option 'version 3')
- Drop support for line editing with GNU Readline
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Update to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
Update to 3.5:
- Add support for more accurate reading of PHC on Linux 5.0
- Add support for hardware timestamping on interfaces with read-only timestamping configuration
- Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
- Update seccomp filter to work on more architectures
- Validate refclock driver options
- Fix bindaddress directive on FreeBSD
- Fix transposition of hardware RX timestamp on Linux 4.13 and later
- Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service
(bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers to
fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
should be no executables in /usr/share.
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
| Advisory ID | SUSE-RU-2022:861-1
|
| Released | Tue Mar 15 23:30:48 2022 |
| Summary | Recommended update for openssl-1_1 |
| Type | recommended |
| Severity | moderate |
| References | 1182959,1195149,1195792,1195856 |
Description:
This update for openssl-1_1 fixes the following issues:
openssl-1_1:
- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
glibc:
- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
linux-glibc-devel:
- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1
libxcrypt:
- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1
zlib:
- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1
| Advisory ID | SUSE-RU-2022:874-1
|
| Released | Wed Mar 16 10:40:52 2022 |
| Summary | Recommended update for openldap2 |
| Type | recommended |
| Severity | moderate |
| References | 1197004 |
Description:
This update for openldap2 fixes the following issue:
- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)
| Advisory ID | SUSE-RU-2022:905-1
|
| Released | Mon Mar 21 08:46:09 2022 |
| Summary | Recommended update for util-linux |
| Type | recommended |
| Severity | important |
| References | 1172427,1194642 |
Description:
This update for util-linux fixes the following issues:
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
- Fix `su -s` bash completion. (bsc#1172427)
| Advisory ID | SUSE-RU-2022:936-1
|
| Released | Tue Mar 22 18:10:17 2022 |
| Summary | Recommended update for filesystem and systemd-rpm-macros |
| Type | recommended |
| Severity | moderate |
| References | 1196275,1196406 |
Description:
This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:
- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
systemd-rpm-macros:
- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)
| Advisory ID | SUSE-SU-2022:4167-1
|
| Released | Tue Nov 22 12:18:49 2022 |
| Summary | Security update for krb5 |
| Type | security |
| Severity | important |
| References | 1205126,CVE-2022-42898 |
Description:
This update for krb5 fixes the following issues:
- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).