Container summary for ses/7.1/ceph/haproxy

SUSE-CU-2023:3072-1

This update for libzypp fixes the following issues:

• Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
• Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for vim fixes the following issues:

• CVE-2023-2426: Fixed out-of-range pointer offset (bsc#1210996).
• CVE-2023-2609: Fixed NULL pointer dereference (bsc#1211256).
• CVE-2023-2610: Fixed integer overflow or wraparound (bsc#1211257).

This update for yast2-pkg-bindings fixes the following issues:
libzypp was updated to version 17.31.14 (22):

• Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.
• build: honor libproxy.pc's includedir (bsc#1212222)

• targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
• targetos: Update help and man page (bsc#1211261)

• Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
• Selected products are not installed after resetting the package manager internally (bsc#1202234)

• Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

This update for dbus-1 fixes the following issues:

• CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

• Update further expiring certificates that affect tests [bsc#1201627]

This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

This update for cryptsetup fixes the following issues:

• Handle system with low memory and no swap space (bsc#1211079)

This update for vim fixes the following issues:

• Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)

This update for shadow fixes the following issues:

• Prevent lock files from remaining after power interruptions (bsc#1213189)
• Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for lvm2 fixes the following issues:

• blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

This update for haproxy fixes the following issues:

• CVE-2023-40225: Fixed request smuggling with empty content-length header value (bsc#1214102).

This update for libzypp, zypper fixes the following issues:

• Fix occasional isue with downloading very small files (bsc#1213673)
• Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
• Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
• Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
• Revised explanation of --force-resolution in man page (bsc#1213557)
• Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

• Fixed parsing files correctly which have space characters AND none space characters as delimiters (bsc#1198165).

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

SUSE-CU-2023:1837-1

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).

This update for vim fixes the following issues:

• Make xxd conflict with the previous vim packages to avoid a file conflict during migration (bsc#1211144)

This update for libzypp, zypper fixes the following issues:

• Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
• multicurl: propagate ssl settings stored in repo url (bsc#1127591)
• MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Teach MediaNetwork to retry on HTTP2 errors.
• Fix selecting installed patterns from picklist (bsc#1209406)
• man: better explanation of --priority

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for util-linux fixes the following issues:

• Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

SUSE-CU-2023:1459-1

This update for rpm fixes the following issues:

• Fix missing python(abi) for 3.XX versions (bsc#1207294)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for vim fixes the following issues:

• CVE-2023-0512: Fixed a divide By Zero (bsc#1207780).
• CVE-2023-1175: vim: an incorrect calculation of buffer size (bsc#1208957).
• CVE-2023-1170: Fixed a heap-based Buffer Overflow (bsc#1208959).
• CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).

• https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

• Fix avx2 strncmp offset compare condition check (bsc#1208358)
• elf: Allow dlopen of filter object to work (bsc#1207571)
• powerpc: Fix unrecognized instruction errors with recent GCC
• x86: Cache computation for AMD architecture (bsc#1207957)

This update for systemd-presets-common-SUSE fixes the following issue:

• Enable systemd-pstore.service by default (jsc#PED-2663)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for elfutils fixes the following issues:

• go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for glib2 fixes the following issues:

• CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
• CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

• Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

This update for vim fixes the following issues:
Updated to version 9.0 with patch level 1443, fixes the following security problems

• CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
• CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
• CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for haproxy fixes the following issues:
Update to version 2.0.31 (jsc#PED-3821):

• BUG/CRITICAL: http: properly reject empty http header field names
• CI: github: don't warn on deprecated openssl functions on windows
• DOC: proxy-protocol: fix wrong byte in provided example
• DOC: config: 'http-send-name-header' option may be used in default section
• DOC: config: fix option spop-check proxy compatibility
• BUG/MEDIUM: cache: use the correct time reference when comparing dates
• BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
• BUG/MEDIUM: ssl: wrong eviction from the session cache tree
• BUG/MINOR: http-ana: make set-status also update txn->status
• BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
• BUG/MINOR: promex: Don't forget to consume the request on error
• BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
• BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
• BUILD: makefile: sort the features list
• BUILD: makefile: build the features list dynamically
• BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
• BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
• LICENSE: wurfl: clarify the dummy library license.
• BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
• BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
• BUG/MINOR: ssl: Fix potential overflow
• BUG/MEDIUM: ssl: Verify error codes can exceed 63
• CI: github: change 'ubuntu-latest' to 'ubuntu-20.04'
• SCRIPTS: announce-release: add a link to the data plane API
• [RELEASE] Released version 2.0.30
• Revert 'CI: determine actual LibreSSL version dynamically'
• DOC: config: clarify the -m dir and -m dom pattern matching methods
• DOC: config: clarify the fact that 'retries' is not just for connections
• DOC: config: explain how default matching method for ACL works
• DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
• DOC: config: provide some configuration hints for 'http-reuse'
• BUILD: listener: fix build warning on global_listener_rwlock without threads
• BUILD: peers: Remove unused variables
• BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
• BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
• BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
• CI: emit the compiler's version in the build reports
• CI: add monthly gcc cross compile jobs
• BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
• BUG/MAJOR: stick-table: don't process store-response rules for applets
• DOC: management: add forgotten 'show startup-logs'
• CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
• CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
• BUG/MAJOR: stick-tables: do not try to index a server name for applets
• DOC: configuration: missing 'if' in tcp-request content example
• BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
• BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
• BUG/MEDIUM: lua: handle stick table implicit arguments right.
• BUILD: cfgparse: Fix GCC warning about a variable used after realloc
• BUILD: fix compilation for OpenSSL-3.0.0-alpha17
• BUG/MINOR: log: improper behavior when escaping log data
• SCRIPTS: announce-release: update some URLs to https
• BUG/MEDIUM: captures: free() an error capture out of the proxy lock
• BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
• BUG/MINOR: signals/poller: ensure wakeup from signals
• BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
• BUG/MINOR: h1: Support headers case adjustment for TCP proxies
• REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
• BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
• BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
• BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
• BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
• DOC: configuration: do-resolve doesn't work with a port in the string
• BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
• BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
• BUILD: http: silence an uninitialized warning affecting gcc-5
• BUG/MEDIUM: proxy: Perform a custom copy for default server settings
• REORG: server: Export srv_settings_cpy() function
• MINOR: server: Constify source server to copy its settings
• BUG/MINOR: peers: Use right channel flag to consider the peer as connected
• BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
• MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
• BUG/MINOR: ssl: free the fields in srv->ssl_ctx
• BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
• BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
• BUG/MINOR: peers: fix possible NULL dereferences at config parsing
• BUG/MINOR: peers/config: always fill the bind_conf's argument
• BUG/MINOR: http-fetch: Use integer value when possible in 'method' sample fetch
• BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
• BUG/MINOR: server: do not enable DNS resolution on disabled proxies
• BUILD: compiler: implement unreachable for older compilers too
• REGTESTS: http_request_buffer: Increase client timeout to wait 'slow' clients
• REGTESTS: abortonclose: Add a barrier to not mix up log messages
• BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
• DOC: peers: fix port number and addresses on new peers section format
• DOC: peers: clarify when entry expiration date is renewed.
• DOC: peers: indicate that some server settings are not usable
• SCRIPTS: make publish-release try to launch make-releases-json
• SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
• BUG/MEDIUM: sample: Fix adjusting size in word converter
• BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
• BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
• BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
• BUG/MINOR: peers: fix error reporting of 'bind' lines
• REGTESTS: abortonclose: Fix some race conditions
• BUILD: fix build warning on solaris based systems with __maybe_unused.
• CI: determine actual LibreSSL version dynamically
• [RELEASE] Released version 2.0.29
• BUG/MINOR: ssl: fix build on development versions of openssl-1.1.x
• CLEANUP: mux-h1: Fix comments and error messages for global options
• BUG/MEDIUM: wdt: don't trigger the watchdog when p is unitialized
• BUG/MINOR: server: Make SRV_STATE_LINE_MAXLEN value from 512 to 2kB (2000 bytes).
• DOC: fix typo 'ant' for 'and' in INSTALL
• BUG/MINOR: map/cli: make sure patterns don't vanish under 'show map''s init
• BUG/MINOR: map/cli: protect the backref list during 'show map' errors
• BUG/MEDIUM: cli: make 'show cli sockets' really yield
• BUG/MINOR: mux-h2: mark the stream as open before processing it not after
• SCRIPTS: announce-release: add URL of dev packages
• CI: github actions: update LibreSSL to 3.5.2
• BUILD: sockpair: do not set unused flag
• BUILD: proto_uxst: do not set unused flag
• BUG/MINOR: pools: make sure to also destroy shared pools in pool_destroy_all()
• REGTESTS: fix the race conditions in be2dec.vtc ad field.vtc
• DOC: remove my name from the config doc
• BUG/MINOR: cache: Disable cache if applet creation fails
• SCRIPTS: announce-release: add shortened links to pending issues
• DOC: lua: update a few doc URLs
• SCRIPTS: announce-release: update the doc's URL
• BUG/MEDIUM: compression: Don't forget to update htx_sl and http_msg flags
• BUG/MEDIUM: mux-h1: Don't request more room on partial trailers
• BUG/MINOR: mux-h2: use timeout http-request as a fallback for http-keep-alive
• BUG/MINOR: mux-h2: do not use timeout http-keep-alive on backend side
• BUG/MINOR: cache: do not display expired entries in 'show cache'
• BUG/MINOR: mux-h2: do not send GOAWAY if SETTINGS were not sent
• CI: Update to actions/cache@v3
• CI: Update to actions/checkout@v3
• BUG/MEDIUM: http-act: Don't replace URI if path is not found or invalid
• BUG/MAJOR: mux_pt: always report the connection error to the conn_stream
• DOC: reflect H2 timeout changes
• BUG/MEDIUM: mux-h2: make use of http-request and keep-alive timeouts
• MEDIUM: mux-h2: slightly relax timeout management rules
• BUG/MEDIUM: stream-int: do not rely on the connection error once established
• BUG/MINOR: tools: url2sa reads too far when no port nor path
• BUG/MEDIUM: mux-h1: only turn CO_FL_ERROR to CS_FL_ERROR with empty ibuf
• CI: github actions: switch to LibreSSL-3.5.1
• BUILD: dns: fix backport of previous dns fix
• BUG/MAJOR: dns: multi-thread concurrency issue on UDP socket
• Revert 'BUG/MAJOR: mux-pt: Always destroy the backend connection on detach'
• BUG/MINOR: tools: fix url2sa return value with IPv4
• [RELEASE] Released version 2.0.28
• DOC: Fix usage/examples of deprecated ACLs
• BUG/MINOR: stream: make the call_rate only count the no-progress calls
• DOC: use the req.ssl_sni in examples
• DOC: ssl: req_ssl_sni needs implicit TLS
• BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
• BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
• DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
• BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
• BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
• BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
• BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
• BUG/MINOR: cli: shows correct mode in 'show sess'
• BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
• CLEANUP: atomic: add a fetch-and-xxx variant for common operations
• CI: github actions: use cache for SSL libs
• CI: github actions: add the output of $CC -dM -E-
• BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
• BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
• BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
• BUG/MINOR: tools: url2sa reads ipv4 too far
• BUG/MINOR: mailers: negotiate SMTP, not ESMTP
• CI: ssl: keep the old method for ancient OpenSSL versions
• CI: ssl: do not needlessly build the OpenSSL docs
• CI: ssl: enable parallel builds for OpenSSL on Linux
• BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
• BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
• BUG/MEDIUM: mworker: close unused transferred FDs on load failure
• MINOR: sock: move the unused socket cleaning code into its own function
• BUG/MAJOR: spoe: properly detach all agents when releasing the applet
• BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
• BUG/MINOR: mworker: does not erase the pidfile upon reload
• BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
• BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
• BUG/MEDIUM: mcli: do not try to parse empty buffers
• BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
• MINOR: channel: add new function co_getdelim() to support multiple delimiters
• MEDIUM: cli: yield between each pipelined command
• [RELEASE] Released version 2.0.27
• BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
• BUG/MEDIUM: cli: Never wait for more data on client shutdown
• BUILD/MINOR: fix solaris build with clang.
• BUG/MEDIUM: mworker: don't use _getsocks in wait mode
• BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
• BUG/MINOR: cli: fix _getsocks with musl libc
• CLEANUP: ssl: make ssl_sock_free_srv_ctx() zero the pointers after free
• BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
• DOC: fix misspelled keyword 'resolve_retries' in resolvers
• BUILD: ssl: unbreak the build with newer libressl
• BUILD: cli: clear a maybe-unused warning on some older compilers
• BUG/MINOR: http: fix recent regression on authorization in legacy mode
• Revert 'BUG/MEDIUM: resolvers: always check a valid item in query_list'
• BUG/MINOR: backend: restore the SF_SRV_REUSED flag original purpose
• BUG/MINOR: backend: do not set sni on connection reuse
• BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
• DOC: config: Specify %Ta is only available in HTTP mode
• DOC: spoe: Clarify use of the event directive in spoe-message section
• MINOR: ssl: make tlskeys_list_get_next() take a list element
• CLEANUP: ssl: Remove useless local variable in tlskeys_list_get_next()
• CLEANUP: ssl: Remove useless loop in tlskeys_list_get_next()
• BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
• MINOR: cli: 'show version' displays the current process version
• BUILD: general: always pass unsigned chars to is* functions
• CLEANUP: peers: Remove unused static function `free_dcache_tx`
• CLEANUP: peers: Remove unused static function `free_dcache`
• REGTESTS: mark the abns test as broken again
• BUILD: scripts/build-ssl.sh: use 'uname' instead of ${TRAVIS_OS_NAME}
• BUILD: makefile: add entries to build common debugging tools
• CI: Github Actions: temporarily disable BoringSSL builds
• CI: Github Actions: switch to LibreSSL-3.3.3
• CI: github actions: update LibreSSL to 3.2.5
• Revert 'CI: Pin VTest to a known good commit'
• CI: github actions: switch to stable LibreSSL release
• CI: Fix the coverity builds
• CI: Fix DEBUG_STRICT definition for Coverity
• CI: Pin VTest to a known good commit
• CI: github actions: build several popular 'contrib' tools
• CI: GitHub Actions: enable daily Coverity scan
• CI: github actions: enable 51degrees feature
• CI: github actions: update LibreSSL to 3.3.0
• CI: Clean up Windows CI
• CI: Pass the github.event_name to matrix.py
• CI: Github Action: run 'apt-get update' before packages restore
• CI: Github Actions: enable BoringSSL builds
• CI: Github Actions: remove LibreSSL-3.0.2 builds
• CI: Github Actions: enable prometheus exporter
• CI: Stop hijacking the hosts file
• CI: Expand use of GitHub Actions for CI
• [RELEASE] Released version 2.0.26
• BUG/MEDIUM: ssl: abort with the correct SSL error when SNI not found
• BUG/MINOR: shctx: do not look for available blocks when the first one is enough
• BUG/MEDIUM: shctx: leave the block allocator when enough blocks are found
• BUG/MEDIUM: mux-h2: always process a pending shut read
• BUG/MEDIUM: ssl: backend TLS resumption with sni and TLSv1.3
• CLEANUP: ssl: Release cached SSL sessions on deinit
• MINOR: mux-h2: perform a full cycle shutdown+drain on close
• MINOR: connection: add a new CO_FL_WANT_DRAIN flag to force drain on close
• BUG/MINOR: stick-table/cli: Check for invalid ipv6 key
• BUG/MEDIUM: connection: make cs_shutr/cs_shutw//cs_close() idempotent
• BUG/MINOR: mux-h2: Fix H2_CF_DEM_SHORT_READ value
• BUG/MINOR: mworker: doesn't launch the program postparser
• BUG/MEDIUM: conn-stream: Don't reset CS flags on close
• BUG/MINOR: http-ana: Apply stop to the current section for http-response rules
• DOC: config: Fix typo in ssl_fc_unique_id description
• BUG/MEDIUM: mux-h1: Fix H1C_F_ST_SILENT_SHUT value
• BUG/MEDIUM: stream-int: Defrag HTX message in si_cs_recv() if necessary
• MINOR: htx: Add a function to know if the free space wraps
• MINOR: htx: Add an HTX flag to know when a message is fragmented
• BUG/MINOR: tcpcheck: Improve LDAP response parsing to fix LDAP check
• MINOR: stream: Improve dump of bogus streams
• DOC: config: Fix alphabetical order of fc_* samples
• BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
• BUG/MEDIUM: http-ana: Drain request data waiting the tarpit timeout expiration
• CLEANUP: resolvers: replace all LIST_DELETE with LIST_DEL_INIT
• CLEANUP: always initialize the answer_list
• CLEANUP: resolvers: do not export resolv_purge_resolution_answer_records()
• BUG/MEDIUM: mux-h1: Perform a connection shutdown when the h1c is released
• BUG/MINOR: mux-h1: Save shutdown mode if the shutdown is delayed
• BUG/MINOR: mux-h2: do not prevent from sending a final GOAWAY frame
• BUG/MEDIUM: resolvers: always check a valid item in query_list
• BUILD: resolvers: avoid a possible warning on null-deref
• MINOR: resolvers: merge address and target into a union 'data'
• BUG/MEDIUM: resolvers: use correct storage for the target address
• BUG/MEDIUM: resolvers: fix truncated TLD consecutive to the API fix
• MINOR: resolvers: fix the resolv_dn_label_to_str() API about trailing zero
• BUG/MINOR: resolvers: do not reject host names of length 255 in SRV records
• BUG/MEDIUM: resolver: make sure to always use the correct hostname length
• MINOR: resolvers: fix the resolv_str_to_dn_label() API about trailing zero
• BUG/MEDIUM: sample: properly verify that variables cast to sample
• MINOR: sample: provide a generic var-to-sample conversion function
• CLEANUP: sample: uninline sample_conv_var2smp_str()
• CLEANUP: sample: rename sample_conv_var2smp() to *_sint
• BUG/MEDIUM: stream: Keep FLT_END analyzers if a stream detects a channel error
• BUG/MEDIUM: mux_h2: Handle others remaining read0 cases on partial frames
• BUG/MEDIUM: http-ana: Clear request analyzers when applying redirect rule
• BUG/MEDIUM: filters: Fix a typo when a filter is attached blocking the release
• BUG/MINOR: filters: Set right FLT_END analyser depending on channel
• BUG/MINOR: filters: Always set FLT_END analyser when CF_FLT_ANALYZE flag is set
• BUG/MEDIUM: http-ana: Reset channels analysers when returning an error
• BUG/MINOR: stream: Don't release a stream if FLT_END is still registered
• BUG/MINOR: tcp-rules: Stop content rules eval on read error and end-of-input
• BUG/MAJOR: lua: use task_wakeup() to properly run a task once
• BUG/MEDIUM: lua: fix wakeup condition from sleep()
• DOC: peers: fix doc 'enable' statement on 'peers' sections
• BUG/MINOR: mux-h1/mux-fcgi: Sanitize TE header to only send 'trailers'
• BUG/MEDIUM: stream: Stop waiting for more data if SI is blocked on RXBLK_ROOM
• BUG/MEDIUM: stream-int: Notify stream that the mux wants more room to xfer data
• BUG/MEDIUM: mux-h1: Adjust conditions to ask more space in the channel buffer
• BUG/MINOR: server: allow 'enable health' only if check configured
• Revert 'REGTESTS: mark http_abortonclose as broken'
• BUG/MEDIUM: stream-int: Don't block SI on a channel policy if EOI is reached
• MEDIUM: actions: Fix block ACL.
• BUG/MINOR: stats: fix the POST requests processing in legacy mode
• BUG/MEDIUM: http: check for a channel pending data before waiting
• BUG/MINOR: cli/payload: do not search for args inside payload
• BUG/MINOR: compat: make sure __WORDSIZE is always defined
• BUG/MINOR: systemd: ExecStartPre must use -Ws
• [RELEASE] Released version 2.0.25
• REGTESTS: mark http_abortonclose as broken
• MINOR: action: Use a generic function to check validity of an action rule list
• Revert 'BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive'
• BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
• CLEANUP: htx: remove comments about 'must be < 256 MB'
• BUG/MINOR: config: reject configs using HTTP with bufsize >= 256 MB
• DOC: configuration: remove wrong tcp-request examples in tcp-response
• CLEANUP: Add missing include guard to signal.h
• BUG/MINOR: tools: Fix loop condition in dump_text()
• BUG/MINOR threads: Use get_(local|gm)time instead of (local|gm)time
• BUG/MINOR: ebtree: remove dependency on incorrect macro for bits per long
• BUG/MINOR: lua: use strlcpy2() not strncpy() to copy sample keywords
• MINOR: compiler: implement an ONLY_ONCE() macro
• BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}
• REGTESTS: abortonclose: after retries, 503 is expected, not close
• BUG/MEDIUM: sock: really fix detection of early connection failures in for 2.3-
• [RELEASE] Released version 2.0.24
• REGTESTS: add a test to prevent h2 desync attacks
• BUG/MAJOR: h2: enforce stricter syntax checks on the :method pseudo-header
• DOC/MINOR: fix typo in management document
• MINOR: mux-h1/proxy: Add a proxy option to disable clear h2 upgrade
• DOC: config: Fix 'http-response send-spoe-group' documentation
• DOC: Improve the lua documentation
• BUG/MEDIUM: spoe: Fix policy to close applets when SPOE connections are queued
• BUG/MEDIUM: spoe: Create a SPOE applet if necessary when the last one is released
• MINOR: spoe: Add a pointer on the filter config in the spoe_agent structure
• BUG/MINOR: server: update last_change on maint->ready transitions too
• BUG/MINOR: connection: Add missing error labels to conn_err_code_str
• BUG/MEDIUM: mux-h2: Handle remaining read0 cases on partial frames
• BUG/MINOR: mux-h2: Obey dontlognull option during the preface
• BUG/MINOR: systemd: must check the configuration using -Ws
• BUG/MINOR: mworker: do not export HAPROXY_MWORKER_REEXEC across programs
• BUG/MEDIUM: mworker: do not register an exit handler if exit is expected
• BUILD: add detection of missing important CFLAGS
• BUG/MEDIUM: tcp-check: Do not dereference inexisting connection
• [RELEASE] Released version 2.0.23
• BUG/MINOR: server: Forbid to set fqdn on the CLI if SRV resolution is enabled
• BUG/MINOR: server-state: load SRV resolution only if params match the config
• CLEANUP: pools: remove now unused seq and pool_free_list
• BUG/MAJOR: pools: fix possible race with free() in the lockless variant
• MEDIUM: pools: use a single pool_gc() function for locked and lockless
• MEDIUM: memory: make pool_gc() run under thread isolation
• BUG/MEDIUM: pools: Always update free_list in pool_gc().
• MINOR: pools: do not maintain the lock during pool_flush()
• BUG/MINOR: pools: fix a possible memory leak in the lockless pool_flush()
• MINOR: pools/debug: slightly relax DEBUG_DONT_SHARE_POOLS
• Revert 'MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules'
• BUG/MINOR: peers: fix data_type bit computation more than 32 data_types
• MINOR: resolvers: Reset server IP on error in resolv_get_ip_from_response()
• BUG/MINOR: resolvers: Reset server IP when no ip is found in the response
• DOC: config: use CREATE USER for mysql-check
• DOC: peers: fix the protocol tag name in the doc
• DOC: stick-table: add missing documentation about gpt0 stored type
• BUG/MINOR: stick-table: fix several printf sign errors dumping tables
• BUG/MINOR: cli: fix server name output in 'show fd'
• BUG/MEDIUM: sock: make sure to never miss early connection failures
• BUG/MINOR: server/cli: Fix locking in function processing 'set server' command
• BUG/MEDIUM: server/cli: Fix ABBA deadlock when fqdn is set from the CLI
• BUG/MINOR: resolvers: answser item list was randomly purged or errors
• DOC: config: Add missing actions in 'tcp-request session' documentation
• MINOR: tcp-act: Add set-src/set-src-port for 'tcp-request content' rules
• BUG/MAJOR: server: fix deadlock when changing maxconn via agent-check
• BUG/MEDIUM: spoe: Register pre/post analyzers in start_analyze callback function
• BUG/MEDIUM: dns: send messages on closed/reused fd if fd was detected broken
• MINOR: mux-h2: obey http-ignore-probes during the preface
• BUG/MAJOR: queue: set SF_ASSIGNED when setting strm->target on dequeue
• BUG/MINOR: mworker: fix typo in chroot error message
• BUG/MINOR: ssl: use atomic ops to update global shctx stats
• BUG/MEDIUM: shctx: use at least thread-based locking on USE_PRIVATE_CACHE
• BUG/MINOR: stick-table: insert srv in used_name tree even with fixed id
• DOC: lua: Add a warning about buffers modification in HTTP
• BUG/MAJOR: htx: Fix htx_defrag() when an HTX block is expanded
• BUG/MEDIUM: dns: reset file descriptor if send returns an error
• BUG/MEDIUM: compression: Add a flag to know the filter is still processing data
• BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
• BUG/MINOR: proxy: Missing calloc return value check in chash_init_server_tree
• BUG/MINOR: http: Missing calloc return value check in make_arg_list
• BUG/MINOR: http: Missing calloc return value check while parsing redirect rule
• BUG/MINOR: worker: Missing calloc return value check in mworker_env_to_proc_list
• BUG/MINOR: compression: Missing calloc return value check in comp_append_type/algo
• BUG/MINOR: http: Missing calloc return value check while parsing tcp-request rule
• BUG/MINOR: http: Missing calloc return value check while parsing tcp-request/tcp-response
• BUG/MINOR: proxy: Missing calloc return value check in proxy_defproxy_cpy
• BUG/MINOR: proxy: Missing calloc return value check in proxy_parse_declare
• BUG/MINOR: http: Missing calloc return value check in parse_http_req_capture
• BUG/MINOR: ssl: Missing calloc return value check in ssl_init_single_engine
• BUG/MINOR: peers: Missing calloc return value check in peers_register_table
• BUG/MINOR: server: Missing calloc return value check in srv_parse_source
• BUG/MINOR: http-ana: Handle L7 retries on refused early data before K/A aborts
• BUG/MINOR: http-comp: Preserve HTTP_MSGF_COMPRESSIONG flag on the response
• BUG/MEDIUM: filters: Exec pre/post analysers only one time per filter
• BUG/MAJOR: server: prevent deadlock when using 'set maxconn server'
• BUG/MEDIUM: ebtree: Invalid read when looking for dup entry
• REGTESTS: Add script to test abortonclose option
• MEDIUM: mux-h1: Don't block reads when waiting for the other side
• BUG/MINOR: stream-int: Don't block reads in si_update_rx() if chn may receive
• MINOR: channel: Rely on HTX version if appropriate in channel_may_recv()
• BUG/MINOR: http_fetch: fix possible uninit sockaddr in fetch_url_ip/port
• BUG/MINOR: stream: Reset stream final state and si error type on L7 retry
• BUG/MINOR: stream: properly clear the previous error mask on L7 retries
• BUG/MINOR: stream: Decrement server current session counter on L7 retry
• BUG/MEDIUM: cli: prevent memory leak on write errors
• BUG/MINOR: hlua: Don't rely on top of the stack when using Lua buffers
• MINOR: hlua: Add error message relative to the Channel manipulation and HTTP mode
• MINOR: peers: add informative flags about resync process for debugging
• BUG/MEDIUM: peers: reset tables stage flags stages on new conns
• BUG/MEDIUM: peers: re-work updates lookup during the sync on the fly
• BUG/MEDIUM: peers: reset commitupdate value in new conns
• BUG/MEDIUM: peers: reset starting point if peers appears longly disconnected
• BUG/MEDIUM: peers: stop considering ack messages teaching a full resync
• BUG/MEDIUM: peers: register last acked value as origin receiving a resync req
• BUG/MEDIUM: peers: initialize resync timer to get an initial full resync
• BUG/MINOR: applet: Notify the other side if data were consumed by an applet
• BUG/MINOR: htx: Preserve HTX flags when draining data from an HTX message
• BUG/MEDIUM: peers: re-work refcnt on table to protect against flush
• BUG/MEDIUM: peers: re-work connection to new process during reload.
• BUG/MINOR: peers: remove useless table check if initial resync is finished
• BUG/MEDIUM: mux-h2: Properly handle shutdowns when received with data
• BUG/MINOR: mworker: don't use oldpids[] anymore for reload
• BUG/MINOR: mworker/init: don't reset nb_oldpids in non-mworker cases
• BUG/MEDIUM: config: fix cpu-map notation with both process and threads
• BUG/MEDIUM: mux-h2: Fix dfl calculation when merging CONTINUATION frames
• BUG/MAJOR: mux-h2: Properly detect too large frames when decoding headers
• BUG/MINOR: server: free srv.lb_nodes in free_server
• BUG/MINOR: mux-h1: Release idle server H1 connection if data are received
• BUG/MINOR: logs: Report the true number of retries if there was no connection
• BUG/MINOR: http_htx: Remove BUG_ON() from http_get_stline() function
• BUG/MINOR: http-fetch: Make method smp safe if headers were already forwarded
• BUG/MEDIUM: threads: Ignore current thread to end its harmless period
• BUG/MEDIUM: sample: Fix adjusting size in field converter
• DOC: clarify that compression works for HTTP/2
• BUG/MINOR: tools: fix parsing 'us' unit for timers
• DOC: Explicitly state only IPv4 are supported by forwardfor/originalto options
• [RELEASE] Released version 2.0.22
• BUG/MEDIUM: resolvers: Don't release resolution from a requester callbacks
• MINOR: resolvers: Directly call srvrq_update_srv_state() when possible
• MINOR: resolvers: Add function to change the srv status based on SRV resolution
• MINOR: resolvers: Purge answer items when a SRV resolution triggers an error
• MINOR: resolvers: Use a function to remove answers attached to a resolution
• BUG/MINOR: resolvers: Unlink DNS resolution to set RMAINT on SRV resolution
• BUG/MAJOR: dns: disabled servers through SRV records never recover
• BUG/MAJOR: dns: fix null pointer dereference in snr_update_srv_status
• BUG/MINOR: http_fetch: make hdr_ip() resistant to empty fields
• BUILD: tcp: use IPPROTO_IPV6 instead of SOL_IPV6 on FreeBSD/MacOS
• BUG/MINOR: tcp: fix silent-drop workaround for IPv6
• BUG/MINOR: stats: Apply proper styles in HTML status page.
• BUG/MEDIUM: mux-h1: make h1_shutw_conn() idempotent
• BUG/MINOR: http_fetch: make hdr_ip() reject trailing characters
• MINOR: tools: make url2ipv4 return the exact number of bytes parsed
• BUG/MEDIUM: thread: Fix a deadlock if an isolated thread is marked as harmless
• BUG/MEDIUM: time: make sure to always initialize the global tick
• BUG/MEDIUM: lua: Always init the lua stack before referencing the context
• BUG/MEDIUM: debug/lua: Use internal hlua function to dump the lua traceback
• MINOR: lua: Slightly improve function dumping the lua traceback
• MINOR/BUG: mworker/cli: do not use the unix_bind prefix for the master CLI socket
• BUG/MEDIUM: freq_ctr/threads: use the global_now_ms variable
• MINOR: time: also provide a global, monotonic global_now_ms timer
• [RELEASE] Released version 2.0.21
• BUG/MINOR: freq_ctr/threads: make use of the last updated global time
• MINOR: time: export the global_now variable
• BUG/MINOR: resolvers: Add missing case-insensitive comparisons of DNS hostnames
• BUG/MINOR: resolvers: Reset server address on DNS error only on status change
• BUG/MINOR: resolvers: Consider server to have no IP on DNS resolution error
• CLEANUP: tcp-rules: add missing actions in the tcp-request error message
• BUG/MINOR: session: Add some forgotten tests on session's listener
• BUG/MINOR: proxy/session: Be sure to have a listener to increment its counters
• BUG/MEDIUM: filters: Set CF_FL_ANALYZE on channels when filters are attached
• BUG/MEDIUM: session: NULL dereference possible when accessing the listener
• BUG/MINOR: ssl: don't truncate the file descriptor to 16 bits in debug mode
• BUG/MINOR: hlua: Don't strip last non-LWS char in hlua_pushstrippedstring()
• BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
• BUG/MINOR: http-ana: Don't increment HTTP error counter on read error/timeout
• DOC: spoe: Add a note about fragmentation support in HAProxy
• BUG/MEDIUM: spoe: Kill applets if there are pending connections and nbthread > 1
• BUG/MINOR: connection: Use the client's dst family for adressless servers
• BUG/MINOR: tcp-act: Don't forget to set the original port for IPv4 set-dst rule
• BUG/MINOR: http-ana: Only consider dst address to process originalto option
• BUG/MINOR: mux-h1: Immediately report H1C errors from h1_snd_buf()
• BUG/MEDIUM: resolvers: Reset address for unresolved servers
• BUG/MEDIUM: resolvers: Reset server address and port for obselete SRV records
• BUG/MINOR: resolvers: new callback to properly handle SRV record errors
• BUG/MINOR: proxy: wake up all threads when sending the hard-stop signal
• BUG/MEDIUM: cli/shutdown sessions: make it thread-safe
• BUG/MEDIUM: proxy: use thread-safe stream killing on hard-stop
• BUG/MEDIUM: vars: make functions vars_get_by_{name,desc} thread-safe
• BUG/MINOR: sample: secure convs that accept base64 string and var name as args
• BUG/MEDIUM: mux-h1: Fix handling of responses to CONNECT other than 200-ok
• BUG/MINOR: server: Be sure to cut the last parsed field of a server-state line
• BUG/MINOR: server: Init params before parsing a new server-state line
• BUG/MINOR: sample: Always consider zero size string samples as unsafe
• BUG/MINOR: checks: properly handle wrapping time in __health_adjust()
• BUG/MINOR: session: atomically increment the tracked sessions counter
• BUG/MINOR: server: Remove RMAINT from admin state when loading server state
• CLEANUP: channel: fix comment in ci_putblk.
• BUG/MINOR: server: Don't call fopen() with server-state filepath set to NULL
• BUG/MINOR: cfgparse: do not mention 'addr:port' as supported on proxy lines
• BUG/MEDIUM: config: don't pick unset values from last defaults section
• CLEANUP: deinit: release global and per-proxy server-state variables on deinit
• BUG/MINOR: server: Fix server-state-file-name directive
• BUG/MINOR: backend: hold correctly lock when killing idle conn
• BUG/MINOR: tools: Fix a memory leak on error path in parse_dotted_uints()
• BUG/MINOR: server: re-align state file fields number
• BUG/MEDIUM: mux-h1: Always set CS_FL_EOI for response in MSG_DONE state
• BUG/MEDIUM: mux-h2: Be sure to enter in demux loop even if dbuf is empty
• BUG/MEDIUM: mux-h2: do not quit the demux loop before setting END_REACHED
• BUG/MEDIUM: mux-h2: handle remaining read0 cases
• BUILD: Makefile: move REGTESTST_TYPE default setting
• BUG/MINOR: xxhash: make sure armv6 uses memcpy()
• BUG/MEDIUM: ssl: check a connection's status before computing a handshake
• BUG/MINOR: stick-table: Always call smp_fetch_src() with a valid arg list
• DOC: management: fix 'show resolvers' alphabetical ordering
• BUG/MINOR: config: fix leak on proxy.conn_src.bind_hdr_name
• BUG/MEDIUM: filters/htx: Fix data forwarding when payload length is unknown
• BUG/MEDIUM: stats: add missing INF_BUILD_INFO definition
• BUILD/MINOR: lua: define _GNU_SOURCE for LLONG_MAX
• BUG/MEDIUM: mux-h2: fix read0 handling on partial frames
• BUG/MINOR: mworker: define _GNU_SOURCE for strsignal()
• BUG/MINOR: peers: Wrong 'new_conn' value for 'show peers' CLI command.
• BUG/MINOR: init: Use a dynamic buffer to set HAPROXY_CFGFILES env variable
• BUG/MINOR: sample: Memory leak of sample_expr structure in case of error
• BUG/MINOR: sample: check alloc_trash_chunk return value in concat()
• [RELEASE] Released version 2.0.20
• BUG/MINOR: sample: fix concat() converter's corruption with non-string variables
• DOC: Add maintainers for the Prometheus exporter
• SCRIPTS: announce-release: fix typo in help message
• DOC: fix some spelling issues over multiple files
• MINOR: contrib/prometheus-exporter: export build_info
• BUILD: Makefile: exclude broken tests by default
• BUG/MINOR: srv: do not init address if backend is disabled
• SCRIPTS: make announce release support preparing announces before tag exists
• SCRIPTS: improve announce-release to support different tag and versions
• BUG/MINOR: cfgparse: Fail if the strdup() for `rule->be.name` for `use_backend` fails
• MINOR: atomic: don't use ; to separate instruction on aarch64.
• BUILD: hpack: hpack-tbl-t.h uses VAR_ARRAY but does not include compiler.h
• BUILD: plock: remove dead code that causes a warning in gcc 11
• CONTRIB: halog: fix signed/unsigned build warnings on counts and timestamps
• CONTRIB: halog: mark the has_zero* functions unused
• CONTRIB: halog: fix build issue caused by %L printf format
• BUG/MEDIUM: http-ana: Never for sending data in TUNNEL mode
• BUG/MINOR: mux-h1: Don't set CS_FL_EOI too early for protocol upgrade requests
• BUILD: Makefile: have 'make clean' destroy .o/.a/.s in contrib subdirs as well
• REGTESTS: make use of HAPROXY_ARGS and pass -dM by default
• CLEANUP: contrib/prometheus-exporter: typo fixes for ssl reuse metric
• CLEANUP: lua: Remove declaration of an inexistant function
• BUG/MEDIUM: lb-leastconn: Reposition a server using the right eweight
• BUG/MINOR: tools: Reject size format not starting by a digit
• BUG/MINOR: tools: make parse_time_err() more strict on the timer validity
• DOC: email change of the DeviceAtlas maintainer
• BUG/MEDIUM: spoa/python: Fixing references to None
• BUG/MEDIUM: spoa/python: Fixing PyObject_Call positional arguments
• BUG/MINOR: spoa/python: Cleanup ipaddress objects if initialization fails
• BUG/MINOR: spoa/python: Cleanup references for failed Module Addobject operations
• DOC: spoa/python: Fixing typos in comments
• DOC: spoa/python: Rephrasing memory related error messages
• DOC: spoa/python: Fixing typo in IP related error messages
• BUG/MAJOR: spoa/python: Fixing return None
• DOC/MINOR: Fix formatting in Management Guide
• BUG/MINOR: lua: warn when registering action, conv, sf, cli or applet multiple times
• MINOR: cli: add a function to look up a CLI service description
• MINOR: actions: add a function returning a service pointer from its name
• MINOR: actions: Export actions lookup functions
• BUG/MINOR: lua: Some lua init operation are processed unsafe
• BUG/MINOR: lua: Post init register function are not executed beyond the first one
• BUG/MINOR: lua: lua-load doesn't check its parameters
• MINOR: plock: use an ARMv8 instruction barrier for the pause instruction
• DOC: config: Move req.hdrs and req.hdrs_bin in L7 samples fetches section
• BUG/MAJOR: peers: fix partial message decoding
• BUG/MAJOR: filters: Always keep all offsets up to date during data filtering
• BUG/MINOR: http-ana: Don't wait for the body of CONNECT requests
• BUG/MEDIUM: filters: Forward all filtered data at the end of http filtering
• BUILD: http-htx: fix build warning regarding long type in printf
• MINOR: cfgparse: tighten the scope of newnameserver variable, free it on error.
• MINOR: spoe: Don't close connection in sync mode on processing timeout
• BUG/MAJOR: spoe: Be sure to remove all references on a released spoe applet
• BUG/MINOR: http-fetch: Fix calls w/o parentheses of the cookie sample fetches
• BUG/MINOR: http-fetch: Extract cookie value even when no cookie name
• BUG/MEDIUM: peers: fix decoding of multi-byte length in stick-table messages
• BUG/MINOR: peers: Missing TX cache entries reset.
• BUG/MINOR: peers: Do not ignore a protocol error for dictionary entries.
• BUG/MINOR: lua: set buffer size during map lookups
• BUG/MINOR: pattern: a sample marked as const could be written
• [RELEASE] Released version 2.0.19
• BUG/MINOR: http-htx: Just warn if payload of an errorfile doesn't match the C-L
• MINOR: http-htx: Add understandable errors for the errorfiles parsing
• BUG/MEDIUM: stick-table: limit the time spent purging old entries
• BUG/MINOR: filters: Skip disabled proxies during startup only
• BUG/MEDIUM: mux-pt: Release the tasklet during an HTTP upgrade
• MINOR: server: Copy configuration file and line for server templates
• BUG/MINOR: server: Set server without addr but with dns in RMAINT on startup
• BUG/MEDIUM: filters: Don't try to init filters for disabled proxies
• BUG/MINOR: cache: Inverted variables in http_calc_maxage function
• BUG/MINOR: lua: initialize sample before using it
• BUG/MINOR: server: fix down_time report for stats
• BUG/MINOR: server: fix srv downtime calcul on starting
• BUG/MINOR: log: fix memory leak on logsrv parse error
• BUG/MINOR: extcheck: add missing checks on extchk_setenv()
• BUG/MAJOR: mux-h2: Don't try to send data if we know it is no longer possible
• BUG/MINOR: http-ana: Don't send payload for internal responses to HEAD requests
• BUG/MEDIUM: server: support changing the slowstart value from state-file
• BUG/MINOR: queue: properly report redistributed connections
• BUG/MINOR: peers: Possible unexpected peer seesion reset after collisions.
• BUG/MEDIUM: lb: Always lock the server when calling server_{take,drop}_conn
• BUG/MEDIUM: mux-h1: Get the session from the H1S when capturing bad messages
• BUG/MEDIUM: spoe: Unset variable instead of set it if no data provided
• BUG/MEDIUM: task: bound the number of tasks picked from the wait queue at once
• MINOR: fd: report an error message when failing initial allocations
• BUG/MINOR: mux-h2: do not stop outgoing connections on stopping
• BUG/MINOR: init: only keep rlim_fd_cur if max is unlimited
• BUG/MEDIUM: h1: Always try to receive more in h1_rcv_buf().
• BUG/MINOR: http-htx: Expect no body for 204/304 internal HTTP responses
• BUG/MEDIUM: mux-h2: Don't handle pending read0 too early on streams
• BUG/MINOR: mux-h1: Always set the session on frontend h1 stream
• BUG/MINOR: peers: Inconsistency when dumping peer status codes.
• MINOR: hlua: Display debug messages on stderr only in debug mode
• BUG/MINOR: stats: fix validity of the json schema
• MINOR: counters: fix a typo in comment
• BUG/MEDIUM: queue: make pendconn_cond_unlink() really thread-safe
• BUG/MINOR: Fix several leaks of 'log_tag' in init().
• BUILD: makefile: Fix building with closefrom() support enabled
• DOC: ssl: crt-list negative filters are only a hint
• [RELEASE] Released version 2.0.18
• REGTEST: make map_regm_with_backref require 1.7
• REGTEST: make abns_socket.vtc require 1.8
• REGTEST: fix host part in balance-uri-path-only.vtc
• REGTESTS: add a few load balancing tests
• DOC: agent-check: fix typo in 'fail' word expected reply
• DOC: spoa-server: fix false friends `actually`
• BUG/MEDIUM: listeners: do not pause foreign listeners
• BUG/MINOR: config: Fix memory leak on config parse listen
• BUG/MINOR: Fix memory leaks cfg_parse_peers
• BUG/MEDIUM: h2: report frame bits only for handled types
• BUG/MINOR: http-fetch: Don't set the sample type during the htx prefetch
• BUG/MINOR: server: report correct error message for invalid port on 'socks4'
• BUG/MINOR: ssl: verifyhost is case sensitive
• BUG/MEDIUM: ssl: does not look for all SNIs before chosing a certificate
• BUG/MEDIUM: http-ana: Don't wait to send 1xx responses received from servers
• BUG/MEDIUM: pattern: Renew the pattern expression revision when it is pruned
• BUILD: threads: better workaround for late loading of libgcc_s
• BUG/MEDIUM: mux-h1: always apply the timeout on half-closed connections
• BUG/MINOR: auth: report valid crypto(3) support depending on build options
• CLEANUP: Update .gitignore
• MINOR: Commit .gitattributes
• BUILD: thread: limit the libgcc_s workaround to glibc only
• BUG/MINOR: threads: work around a libgcc_s issue with chrooting
• BUG/MEDIUM: ssl: check OCSP calloc in ssl_sock_load_ocsp()
• BUG/MEDIUM: doc: Fix replace-path action description
• BUG/MINOR: startup: haproxy -s cause 100% cpu
• BUG/MEDIUM: contrib/spoa-server: Fix ipv4_address used instead of ipv6_address
• BUG/MINOR: contrib/spoa-server: Updating references to free in case of failure
• BUG/MINOR: contrib/spoa-server: Do not free reference to NULL
• BUG/MINOR: contrib/spoa-server: Ensure ip address references are freed
• BUG/MAJOR: contrib/spoa-server: Fix unhandled python call leading to memory leak
• DOC: cache: Use '' instead of '' in error message
• BUG/MINOR: reload: do not fail when no socket is sent
• BUG/MEDIUM: htx: smp_prefetch_htx() must always validate the direction
• BUG/MINOR: stats: use strncmp() instead of memcmp() on health states
• BUG/MINOR: snapshots: leak of snapshots on deinit()
• BUG/MINOR: lua: Check argument type to convert it to IP mask in arg validation
• BUG/MINOR: lua: Check argument type to convert it to IPv4/IPv6 arg validation
• BUG/MEDIUM: map/lua: Return an error if a map is loaded during runtime
• BUG/MEDIUM: mux-h1: Refresh H1 connection timeout after a synchronous send
• BUG/MEDIUM: mux-h2: Don't fail if nothing is parsed for a legacy chunk response
• SCRIPTS: git-show-backports: emit the shell command to backport a commit
• SCRIPTS: git-show-backports: make -m most only show the left branch
• [RELEASE] Released version 2.0.17
• SCRIPTS: announce-release: add the link to the wiki in the announce messages
• MINOR: stream-int: Be sure to have a mux to do sends and receives
• MINOR: connection: Preinstall the mux for non-ssl connect
• BUG/MINOR: tcp-rules: Set the inspect-delay when a tcp-response action yields
• BUG/MEDIUM: dns: Don't yield in do-resolve action on a final evaluation
• MEDIUM: lua: Add support for the Lua 5.4
• BUG/MINOR: debug: Don't dump the lua stack if it is not initialized
• BUG/MEDIUM: mux-h1: Disable the splicing when nothing is received
• BUG/MEDIUM: mux-h1: Wakeup the H1C in h1_rcv_buf() if more data are expected
• BUG/MEDIUM: dns: Release answer items when a DNS resolution is freed
• BUG/MAJOR: dns: Make the do-resolve action thread-safe
• BUG/MEDIUM: mux-h2: Emit an error if the response chunk formatting is incomplete
• BUG/MEDIUM: resolve: fix init resolving for ring and peers section.
• BUG/MINOR: cfgparse: don't increment linenum on incomplete lines
• BUILD: thread: add parenthesis around values of locking macros
• MINOR: pools: increase MAX_BASE_POOLS to 64
• BUG/MINOR: threads: Don't forget to init each thread toremove_lock.
• REGEST: Add reg tests about error files
• BUILD: ebtree: fix build on libmusl after recent introduction of eb_memcmp()
• [RELEASE] Released version 2.0.16
• BUG/MEDIUM: channel: Be aware of SHUTW_NOW flag when output data are peeked
• BUG/MEDIUM: log: issue mixing sampled to not sampled log servers.
• BUG/MEDIUM: mux-h1: Continue to process request when switching in tunnel mode
• CONTRIB: da: fix memory leak in dummy function da_atlas_open()
• BUG/MINOR: sample: Free str.area in smp_check_const_meth
• BUG/MINOR: sample: Free str.area in smp_check_const_bool
• DOC: configuration: remove obsolete mentions of H2 being converted to HTTP/1.x
• BUG/MEDIUM: stream-int: Disable connection retries on plain HTTP proxy mode
• BUG/MAJOR: stream: Mark the server address as unset on new outgoing connection
• MINOR: http: Add support for http 413 status
• BUG/MINOR: backend: Remove CO_FL_SESS_IDLE if a client remains on the last server
• BUG/MEDIUM: connection: Continue to recv data to a pipe when the FD is not ready
• MINOR: connection: move the CO_FL_WAIT_ROOM cleanup to the reader only
• BUG/MEDIUM: mux-h1: Subscribe rather than waking up in h1_rcv_buf()
• BUG/MEDIUM: mux-h1: Disable splicing for the conn-stream if read0 is received
• BUG/MINOR: mux-h1: Disable splicing only if input data was processed
• BUG/MINOR: mux-h1: Don't read data from a pipe if the mux is unable to receive
• BUG/MINOR: mux-h1: Fix the splicing in TUNNEL mode
• BUG/MINOR: http_act: don't check capture id in backend (2)
• DOC: configuration: fix alphabetical ordering for tune.pool-{high,low}-fd-ratio
• DOC: configuration: add missing index entries for tune.pool-{low,high}-fd-ratio
• BUG/MINOR: proxy: always initialize the trash in show servers state
• BUG/MINOR: proxy: fix dump_server_state()'s misuse of the trash
• BUG/MEDIUM: pattern: Add a trailing \0 to match strings only if possible
• DOC: ssl: add 'allow-0rtt' and 'ciphersuites' in crt-list
• MINOR: cli: make 'show sess' stop at the last known session
• BUG/MEDIUM: fetch: Fix hdr_ip misparsing IPv4 addresses due to missing NUL
• REGTEST: ssl: add some ssl_c_* sample fetches test
• REGTEST: ssl: tests the ssl_f_* sample fetches
• MINOR: spoe: Don't systematically create new applets if processing rate is low
• BUG/MINOR: http_ana: clarify connection pointer check on L7 retry
• BUG/MINOR: spoe: correction of setting bits for analyzer
• REGTEST: Add a simple script to tests errorfile directives in proxy sections
• BUG/MINOR: systemd: Wait for network to be online
• MEDIUM: map: make the 'clear map' operation yield
• REGTEST: http-rules: test spaces in ACLs with master CLI
• REGTEST: http-rules: test spaces in ACLs
• BUG/MINOR: mworker/cli: fix semicolon escaping in master CLI
• BUG/MINOR: mworker/cli: fix the escaping in the master CLI
• BUG/MINOR: cli: allow space escaping on the CLI
• BUG/MINOR: spoe: add missing key length check before checking key names
• BUG/MEDIUM: ebtree: use a byte-per-byte memcmp() to compare memory blocks
• BUG/MINOR: tcp-rules: tcp-response must check the buffer's fullness
• MINOR: http: Add 404 to http-request deny
• MINOR: http: Add 410 to http-request deny
• [RELEASE] Released version 2.0.15
• REGTESTS: checks: Fix tls_health_checks when IPv6 addresses are used
• BUG/MINOR: ssl: fix ssl-{min,max}-ver with openssl < 1.1.0
• REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for compression/lua_validation
• REGTESTS: Add missing OPENSSL to REQUIRE_OPTIONS for lua/txn_get_priv
• BUG/MEDIUM: pattern: fix thread safety of pattern matching
• BUG/MEDIUM: log: don't hold the log lock during writev() on a file descriptor
• BUG/MINOR: mworker: fix a memleak when execvp() failed
• BUG/MEDIUM: mworker: fix the reload with an -- option
• BUG/MINOR: init: -S can have a parameter starting with a dash
• BUG/MINOR: init: -x can have a parameter starting with a dash
• BUG/MEDIUM: mworker: fix the copy of options in copy_argv()
• BUILD: makefile: adjust the sed expression of 'make help' for solaris
• BUG/MINOR: proto-http: Fix detection of NTLM for the legacy HTTP version
• BUG/MEDIUM: logs: fix trailing zeros on log message.
• BUG/MINOR: logs: prevent double line returns in some events.
• BUG/MEDIUM: contrib/prometheus-exporter: Properly set flags to dump metrics
• BUG/MEDIUM: hlua: Lock pattern references to perform set/add/del operations
• BUG/MEDIUM: lua: Reset analyse expiration timeout before executing a lua action
• BUG/MINOR: peers: fix internal/network key type mapping.
• SCRIPTS: publish-release: pass -n to gzip to remove timestamp
• Revert 'BUG/MEDIUM: connections: force connections cleanup on server changes'
• BUG/MINOR: nameservers: fix error handling in parsing of resolv.conf
• BUG/MINOR: lua: Add missing string length for lua sticktable lookup
• BUG/MINOR: server: Fix server_finalize_init() to avoid unused variable
• BUG/MINOR: checks: Respect check-ssl param when a port or an addr is specified
• BUG/MINOR: cache: Don't needlessly test 'cache' keyword in parse_cache_flt()
• BUILD: select: only declare existing local labels to appease clang
• BUG/MINOR: soft-stop: always wake up waiting threads on stopping
• BUG/MINOR: pollers: remove uneeded free in global init
• BUG/MINOR: pools: use %u not %d to report pool stats in 'show pools'
• BUG/MINOR: cfgparse: Abort parsing the current line if an invalid \x sequence is encountered
• BUG/MEDIUM: http_ana: make the detection of NTLM variants safer
• BUG/MINOR: http-ana: fix NTLM response parsing again
• BUG/MINOR: config: Make use_backend and use-server post-parsing less obscur
• BUG/MEDIUM: lua: Fix dumping of stick table entries for STD_T_DICT
• BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_UPDATE_{MIN,MAX}()
• BUG/MINOR: threads: fix multiple use of argument inside HA_ATOMIC_CAS()
• BUG/MINOR: sample: Set the correct type when a binary is converted to a string
• CLEANUP: connections: align function declaration
• BUG/MEDIUM: ssl: fix the id length check within smp_fetch_ssl_fc_session_id()
• BUG/MEDIUM: connections: force connections cleanup on server changes
• BUG/MAJOR: stream-int: always detach a faulty endpoint on connect failure
• BUG/MEDIUM: stream: Only allow L7 retries when using HTTP.
• BUG/MEDIUM: streams: Remove SF_ADDR_SET if we're retrying due to L7 retry.
• BUG/MINOR: checks: Remove a warning about http health checks
• BUG/MINOR: checks: Compute the right HTTP request length for HTTP health checks
• BUG/MEDIUM: checks: Always initialize checks before starting them
• BUG/MINOR: checks/server: use_ssl member must be signed
• BUG/MEDIUM: server/checks: Init server check during config validity check
• Revert 'BUG/MINOR: connection: make sure to correctly tag local PROXY connections'
• BUG/MEDIUM: backend: don't access a non-existing mux from a previous connection
• REGTEST: ssl: test the client certificate authentication
• MINOR: stream: report the list of active filters on stream crashes
• BUG/MEDIUM: shctx: bound the number of loops that can happen around the lock
• BUG/MEDIUM: shctx: really check the lock's value while waiting
• BUG/MINOR: debug: properly use long long instead of long for the thread ID
• MINOR: threads: export the POSIX thread ID in panic dumps
• BUG/MEDIUM: listener: mark the thread as not stuck inside the loop
• BUG/MEDIUM: sample: make the CPU and latency sample fetches check for a stream
• BUG/MEDIUM: http: the 'unique-id' sample fetch could crash without a steeam
• BUG/MEDIUM: http: the 'http_first_req' sample fetch could crash without a steeam
• BUG/MEDIUM: capture: capture.{req,res}.* crash without a stream
• BUG/MEDIUM: capture: capture-req/capture-res converters crash without a stream
• BUG/MINOR: obj_type: Handle stream object in obj_base_ptr() function
• BUG/MINOR: checks: chained expect will not properly wait for enough data
• BUG/MINOR: checks: Respect the no-check-ssl option
• MINOR: checks: Add a way to send custom headers and payload during http chekcs
• BUG/MINOR: check: Update server address and port to execute an external check
• DOC: option logasap does not depend on mode
• BUG/MINOR: http: make url_decode() optionally convert '+' to SP
• BUG/MINOR: tools: fix the i386 version of the div64_32 function
• BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
• BUG/MINOR: ssl: default settings for ssl server options are not used
• DOC: Improve documentation on http-request set-src
• DOC: hashing: update link to hashing functions
• BUG/MINOR: peers: Incomplete peers sections should be validated.
• BUG/MINOR: protocol_buffer: Wrong maximum shifting.

SUSE-CU-2023:628-1

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

SUSE-CU-2023:499-1

This update for buildah fixes the following issues:

• CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
• CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
• CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

• run: add container gid to additional groups

• Add fix for CVE-2022-2990 / bsc#1202812

• Don't try to call runLabelStdioPipes if spec.Linux is not set
• build: support filtering cache by duration using --cache-ttl
• build: support building from commit when using git repo as build context
• build: clean up git repos correctly when using subdirs
• integration tests: quote '?' in shell scripts
• test: manifest inspect should have OCIv1 annotation
• vendor: bump to c/common@87fab4b7019a
• Failure to determine a file or directory should print an error
• refactor: remove unused CommitOptions from generateBuildOutput
• stage_executor: generate output for cases with no commit
• stage_executor, commit: output only if last stage in build
• Use errors.Is() instead of os.Is{Not,}Exist
• Minor test tweak for podman-remote compatibility
• Cirrus: Use the latest imgts container
• imagebuildah: complain about the right Dockerfile
• tests: don't try to wrap `nil` errors
• cmd/buildah.commitCmd: don't shadow 'err'
• cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
• Fix a copy/paste error message
• Fix a typo in an error message
• build,cache: support pulling/pushing cache layers to/from remote sources
• Update vendor of containers/(common, storage, image)
• Rename chroot/run.go to chroot/run_linux.go
• Don't bother telling codespell to skip files that don't exist
• Set user namespace defaults correctly for the library
• imagebuildah: optimize cache hits for COPY and ADD instructions
• Cirrus: Update VM images w/ updated bats
• docs, run: show SELinux label flag for cache and bind mounts
• imagebuildah, build: remove undefined concurrent writes
• bump github.com/opencontainers/runtime-tools
• Add FreeBSD support for 'buildah info'
• Vendor in latest containers/(storage, common, image)
• Add freebsd cross build targets
• Make the jail package build on 32bit platforms
• Cirrus: Ensure the build-push VM image is labeled
• GHA: Fix dynamic script filename
• Vendor in containers/(common, storage, image)
• Run codespell
• Remove import of github.com/pkg/errors
• Avoid using cgo in pkg/jail
• Rename footypes to fooTypes for naming consistency
• Move cleanupTempVolumes and cleanupRunMounts to run_common.go
• Make the various run mounts work for FreeBSD
• Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
• Move runSetupRunMounts to run_common.go
• Move cleanableDestinationListFromMounts to run_common.go
• Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
• Move setupMounts and runSetupBuiltinVolumes to run_common.go
• Tidy up - runMakeStdioPipe can't be shared with linux
• Move runAcceptTerminal to run_common.go
• Move stdio copying utilities to run_common.go
• Move runUsingRuntime and runCollectOutput to run_common.go
• Move fileCloser, waitForSync and contains to run_common.go
• Move checkAndOverrideIsolationOptions to run_common.go
• Move DefaultNamespaceOptions to run_common.go
• Move getNetworkInterface to run_common.go
• Move configureEnvironment to run_common.go
• Don't crash in configureUIDGID if Process.Capabilities is nil
• Move configureUIDGID to run_common.go
• Move runLookupPath to run_common.go
• Move setupTerminal to run_common.go
• Move etc file generation utilities to run_common.go
• Add run support for FreeBSD
• Add a simple FreeBSD jail library
• Add FreeBSD support to pkg/chrootuser
• Sync call signature for RunUsingChroot with chroot/run.go
• test: verify feature to resolve basename with args
• vendor: bump openshift/imagebuilder to master@4151e43
• GHA: Remove required reserved-name use
• buildah: set XDG_RUNTIME_DIR before setting default runroot
• imagebuildah: honor build output even if build container is not commited
• chroot: honor DefaultErrnoRet
• [CI:DOCS] improve pull-policy documentation
• tests: retrofit test since --file does not supports dir
• Switch to golang native error wrapping
• BuildDockerfiles: error out if path to containerfile is a directory
• define.downloadToDirectory: fail early if bad HTTP response
• GHA: Allow re-use of Cirrus-Cron fail-mail workflow
• add: fail on bad http response instead of writing to container
• [CI:DOCS] Update buildahimage comment
• lint: inspectable is never nil
• vendor: c/common to common@7e1563b
• build: support OCI hooks for ephemeral build containers
• [CI:BUILD] Install latest buildah instead of compiling
• Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
• Make sure cpp is installed in buildah images
• demo: use unshare for rootless invocations
• buildah.spec.rpkg: initial addition
• build: fix test for subid 4
• build, userns: add support for --userns=auto
• Fix building upstream buildah image
• Remove redundant buildahimages-are-sane validation
• Docs: Update multi-arch buildah images readme
• Cirrus: Migrate multiarch build off github actions
• retrofit-tests: we skip unused stages so use stages
• stage_executor: dont rely on stage while looking for additional-context
• buildkit, multistage: skip computing unwanted stages
• More test cleanup
• copier: work around freebsd bug for 'mkdir /'
• Replace $BUILDAH_BINARY with buildah() function
• Fix up buildah images
• Make util and copier build on FreeBSD
• Vendor in latest github.com/sirupsen/logrus
• Makefile: allow building without .git
• run_unix: don't return an error from getNetworkInterface
• run_unix: return a valid DefaultNamespaceOptions
• Update vendor of containers/storage
• chroot: use ActKillThread instead of ActKill
• use resolvconf package from c/common/libnetwork
• update c/common to latest main
• copier: add `NoOverwriteNonDirDir` option
• Sort buildoptions and move cli/build functions to internal
• Fix TODO: de-spaghettify run mounts
• Move options parsing out of build.go and into pkg/cli
• [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
• build, multiarch: support splitting build logs for --platform
• [CI:BUILD] WIP Cleanup Image Dockerfiles
• cli remove stutter
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• Fix use generic/ambiguous DEBUG name
• Cirrus: use Ubuntu 22.04 LTS
• Fix codespell errors
• Remove util.StringInSlice because it is defined in containers/common
• buildah: add support for renaming a device in rootless setups
• squash: never use build cache when computing last step of last stage
• Update vendor of containers/(common, storage, image)
• buildkit: supports additionalBuildContext in builds via --build-context
• buildah source pull/push: show progress bar
• run: allow resuing secret twice in different RUN steps
• test helpers: default to being rootless-aware
• Add --cpp-flag flag to buildah build
• build: accept branch and subdirectory when context is git repo
• Vendor in latest containers/common
• vendor: update c/storage and c/image
• Fix gentoo install docs
• copier: move NSS load to new process
• Add test for prevention of reusing encrypted layers
• Make `buildah build --label foo` create an empty 'foo' label again

• build, multiarch: support splitting build logs for --platform
• copier: add `NoOverwriteNonDirDir` option
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• buildkit: supports additionalBuildContext in builds via --build-context
• Add --cpp-flag flag to buildah build

• define.downloadToDirectory: fail early if bad HTTP response
• add: fail on bad http response instead of writing to container
• squash: never use build cache when computing last step of last stage
• run: allow resuing secret twice in different RUN steps
• integration tests: update expected error messages
• integration tests: quote '?' in shell scripts
• Use errors.Is() to check for storage errors
• lint: inspectable is never nil
• chroot: use ActKillThread instead of ActKill
• chroot: honor DefaultErrnoRet
• Set user namespace defaults correctly for the library
• contrib/rpm/buildah.spec: fix `rpm` parser warnings

• Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

• buildah: add support for renaming a device in rootless setups

• Make `buildah build --label foo` create an empty 'foo' label again
• imagebuildah,build: move deepcopy of args before we spawn goroutine
• Vendor in containers/storage v1.40.2
• buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
• help output: get more consistent about option usage text
• Handle OS version and features flags
• buildah build: --annotation and --label should remove values
• buildah build: add a --env
• buildah: deep copy options.Args before performing concurrent build/stage
• test: inline platform and builtinargs behaviour
• vendor: bump imagebuilder to master/009dbc6
• build: automatically set correct TARGETPLATFORM where expected
• Vendor in containers/(common, storage, image)
• imagebuildah, executor: process arg variables while populating baseMap
• buildkit: add support for custom build output with --output
• Cirrus: Update CI VMs to F36
• fix staticcheck linter warning for deprecated function
• Fix docs build on FreeBSD
• copier.unwrapError(): update for Go 1.16
• copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
• copier.Put(): write to read-only directories
• Ed's periodic test cleanup
• using consistent lowercase 'invalid' word in returned err msg
• use etchosts package from c/common
• run: set actual hostname in /etc/hostname to match docker parity
• Update vendor of containers/(common,storage,image)
• manifest-create: allow creating manifest list from local image
• Update vendor of storage,common,image
• Initialize network backend before first pull
• oci spec: change special mount points for namespaces
• tests/helpers.bash: assert handle corner cases correctly
• buildah: actually use containers.conf settings
• integration tests: learn to start a dummy registry
• Fix error check to work on Podman
• buildah build should accept at most one arg
• tests: reduce concurrency for flaky bud-multiple-platform-no-run
• vendor in latest containers/common,image,storage
• manifest-add: allow override arch,variant while adding image
• Remove a stray `\` from .containerenv
• Vendor in latest opencontainers/selinux v1.10.1
• build, commit: allow removing default identity labels
• Create shorter names for containers based on image IDs
• test: skip rootless on cgroupv2 in root env
• fix hang when oci runtime fails
• Set permissions for GitHub actions
• copier test: use correct UID/GID in test archives
• run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

This update for permissions fixes the following issues:

• Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137)
• Fix regression introduced by backport of security fix (bsc#1203911)

This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
• Fix memory leaks (bsc#1203046)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for protobuf fixes the following issues:

• CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
• CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
• CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• Fix file conflict during upgrade (bsc#1204211)
• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2 * 8a70235d8a core: Add trigger limit for path units * 93e544f3a0 core/mount: also add default before dependency for automount mount units * 5916a7748c logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179).

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for rpm fixes the following issues:

• Strip critical bit in signature subpackage parsing
• No longer deadlock DNF after pubkey import (bsc#1202750)

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for lvm2 fixes the following issues:

• Design changes to avoid kernel panic (bsc#1198523)
• Fix device-mapper rpm package versioning to prevent migration issues (bsc#1199074)
• killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216)

This update for vim fixes the following issues:
Updated to version 9.0 with patch level 0814:

• CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478).
• CVE-2022-3234: Fixed heap-based buffer overflow (bsc#1203508).
• CVE-2022-3235: Fixed use-after-free (bsc#1203509).
• CVE-2022-3324: Fixed stack-based buffer overflow (bsc#1203820).
• CVE-2022-3705: Fixed use-after-free in function qf_update_buffer of the file quickfix.c (bsc#1204779).
• CVE-2022-2982: Fixed use-after-free in qf_fill_buffer() (bsc#1203152).
• CVE-2022-3296: Fixed stack out of bounds read in ex_finally() in ex_eval.c (bsc#1203796).
• CVE-2022-3297: Fixed use-after-free in process_next_cpt_value() at insexpand.c (bsc#1203797).
• CVE-2022-3099: Fixed use-after-free in ex_docmd.c (bsc#1203110).
• CVE-2022-3134: Fixed use-after-free in do_tag() (bsc#1203194).
• CVE-2022-3153: Fixed NULL pointer dereference (bsc#1203272).
• CVE-2022-3278: Fixed NULL pointer dereference in eval_next_non_blank() in eval.c (bsc#1203799).
• CVE-2022-3352: Fixed use-after-free (bsc#1203924).
• CVE-2022-2980: Fixed NULL pointer dereference in do_mouse() (bsc#1203155).
• CVE-2022-3037: Fixed use-after-free (bsc#1202962).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).
• Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

This update for vim fixes the following issues:
Updated to version 9.0.1040:

• CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742 (bsc#1206028).
• CVE-2022-3520: vim: Heap-based Buffer Overflow (bsc#1206071).
• CVE-2022-3591: vim: Use After Free (bsc#1206072).
• CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882 (bsc#1206075).
• CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804 (bsc#1206077).
• CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11 (bsc#1205797).
• CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c (bsc#1204779).

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for util-linux fixes the following issues:

• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).
• Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist.
• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

This update for permissions fixes the following issues:
Update to version 20181225:

• Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for vim fixes the following issues:

• Updated to version 9.0.1234: - CVE-2023-0433: Fixed an out of bounds memory access that could cause a crash (bsc#1207396). - CVE-2023-0288: Fixed an out of bounds memory access that could cause a crash (bsc#1207162). - CVE-2023-0054: Fixed an out of bounds memory write that could cause a crash or memory corruption (bsc#1206868). - CVE-2023-0051: Fixed an out of bounds memory access that could cause a crash (bsc#1206867). - CVE-2023-0049: Fixed an out of bounds memory access that could cause a crash (bsc#1206866).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
• FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

This update for haproxy fixes the following issues:

• CVE-2023-25725: Fixed a serious vulnerability in the HTTP/1 parser (bsc#1208132).
• CVE-2023-0056: Fixed denial of service via crash in http_wait_for_response() (bsc#1207181).

SUSE-CU-2022:2686-1

SUSE-CU-2022:2685-1

SUSE-CU-2022:2660-1

This update for rpm fixes the following issues:

• Support Ed25519 RPM signatures [jsc#SLE-24714]

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for vim fixes the following issues:
Updated to version 9.0 with patch level 0313:

• CVE-2022-2183: Fixed out-of-bounds read through get_lisp_indent() (bsc#1200902).
• CVE-2022-2182: Fixed heap-based buffer overflow through parse_cmd_address() (bsc#1200903).
• CVE-2022-2175: Fixed buffer over-read through cmdline_insert_reg() (bsc#1200904).
• CVE-2022-2304: Fixed stack buffer overflow in spell_dump_compl() (bsc#1201249).
• CVE-2022-2343: Fixed heap-based buffer overflow in GitHub repository vim prior to 9.0.0044 (bsc#1201356).
• CVE-2022-2344: Fixed another heap-based buffer overflow vim prior to 9.0.0045 (bsc#1201359).
• CVE-2022-2345: Fixed use after free in GitHub repository vim prior to 9.0.0046. (bsc#1201363).
• CVE-2022-2819: Fixed heap-based Buffer Overflow in compile_lock_unlock() (bsc#1202414).
• CVE-2022-2874: Fixed NULL Pointer Dereference in generate_loadvar() (bsc#1202552).
• CVE-2022-1968: Fixed use after free in utf_ptr2char (bsc#1200270).
• CVE-2022-2124: Fixed out of bounds read in current_quote() (bsc#1200697).
• CVE-2022-2125: Fixed out of bounds read in get_lisp_indent() (bsc#1200698).
• CVE-2022-2126: Fixed out of bounds read in suggest_trie_walk() (bsc#1200700).
• CVE-2022-2129: Fixed out of bounds write in vim_regsub_both() (bsc#1200701).
• CVE-2022-1720: Fixed out of bounds read in grab_file_name() (bsc#1200732).
• CVE-2022-2264: Fixed out of bounds read in inc() (bsc#1201132).
• CVE-2022-2284: Fixed out of bounds read in utfc_ptr2len() (bsc#1201133).
• CVE-2022-2285: Fixed negative size passed to memmove() due to integer overflow (bsc#1201134).
• CVE-2022-2286: Fixed out of bounds read in ins_bytes() (bsc#1201135).
• CVE-2022-2287: Fixed out of bounds read in suggest_trie_walk() (bsc#1201136).
• CVE-2022-2231: Fixed null pointer dereference skipwhite() (bsc#1201150).
• CVE-2022-2210: Fixed out of bounds read in ml_append_int() (bsc#1201151).
• CVE-2022-2208: Fixed null pointer dereference in diff_check() (bsc#1201152).
• CVE-2022-2207: Fixed out of bounds read in ins_bs() (bsc#1201153).
• CVE-2022-2257: Fixed out of bounds read in msg_outtrans_special() (bsc#1201154).
• CVE-2022-2206: Fixed out of bounds read in msg_outtrans_attr() (bsc#1201155).
• CVE-2022-2522: Fixed out of bounds read via nested autocommand (bsc#1201863).
• CVE-2022-2571: Fixed heap-based buffer overflow related to ins_comp_get_next_word_or_line() (bsc#1202046).
• CVE-2022-2580: Fixed heap-based buffer overflow related to eval_string() (bsc#1202049).
• CVE-2022-2581: Fixed out-of-bounds read related to cstrchr() (bsc#1202050).
• CVE-2022-2598: Fixed undefined behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput() (bsc#1202051).
• CVE-2022-2817: Fixed use after gree in f_assert_fails() (bsc#1202420).
• CVE-2022-2816: Fixed out-of-bounds Read in check_vim9_unlet() (bsc#1202421).
• CVE-2022-2862: Fixed use-after-free in compile_nested_function() (bsc#1202511).
• CVE-2022-2849: Fixed invalid memory access related to mb_ptr2len() (bsc#1202512).
• CVE-2022-2845: Fixed buffer Over-read related to display_dollar() (bsc#1202515).
• CVE-2022-2889: Fixed use-after-free in find_var_also_in_script() in evalvars.c (bsc#1202599).
• CVE-2022-2923: Fixed NULL pointer dereference in GitHub repository vim/vim prior to 9.0.0240 (bsc#1202687).
• CVE-2022-2946: Fixed use after free in function vim_vsnprintf_typval (bsc#1202689).
• CVE-2022-3016: Fixed use after free in vim prior to 9.0.0285 (bsc#1202862).

• Fixing vim error on startup (bsc#1200884).
• Fixing vim SUSE Linux Enterprise Server 15 SP4 Basesystem plugin-tlib issue (bsc#1201620).

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2084-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for gzip fixes the following issues:

• CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

This update for systemd fixes the following issues:

• tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
• journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
• tmpfiles: constify item_compatible() parameters
• test tmpfiles: add a test for 'w+'
• test: add test checking tmpfiles conf file precedence
• journald: make use of CLAMP() in cache_space_refresh()
• journal-file: port journal_file_open() to openat_report_new()
• fs-util: make sure openat_report_new() initializes return param also on shortcut
• fs-util: fix typos in comments
• fs-util: add openat_report_new() wrapper around openat()

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for vim fixes the following issues:

• CVE-2017-17087: Fixed information leak via .swp files (bsc#1070955).
• CVE-2021-3875: Fixed heap-based buffer overflow (bsc#1191770).
• CVE-2021-3903: Fixed heap-based buffer overflow (bsc#1192167).
• CVE-2021-3968: Fixed heap-based buffer overflow (bsc#1192902).
• CVE-2021-3973: Fixed heap-based buffer overflow (bsc#1192903).
• CVE-2021-3974: Fixed use-after-free (bsc#1192904).
• CVE-2021-4069: Fixed use-after-free in ex_open()in src/ex_docmd.c (bsc#1193466).
• CVE-2021-4136: Fixed heap-based buffer overflow (bsc#1193905).
• CVE-2021-4166: Fixed out-of-bounds read (bsc#1194093).
• CVE-2021-4192: Fixed use-after-free (bsc#1194217).
• CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).
• CVE-2022-0128: Fixed out-of-bounds read (bsc#1194388).
• CVE-2022-0213: Fixed heap-based buffer overflow (bsc#1194885).
• CVE-2022-0261: Fixed heap-based buffer overflow (bsc#1194872).
• CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).
• CVE-2022-0359: Fixed heap-based buffer overflow in init_ccline() in ex_getln.c (bsc#1195203).
• CVE-2022-0392: Fixed heap-based buffer overflow (bsc#1195332).
• CVE-2022-0407: Fixed heap-based buffer overflow (bsc#1195354).
• CVE-2022-0696: Fixed NULL pointer dereference (bsc#1196361).
• CVE-2022-1381: Fixed global heap buffer overflow in skip_range (bsc#1198596).
• CVE-2022-1420: Fixed out-of-range pointer offset (bsc#1198748).
• CVE-2022-1616: Fixed use-after-free in append_command (bsc#1199331).
• CVE-2022-1619: Fixed heap-based Buffer Overflow in function cmdline_erase_chars (bsc#1199333).
• CVE-2022-1620: Fixed NULL pointer dereference in function vim_regexec_string (bsc#1199334).
• CVE-2022-1733: Fixed heap-based buffer overflow in cindent.c (bsc#1199655).
• CVE-2022-1735: Fixed heap-based buffer overflow (bsc#1199651).
• CVE-2022-1771: Fixed stack exhaustion (bsc#1199693).
• CVE-2022-1785: Fixed out-of-bounds write (bsc#1199745).
• CVE-2022-1796: Fixed use-after-free in find_pattern_in_path (bsc#1199747).
• CVE-2022-1851: Fixed out-of-bounds read (bsc#1199936).
• CVE-2022-1897: Fixed out-of-bounds write (bsc#1200010).
• CVE-2022-1898: Fixed use-after-free (bsc#1200011).
• CVE-2022-1927: Fixed buffer over-read (bsc#1200012).

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for systemd-presets-branding-SLE fixes the following issues:

• Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

This update for curl fixes the following issues:

• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• Call pam_loginuid when creating user@.service (bsc#1198507)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit
• Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'
• basic/env-util: (mostly) follow POSIX for what variable names are allowed
• basic/env-util: make function shorter
• basic/escape: add mode where empty arguments are still shown as ''
• basic/escape: always escape newlines in shell_escape()
• basic/escape: escape control characters, but not utf-8, in shell quoting
• basic/escape: use consistent location for '*' in function declarations
• basic/string-util: inline iterator variable declarations
• basic/string-util: simplify how str_realloc() is used
• basic/string-util: split out helper function
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition
• string-util: explicitly cast character to unsigned
• string-util: fix build error on aarch64
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers

This update for glibc fixes the following issues:

• Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
• i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
• Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

This update for dwarves and elfutils fixes the following issues:
elfutils was updated to version 0.177 (jsc#SLE-24501):

• elfclassify: New tool to analyze ELF objects.
• readelf: Print DW_AT_data_member_location as decimal offset. Decode DW_AT_discr_list block attributes.
• libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias.
• libdwelf: Add dwelf_elf_e_machine_string. dwelf_elf_begin now only returns NULL when there is an error reading or decompressing a file. If the file is not an ELF file an ELF handle of type ELF_K_NONE is returned.
• backends: Add support for C-SKY.

• build: Add new --enable-install-elfh option. Do NOT use this for system installs (it overrides glibc elf.h).
• backends: riscv improved core file and return value location support.
• Fixes: - CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007)

• libdw: Added new DWARF5 attribute, tag, character encoding, language code, calling convention, defaulted member function and macro constants to dwarf.h.

• backends: Add support for EM_PPC64 GNU_ATTRIBUTES. Frame pointer unwinding fallback support for i386, x86_64, aarch64.
• translations: Update Polish translation. - CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088) - CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084) - CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085) - CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090) - CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089)
• Don't make elfutils recommend elfutils-lang as elfutils-lang already supplements elfutils.

This update for apparmor fixes the following issues:

• Add new rule to fix reported 'DENIED' audit records with Apparmor profile 'usr.sbin.smbd' (bsc#1196850)
• Add new rule to allow reading of openssl.cnf (bsc#1195463)

This update for pcre2 fixes the following issues:

• CVE-2019-20454: Fixed out-of-bounds read in JIT mode when \X is used in non-UTF mode (bsc#1164384).
• CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for systemd-presets-common-SUSE fixes the following issues:

• CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

• Modify branding-preset-states to fix systemd-presets-common-SUSE not enabling new user systemd service preset configuration just as it handles system service presets. By passing an (optional) second parameter 'user', the save/apply-changes commands now work with user services instead of system ones (bsc#1200485)

• Add the wireplumber user service preset to enable it by default in SLE15-SP4 where it replaced pipewire-media-session, but keep pipewire-media-session preset so we don't have to branch the systemd-presets-common-SUSE package for SP4 (bsc#1200485)

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for systemd fixes the following issues:

• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• tmpfiles: check for the correct directory

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

SUSE-CU-2022:880-1

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issue:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
• When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one.
• Don't open /var journals in volatile mode when runtime_journal==NULL
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: ignore failures for auxiliary files
• install: make UnitFileChangeType enum anonymous
• shared/install: reduce scope of iterator variables
• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
• Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
• Drop or soften some of the deprecation warnings (bsc#1193086)

This update for lvm2 fixes the following issues:

• udev: create symlinks and watch even in suspended state (bsc#1195231)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for openldap2 fixes the following issues:

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for systemd-presets-common-SUSE fixes the following issue:

• enable vgauthd service for VMWare by default (bsc#1195251)

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

SUSE-CU-2022:326-1

This update for e2fsprogs fixes the following issues:
Security issues fixed:

• CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
• CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

• bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
• bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
• bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for openldap2 provides the following fix:

• Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

This update for libxml2 fixes the following security issues:

• CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
• CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
• CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

This update for aaa_base provides the following fixes:

• Let bash.bashrc work even for (m)ksh. (bsc#1104531)
• Fix an error at login if java system directory is empty. (bsc#1102310)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool - Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for aaa_base fixes the following issues:

• Restore old position of ssh/sudo source of profile (bsc#1118364).
• Update logic for JRE_HOME env variable (bsc#1128246)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for vim fixes the following issue:
Security issue fixed:

• CVE-2019-12735: Fixed a potential arbitrary code execution vulnerability in getchar.c (bsc#1137443).

This update for e2fsprogs fixes the following issues:

• Check and fix tails of all bitmap blocks (bsc#1128383)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
• CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
• CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
• CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
• CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
• CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
• CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
• CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
• CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

This update for dbus-1 fixes the following issues:
Security issue fixed:

• CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for libssh fixes the following issue:
Issue addressed:

• Added support for new AES-GCM encryption types (bsc#1134193).

This update for libgcrypt fixes the following issues:

• Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

This update for libgcrypt fixes the following issues:
Security issue fixed:

• CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

This update for libxml2 fixes the following issues:

• Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for libgcrypt fixes the following issues:

• Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

This update for zlib fixes the following issues:

• Update the s390 patchset. (bsc#1137624)
• Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
• Use FAT LTO objects in order to provide proper static library.
• Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
• Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

This update for aaa_base fixes the following issues:

• Make systemd detection cgroup oblivious. (bsc#1140647)

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for openldap2 fixes the following issues:
Security issue fixed:

• CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
• CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
• CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

• Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
• Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
• Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):

• net.ipv4.conf.all.accept_redirects
• net.ipv4.conf.default.accept_redirects
• net.ipv4.conf.default.accept_source_route
• net.ipv6.conf.all.accept_redirects
• net.ipv6.conf.default.accept_redirects

This update for expat fixes the following issues:
Security issues fixed:

• CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for e2fsprogs fixes the following issues:
Security issue fixed:

• CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

• libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for aaa_base provides the following fixes:

• Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
• Add s390x compressed kernel support. (bsc#1151023)
• service: Check if there is a second argument before using it. (bsc#1051143)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update for cpio fixes the following issues:

• CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past.

This update for e2fsprogs fixes the following issues:

• Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
• Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

This update for libgcrypt fixes the following issues:
Security issues fixed:

• CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

• Added CMAC AES self test (bsc#1155339).
• Added CMAC TDES self test missing (bsc#1155338).
• Fix test dsa-rfc6979 in FIPS mode.

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for aaa_base fixes the following issues:

• Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
• Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)