Container summary for ses/7.1/ceph/ceph

SUSE-CU-2024:154-1

This update for glibc fixes the following issues:

• nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
• Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
• elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
• elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
• ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
• add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

This update for binutils fixes the following issues:
Update to version 2.41 [jsc#PED-5778]:

• The MIPS port now supports the Sony Interactive Entertainment Allegrex processor, used with the PlayStation Portable, which implements the MIPS II ISA along with a single-precision FPU and a few implementation-specific integer instructions.
• Objdump's --private option can now be used on PE format files to display the fields in the file header and section headers.
• New versioned release of libsframe: libsframe.so.1. This release introduces versioned symbols with version node name LIBSFRAME_1.0. This release also updates the ABI in an incompatible way: this includes removal of sframe_get_funcdesc_with_addr API, change in the behavior of sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
• SFrame Version 2 is now the default (and only) format version supported by gas, ld, readelf and objdump.
• Add command-line option, --strip-section-headers, to objcopy and strip to remove ELF section header from ELF file.
• The RISC-V port now supports the following new standard extensions:

• The RISC-V port now supports the following vendor-defined extensions: - XVentanaCondOps
• Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
• A new .insn directive is recognized by x86 gas.
• Add SME2 support to the AArch64 port.
• The linker now accepts a command line option of --remap-inputs = to relace any input file that matches with . In addition the option --remap-inputs-file= can be used to specify a file containing any number of these remapping directives.
• The linker command line option --print-map-locals can be used to include local symbols in a linker map. (ELF targets only).
• For most ELF based targets, if the --enable-linker-version option is used then the version of the linker will be inserted as a string into the .comment section.
• The linker script syntax has a new command for output sections: ASCIZ 'string' This will insert a zero-terminated string at the current location.
• Add command-line option, -z nosectionheader, to omit ELF section header.

• Contains fixes for these non-CVEs (not security bugs per upstreams SECURITY.md): * bsc#1209642 aka CVE-2023-1579 aka PR29988 * bsc#1210297 aka CVE-2023-1972 aka PR30285 * bsc#1210733 aka CVE-2023-2222 aka PR29936 * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc) * bsc#1214565 aka CVE-2020-19726 aka PR26240 * bsc#1214567 aka CVE-2022-35206 aka PR29290 * bsc#1214579 aka CVE-2022-35205 aka PR29289 * bsc#1214580 aka CVE-2022-44840 aka PR29732 * bsc#1214604 aka CVE-2022-45703 aka PR29799 * bsc#1214611 aka CVE-2022-48065 aka PR29925 * bsc#1214619 aka CVE-2022-48064 aka PR29922 * bsc#1214620 aka CVE-2022-48063 aka PR29924 * bsc#1214623 aka CVE-2022-47696 aka PR29677 * bsc#1214624 aka CVE-2022-47695 aka PR29846 * bsc#1214625 aka CVE-2022-47673 aka PR29876

• This only existed only for a very short while in SLE-15, as the main variant in devel:gcc subsumed this in binutils-revert-rela.diff. Hence:

• Document fixed CVEs:

• Enable bpf-none cross target and add bpf-none to the multitarget set of supported targets.
• Disable packed-relative-relocs for old codestreams. They generate buggy relocations when binutils-revert-rela.diff is active. [bsc#1206556]
• Disable ZSTD debug section compress by default.
• Enable zstd compression algorithm (instead of zlib) for debug info sections by default.
• Pack libgprofng only for supported platforms.
• Move libgprofng-related libraries to the proper locations (packages).
• Add --without=bootstrap for skipping of bootstrap (faster testing of the package).

• Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

• Objdump has a new command line option --show-all-symbols which will make it display all symbols that match a given address when disassembling. (Normally only the first symbol that matches an address is shown).
• Add --enable-colored-disassembly configure time option to enable colored disassembly output by default, if the output device is a terminal. Note, this configure option is disabled by default.
• DCO signed contributions are now accepted.
• objcopy --decompress-debug-sections now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
• addr2line and objdump --dwarf now support zstd compressed debug sections.
• The dlltool program now accepts --deterministic-libraries and --non-deterministic-libraries as command line options to control whether or not it generates deterministic output libraries. If neither of these options are used the default is whatever was set when the binutils were configured.
• readelf and objdump now have a newly added option --sframe which dumps the SFrame section.
• Add support for Intel RAO-INT instructions.
• Add support for Intel AVX-NE-CONVERT instructions.
• Add support for Intel MSRLIST instructions.
• Add support for Intel WRMSRNS instructions.
• Add support for Intel CMPccXADD instructions.
• Add support for Intel AVX-VNNI-INT8 instructions.
• Add support for Intel AVX-IFMA instructions.
• Add support for Intel PREFETCHI instructions.
• Add support for Intel AMX-FP16 instructions.
• gas now supports --compress-debug-sections=zstd to compress debug sections with zstd.
• Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
• Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs, XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx, XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head ISA manual, which are implemented in the Allwinner D1.
• Add support for the RISC-V Zawrs extension, version 1.0-rc4.
• Add support for Cortex-X1C for Arm.
• New command line option --gsframe to generate SFrame unwind information on x86_64 and aarch64 targets.
• The linker has a new command line option to suppress the generation of any warning or error messages. This can be useful when there is a need to create a known non-working binary. The option is -w or --no-warnings.
• ld now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
• Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
• Remove support for -z bndplt (MPX prefix instructions).

• Includes fixes for these CVEs:

• Enable by default: --enable-colored-disassembly.
• fix build on x86_64_vX platforms

This update for python3 fixes the following issues:

• CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).

This update for nghttp2 fixes the following issues:

• CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).

This update for zypper fixes the following issues:

• Fix name of the bash completion script (bsc#1215007)
• Update notes about failing signature checks (bsc#1214395)
• Improve the SIGINT handler to be signal safe (bsc#1214292)
• Update to version 1.14.64
• Changed location of bash completion script (bsc#1213854).

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for curl fixes the following issues:

• CVE-2023-38546: Fixed a cookie injection with none file (bsc#1215889).

This update ships missing babeltrace-devel to the Basesystem module to allow building gdb source rpms. (bsc#1209275)

This update for python-urllib3 fixes the following issues:

• CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

This update for aaa_base fixes the following issues:

• Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

This update for suse-module-tools fixes the following issues:

• Updated to version 15.3.17:

• Updated to version 15.3.16:

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for nghttp2 fixes the following issues:

• CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This update for openssl-1_1 fixes the following issues:

• Displays 'fips' in the version string (bsc#1215215)

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update for python-urllib3 fixes the following issues:

• CVE-2023-45803: Fix a request body leak that could occur when receiving a 303 HTTP response (bsc#1216377).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

This update for libzypp, zypper fixes the following issues:

• Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
• Fix comment typo on zypp.conf (bsc#1215979)
• Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
• Make sure the old target is deleted before a new one is created (bsc#1203760)
• Return 104 also if info suggests near matches
• Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
• commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

This update for python-psutil, python-requests fixes the following issues:

• update python-psutil to 5.9.1 (bsc#1199282, bsc#1184753, jsc#SLE-24629, jsc#PM-3243, gh#giampaolo/psutil#2043)
• Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later.
• remove the dependency on net-tools, since it conflicts with busybox-hostnmame which is default on MicroOS

• Update python-requests to 2.25.1 (bsc#1176785, bsc#1170175, jsc#ECO-3105, jsc#PM-2352, jsc#PED-7192)
• Fixed bug with unintended Authorization header stripping for redirects using default ports (bsc#1111622).

This update of icu fixes the following issue:

• missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

This update for psmisc fixes the following issues:

• Fix version number when building the package

This update for gpg2 fixes the following issues:

• `dirmngr-client --validate` is broken for DER-encoded files (bsc#1217212)

This update for curl fixes the following issues:

• CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

This update for python-websocket-client fixes the following issues:

• Re-enable Python 3.6 to fix pip3 install (bsc#1215314)

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for openssh fixes the following issues:

• CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).

• Fix the 'no route to host' error when connecting via ProxyJump

This update for python-cryptography fixes the following issues:

• CVE-2023-49083: Fixed a NULL pointer dereference when loading certificates from a PKCS#7 bundle (bsc#1217592).

This update for curl fixes the following issues:

• libssh: Implement SFTP packet size limit (bsc#1216987)

This update for procps fixes the following issues:

• Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369)

• For support up to 2048 CPU as well (bsc#1185417)
• Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122)
• Get the first CPU summary correct (bsc#1121753)
• Enable pidof for SLE-15 as this is provided by sysvinit-tools
• Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build
• Do not truncate output of w with option -n
• Prefer logind over utmp (jsc#PED-3144)
• Don't install translated man pages for non-installed binaries (uptime, kill).
• Fix directory for Ukrainian man pages translations.
• Move localized man pages to lang package.

• Update to procps-ng-3.3.17

• Package translations in procps-lang.

• Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited.

• Enable pidof by default

• Update to procps-ng-3.3.16

This update for python-instance-billing-flavor-check fixes the following issues:

• Run the command as sudo only (bsc#1217696, bsc#1217695)
• Handle exception for Python 3.4

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

This update for ceph fixes the following issues:

• Fix build versioning to resolve installation conflicts (no source code changes)

SUSE-CU-2023:3073-1

This update for libzypp fixes the following issues:

• Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
• Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

This update for python3 fixes the following issues:

• CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).

• Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158).

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for yast2-pkg-bindings fixes the following issues:
libzypp was updated to version 17.31.14 (22):

• Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.
• build: honor libproxy.pc's includedir (bsc#1212222)

• targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
• targetos: Update help and man page (bsc#1211261)

• Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
• Selected products are not installed after resetting the package manager internally (bsc#1202234)

• Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

This update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets fixes the following issues:
grpc:

• Update in SLE-15 (bsc#1197726, bsc#1144068)

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331) * SECURITY ISSUE: Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. CVE-2020-36242

• update to 3.2 (bsc#1178168, CVE-2020-25659): * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability. * Support for OpenSSL 1.0.2 has been removed. * Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
• update to 3.3.2 (bsc#1198331)

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• update to 1.2.13:

• Update to 1.14.2

• Update to 1.6.0

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Update to 10.0

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Update to version 1.3.0

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Update to version 0.9.0

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Disable Python2 build
• Update to 0.8.0

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Initial build version 0.1.2

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Version update to 1.5.0

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• update to 5.9.1
• remove the dependency on net-tools, since it conflicts with busybox-hostnmame which is default on MicroOS. (bsc#1184753)
• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Update to 1.43.5:

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• Initial release of python-pytest-asyncio 0.8.0

• Include in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
• update to 9.1:

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

This update for python-requests fixes the following issues:

• CVE-2023-32681: Fixed unintended leak of Proxy-Authorization header (bsc#1211674).

This update for dbus-1 fixes the following issues:

• CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged users (bsc#1212126).

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for openssh fixes the following issues:

• CVE-2023-38408: Fixed a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408]

• Close the right filedescriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536]

• Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008]

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for nfs-utils fixes the following issues:

• SLE15-SP5 and earlier don't use /usr/lib/modprobe.d (bsc#1200710)
• Avoid unhelpful warnings (bsc#1157881)
• Fix rpc.nfsd man pages (bsc#1209859)
• Allow scope to be set in sysconfig: NFSD_SCOPE

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

• Update further expiring certificates that affect tests [bsc#1201627]

This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

This update for cryptsetup fixes the following issues:

• Handle system with low memory and no swap space (bsc#1211079)

This update for shadow fixes the following issues:

• Prevent lock files from remaining after power interruptions (bsc#1213189)
• Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

This update for python-apipkg provides python3-apipkg to SUSE Linux Enterprise Micro 5.2.

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for python-pyasn1 fixes the following issues:

• To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for binutils fixes the following issues:

• Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)

This update for gawk fixes the following issues:

• CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1

This update for icu fixes the following issues:

• Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)

This update for parted fixes the following issues:

• fix null pointer dereference (bsc#1193412)
• update mkpart options in manpage (bsc#1182142)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for lvm2 fixes the following issues:

• blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

This update for libzypp, zypper fixes the following issues:

• Fix occasional isue with downloading very small files (bsc#1213673)
• Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
• Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
• Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
• Revised explanation of --force-resolution in man page (bsc#1213557)
• Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

This update for python-iniconfig provides python3-iniconfig to SUSE Linux Enterprise Micro 5.2.

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

• Fixed parsing files correctly which have space characters AND none space characters as delimiters (bsc#1198165).

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

SUSE-CU-2023:1838-1

This update for nfs-utils fixes the following issues:

• Rename all drop-in options.conf files as 10-options.conf This makes it easier for other packages to over-ride with a drop-in with a later sequence number (bsc#1207843)
• Avoid modprobe errors when sysctl is not installed (bsc#1200710 bsc#1207022 bsc#1206781)
• Add '-S scope' option to rpc.nfsd to simplify fail-over cluster configuration (bsc#1203746)

This update for python-Werkzeug fixes the following issues:

• CVE-2023-25577: Fixed high resource usage when parsing multipart form data with many fields (bsc#1208283).

This update for sudo fixes the following issue:
Security fixes:

• CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362).
• CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361).

• Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483).
• Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201).

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

• Fix avx2 strncmp offset compare condition check (bsc#1208358)
• elf: Allow dlopen of filter object to work (bsc#1207571)
• powerpc: Fix unrecognized instruction errors with recent GCC
• x86: Cache computation for AMD architecture (bsc#1207957)

This update for systemd-presets-common-SUSE fixes the following issue:

• Enable systemd-pstore.service by default (jsc#PED-2663)

This update for smartmontools fixes the following issues:

• Fix `smartctl` issue affecting NVMe on big endian systems (bsc#1208905)

This update for python-cryptography fixes the following issues:

• CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for elfutils fixes the following issues:

• go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

This update for xmlsec1 fixes the following issue:

• Ship missing xmlsec1 to synchronize its version across different products (bsc#1201617)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for glib2 fixes the following issues:

• CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
• CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

• Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for openssh fixes the following issues:

• Remove some patches that cause invalid environment assignments (bsc#1207014).

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for python-packaging fixes the following issues:

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Add patch to fix testsuite on big-endian targets
• Ignore python3.6.2 since the test doesn't support it.
• update to 21.3: * Add a pp3-none-any tag * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion * Fix a spelling mistake

• update to 21.2: * Update documentation entry for 21.1. * Update pin to pyparsing to exclude 3.0.0. * PEP 656: musllinux support * Drop support for Python 2.7, Python 3.4 and Python 3.5 * Replace distutils usage with sysconfig * Add support for zip files * Use cached hash attribute to short-circuit tag equality comparisons * Specify the default value for the 'specifier' argument to 'SpecifierSet' * Proper keyword-only 'warn' argument in packaging.tags * Correctly remove prerelease suffixes from ~= check * Fix type hints for 'Version.post' and 'Version.dev' * Use typing alias 'UnparsedVersion' * Improve type inference * Tighten the return typeo

• Add Provides: for python*dist(packaging). (bsc#1186870)

• add no-legacyversion-warning.patch to restore compatibility with 20.4

• update to 20.9: * Add support for the ``macosx_10_*_universal2`` platform tags * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``

• update to 20.8: * Revert back to setuptools for compatibility purposes for some Linux distros * Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits * Fix flit configuration, to include LICENSE files * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag * Add some missing type hints to `packaging.requirements` * Officially support Python 3.9 * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes * Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string.

• update to 20.4: * Canonicalize version before comparing specifiers. * Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``. This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names.

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).

This update for libzypp, zypper fixes the following issues:

• Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
• multicurl: propagate ssl settings stored in repo url (bsc#1127591)
• MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Teach MediaNetwork to retry on HTTP2 errors.
• Fix selecting installed patterns from picklist (bsc#1209406)
• man: better explanation of --priority

This update for python-Flask fixes the following issues:

• CVE-2023-30861: Fixed a potential cookie confusion due to incorrect caching (bsc#1211246).

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for util-linux fixes the following issues:

• Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

This update for ceph, ceph-image, ceph-iscsi fixes the following issues:

• Update to 16.2.13-66-g54799ee0666: + (bsc#1199880) mgr: don't dump global config holding gil + (bsc#1209621) cephadm: fix NFS haproxy failover if active node disappears + (bsc#1210153) mgr/cephadm: fix handling of mgr upgrades with 3 or more mgrs + (bsc#1210243, bsc#1210314) ceph-volume: fix regression in activate + (bsc#1210719) cephadm: mount host /etc/hosts for daemon containers in podman deployments + (bsc#1210784) mgr/dashboard: Fix SSO error: 'str' object has no attribute 'decode' + (bsc#1210944) cmake: patch boost source to support python 3.11 + (bsc#1211090) fix FTBFS on s390x

• Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS.

• Update to 16.2.11-65-g8b7e6fc0182: + (bsc#1201088) test/librados: fix FTBFS on gcc 13 + (bsc#1208820) mgr/dashboard: allow to pass controls on iscsi disk create

• Update to 16.2.11-62-gce6291a3463: + (bsc#1201088) fix FTBFS on gcc 13

• Update to 16.2.13-66-g54799ee0666: + (bsc#1199880) mgr: don't dump global config holding gil + (bsc#1209621) cephadm: fix NFS haproxy failover if active node disappears + (bsc#1210153) mgr/cephadm: fix handling of mgr upgrades with 3 or more mgrs + (bsc#1210243, bsc#1210314) ceph-volume: fix regression in activate + (bsc#1210719) cephadm: mount host /etc/hosts for daemon containers in podman deployments + (bsc#1210784) mgr/dashboard: Fix SSO error: 'str' object has no attribute 'decode' + (bsc#1210944) cmake: patch boost source to support python 3.11 + (bsc#1211090) fix FTBFS on s390x

• Add _multibuild to define additional spec files as additional flavors. Eliminates the need for source package links in OBS.

• Update to 16.2.11-65-g8b7e6fc0182: + (bsc#1201088) test/librados: fix FTBFS on gcc 13 + (bsc#1208820) mgr/dashboard: allow to pass controls on iscsi disk create

• Update to 16.2.11-62-gce6291a3463: + (bsc#1201088) fix FTBFS on gcc 13

• Update to 3.5+1679292226.g8769429: + rbd-target-api: don't ignore controls on disk create (bsc#1208820)
• checkin.sh: default to ses7 branch

SUSE-CU-2023:798-1

This update for rpm fixes the following issues:

• Fix missing python(abi) for 3.XX versions (bsc#1207294)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for python-PyJWT fixes the following issues:

• CVE-2022-29217: Fixed Key confusion through non-blocklisted public key formats (bsc#1199756).

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• Update to 2.4.0 (bsc#1199756) - Explicit check the key for ECAlgorithm - Don't use implicit optionals - documentation fix: show correct scope - fix: Update copyright information - Don't mutate options dictionary in .decode_complete() - Add support for Python 3.10 - api_jwk: Add PyJWKSet.__getitem__ - Update usage.rst - Docs: mention performance reasons for reusing RSAPrivateKey when encoding - Fixed typo in usage.rst - Add detached payload support for JWS encoding and decoding - Replace various string interpolations with f-strings by

This update for python3 fixes the following issues:

• CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).

• Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).

This update for ceph fixes the following issues:
Security issues fixed:

• CVE-2022-0670: Fixed user/tenant read/write access to an entire file system (bsc#1201837).
• CVE-2022-3650: Fixed Python script that allowed privilege escalation from ceph to root (bsc#1204430).
• CVE-2022-3854: Fixed possible DoS issue in ceph URL processing on RGW backends (bsc#1205025).

• osd, tools, kv: non-aggressive, on-line trimming of accumulated dups (bsc#1199183).
• ceph-volume: fix fast device alloc size on mulitple device (bsc#1200262).
• cephadm: update monitoring container images (bsc#1200501).
• mgr/dashboard: prevent alert redirect (bsc#1200978).
• mgr/volumes: Add subvolumegroup resize cmd (bsc#1201797).
• monitoring/ceph-mixin: add RGW host to label info (bsc#1201976).
• mgr/dashboard: enable addition of custom Prometheus alerts (bsc#1202077).
• python-common: Add 'KB' to supported suffixes in SizeMatcher (bsc#1203375).
• mgr/dashboard: fix rgw connect when using ssl (bsc#1205436).
• ceph.spec.in: Add -DFMT_DEPRECATED_OSTREAM to CXXFLAGS (bsc#1202292).
• cephfs-shell: move source to separate subdirectory (bsc#1201604).

• mgr/cephadm: try to get FQDN for configuration files (bsc#1196046).
• When an RBD is mapped, it is attempted to be deployed as an OSD. (bsc#1187748).
• OSD marked down causes wrong backfill_toofull (bsc#1188911).
• cephadm: Fix iscsi client caps (allow mgr calls) (bsc#1192838).
• mgr/cephadm: fix and improve osd draining (bsc#1200317).
• add iscsi and nfs to upgrade process (bsc#1206158).
• mgr/mgr_module.py: CLICommand: Fix parsing of kwargs arguments (bsc#1192840).

SUSE-CU-2023:629-1

This update for python-cryptography, python-cryptography-vectors fixes the following issues:

• Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

• CVE-2020-36242: Fixed a bug where certain sequences of update() calls could result in integer overflow (bsc#1182066).
• CVE-2020-25659: Fixed Bleichenbacher vulnerabilities (bsc#1178168).

• update to 3.3.2 (bsc#1198331)

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

This update for libxslt fixes the following issues:

• CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

SUSE-CU-2023:500-1

This update for python-waitress fixes the following issues:

• CVE-2022-24761: Fixed a bug to avoid inconsistent interpretation of HTTP requests leading to request smuggling. (bsc#1197255)

This update for buildah fixes the following issues:

• CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
• CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
• CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

• run: add container gid to additional groups

• Add fix for CVE-2022-2990 / bsc#1202812

• Don't try to call runLabelStdioPipes if spec.Linux is not set
• build: support filtering cache by duration using --cache-ttl
• build: support building from commit when using git repo as build context
• build: clean up git repos correctly when using subdirs
• integration tests: quote '?' in shell scripts
• test: manifest inspect should have OCIv1 annotation
• vendor: bump to c/common@87fab4b7019a
• Failure to determine a file or directory should print an error
• refactor: remove unused CommitOptions from generateBuildOutput
• stage_executor: generate output for cases with no commit
• stage_executor, commit: output only if last stage in build
• Use errors.Is() instead of os.Is{Not,}Exist
• Minor test tweak for podman-remote compatibility
• Cirrus: Use the latest imgts container
• imagebuildah: complain about the right Dockerfile
• tests: don't try to wrap `nil` errors
• cmd/buildah.commitCmd: don't shadow 'err'
• cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
• Fix a copy/paste error message
• Fix a typo in an error message
• build,cache: support pulling/pushing cache layers to/from remote sources
• Update vendor of containers/(common, storage, image)
• Rename chroot/run.go to chroot/run_linux.go
• Don't bother telling codespell to skip files that don't exist
• Set user namespace defaults correctly for the library
• imagebuildah: optimize cache hits for COPY and ADD instructions
• Cirrus: Update VM images w/ updated bats
• docs, run: show SELinux label flag for cache and bind mounts
• imagebuildah, build: remove undefined concurrent writes
• bump github.com/opencontainers/runtime-tools
• Add FreeBSD support for 'buildah info'
• Vendor in latest containers/(storage, common, image)
• Add freebsd cross build targets
• Make the jail package build on 32bit platforms
• Cirrus: Ensure the build-push VM image is labeled
• GHA: Fix dynamic script filename
• Vendor in containers/(common, storage, image)
• Run codespell
• Remove import of github.com/pkg/errors
• Avoid using cgo in pkg/jail
• Rename footypes to fooTypes for naming consistency
• Move cleanupTempVolumes and cleanupRunMounts to run_common.go
• Make the various run mounts work for FreeBSD
• Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
• Move runSetupRunMounts to run_common.go
• Move cleanableDestinationListFromMounts to run_common.go
• Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
• Move setupMounts and runSetupBuiltinVolumes to run_common.go
• Tidy up - runMakeStdioPipe can't be shared with linux
• Move runAcceptTerminal to run_common.go
• Move stdio copying utilities to run_common.go
• Move runUsingRuntime and runCollectOutput to run_common.go
• Move fileCloser, waitForSync and contains to run_common.go
• Move checkAndOverrideIsolationOptions to run_common.go
• Move DefaultNamespaceOptions to run_common.go
• Move getNetworkInterface to run_common.go
• Move configureEnvironment to run_common.go
• Don't crash in configureUIDGID if Process.Capabilities is nil
• Move configureUIDGID to run_common.go
• Move runLookupPath to run_common.go
• Move setupTerminal to run_common.go
• Move etc file generation utilities to run_common.go
• Add run support for FreeBSD
• Add a simple FreeBSD jail library
• Add FreeBSD support to pkg/chrootuser
• Sync call signature for RunUsingChroot with chroot/run.go
• test: verify feature to resolve basename with args
• vendor: bump openshift/imagebuilder to master@4151e43
• GHA: Remove required reserved-name use
• buildah: set XDG_RUNTIME_DIR before setting default runroot
• imagebuildah: honor build output even if build container is not commited
• chroot: honor DefaultErrnoRet
• [CI:DOCS] improve pull-policy documentation
• tests: retrofit test since --file does not supports dir
• Switch to golang native error wrapping
• BuildDockerfiles: error out if path to containerfile is a directory
• define.downloadToDirectory: fail early if bad HTTP response
• GHA: Allow re-use of Cirrus-Cron fail-mail workflow
• add: fail on bad http response instead of writing to container
• [CI:DOCS] Update buildahimage comment
• lint: inspectable is never nil
• vendor: c/common to common@7e1563b
• build: support OCI hooks for ephemeral build containers
• [CI:BUILD] Install latest buildah instead of compiling
• Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
• Make sure cpp is installed in buildah images
• demo: use unshare for rootless invocations
• buildah.spec.rpkg: initial addition
• build: fix test for subid 4
• build, userns: add support for --userns=auto
• Fix building upstream buildah image
• Remove redundant buildahimages-are-sane validation
• Docs: Update multi-arch buildah images readme
• Cirrus: Migrate multiarch build off github actions
• retrofit-tests: we skip unused stages so use stages
• stage_executor: dont rely on stage while looking for additional-context
• buildkit, multistage: skip computing unwanted stages
• More test cleanup
• copier: work around freebsd bug for 'mkdir /'
• Replace $BUILDAH_BINARY with buildah() function
• Fix up buildah images
• Make util and copier build on FreeBSD
• Vendor in latest github.com/sirupsen/logrus
• Makefile: allow building without .git
• run_unix: don't return an error from getNetworkInterface
• run_unix: return a valid DefaultNamespaceOptions
• Update vendor of containers/storage
• chroot: use ActKillThread instead of ActKill
• use resolvconf package from c/common/libnetwork
• update c/common to latest main
• copier: add `NoOverwriteNonDirDir` option
• Sort buildoptions and move cli/build functions to internal
• Fix TODO: de-spaghettify run mounts
• Move options parsing out of build.go and into pkg/cli
• [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
• build, multiarch: support splitting build logs for --platform
• [CI:BUILD] WIP Cleanup Image Dockerfiles
• cli remove stutter
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• Fix use generic/ambiguous DEBUG name
• Cirrus: use Ubuntu 22.04 LTS
• Fix codespell errors
• Remove util.StringInSlice because it is defined in containers/common
• buildah: add support for renaming a device in rootless setups
• squash: never use build cache when computing last step of last stage
• Update vendor of containers/(common, storage, image)
• buildkit: supports additionalBuildContext in builds via --build-context
• buildah source pull/push: show progress bar
• run: allow resuing secret twice in different RUN steps
• test helpers: default to being rootless-aware
• Add --cpp-flag flag to buildah build
• build: accept branch and subdirectory when context is git repo
• Vendor in latest containers/common
• vendor: update c/storage and c/image
• Fix gentoo install docs
• copier: move NSS load to new process
• Add test for prevention of reusing encrypted layers
• Make `buildah build --label foo` create an empty 'foo' label again

• build, multiarch: support splitting build logs for --platform
• copier: add `NoOverwriteNonDirDir` option
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• buildkit: supports additionalBuildContext in builds via --build-context
• Add --cpp-flag flag to buildah build

• define.downloadToDirectory: fail early if bad HTTP response
• add: fail on bad http response instead of writing to container
• squash: never use build cache when computing last step of last stage
• run: allow resuing secret twice in different RUN steps
• integration tests: update expected error messages
• integration tests: quote '?' in shell scripts
• Use errors.Is() to check for storage errors
• lint: inspectable is never nil
• chroot: use ActKillThread instead of ActKill
• chroot: honor DefaultErrnoRet
• Set user namespace defaults correctly for the library
• contrib/rpm/buildah.spec: fix `rpm` parser warnings

• Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

• buildah: add support for renaming a device in rootless setups

• Make `buildah build --label foo` create an empty 'foo' label again
• imagebuildah,build: move deepcopy of args before we spawn goroutine
• Vendor in containers/storage v1.40.2
• buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
• help output: get more consistent about option usage text
• Handle OS version and features flags
• buildah build: --annotation and --label should remove values
• buildah build: add a --env
• buildah: deep copy options.Args before performing concurrent build/stage
• test: inline platform and builtinargs behaviour
• vendor: bump imagebuilder to master/009dbc6
• build: automatically set correct TARGETPLATFORM where expected
• Vendor in containers/(common, storage, image)
• imagebuildah, executor: process arg variables while populating baseMap
• buildkit: add support for custom build output with --output
• Cirrus: Update CI VMs to F36
• fix staticcheck linter warning for deprecated function
• Fix docs build on FreeBSD
• copier.unwrapError(): update for Go 1.16
• copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
• copier.Put(): write to read-only directories
• Ed's periodic test cleanup
• using consistent lowercase 'invalid' word in returned err msg
• use etchosts package from c/common
• run: set actual hostname in /etc/hostname to match docker parity
• Update vendor of containers/(common,storage,image)
• manifest-create: allow creating manifest list from local image
• Update vendor of storage,common,image
• Initialize network backend before first pull
• oci spec: change special mount points for namespaces
• tests/helpers.bash: assert handle corner cases correctly
• buildah: actually use containers.conf settings
• integration tests: learn to start a dummy registry
• Fix error check to work on Podman
• buildah build should accept at most one arg
• tests: reduce concurrency for flaky bud-multiple-platform-no-run
• vendor in latest containers/common,image,storage
• manifest-add: allow override arch,variant while adding image
• Remove a stray `\` from .containerenv
• Vendor in latest opencontainers/selinux v1.10.1
• build, commit: allow removing default identity labels
• Create shorter names for containers based on image IDs
• test: skip rootless on cgroupv2 in root env
• fix hang when oci runtime fails
• Set permissions for GitHub actions
• copier test: use correct UID/GID in test archives
• run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

This update for permissions fixes the following issues:

• Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137)
• Fix regression introduced by backport of security fix (bsc#1203911)

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111). - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112). - CVE-2022-42012: Fixed a use-after-free that could be trigged by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
• Fix memory leaks (bsc#1203046)

This update for openssh fixes the following issue:

• Prevent empty messages from being sent. (bsc#1192439)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for protobuf fixes the following issues:

• CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
• CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
• CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

This update for python-rsa fixes the following issues:
- CVE-2020-25658: Fixed bleichenbacher timing oracle attack against RSA decryption (bsc#1178676).

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• Fix file conflict during upgrade (bsc#1204211)
• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for python-Mako fixes the following issues:
- CVE-2022-40023: Fixed regular expression Denial of Service when using the Lexer class to parse (bsc#1203246).

This update fixes for python3-apipkg the following issues:

This update for nfs-utils fixes the following issues:

• Fix nfsdcltrack bug that affected non-x86 archs (bsc#1202627)
• Ensure sysctl setting work (bsc#1199856)

This update for python-cryptography, python-cryptography-vectors fixes the following issues:

• Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)
• Refresh patches for new version
• Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)
• update to 2.9.2 * 2.9.2 - 2020-04-22 - Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15. * 2.9.1 - 2020-04-21 - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1g. * 2.9 - 2020-04-02 - BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden. - BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade. - BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed. - Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format. - BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514. - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1f. - Added support for parsing single_extensions in an OCSP response. - NameAttribute values can now be empty strings.

• Add openSSL_111d.patch to make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.

• bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in finalize_with_tag API
• Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)
• Include in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)
• update to 2.9.2: * updated vectors for the cryptography 2.9.2 testing

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2 * 8a70235d8a core: Add trigger limit for path units * 93e544f3a0 core/mount: also add default before dependency for automount mount units * 5916a7748c logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179).

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for sudo fixes the following issues:

• CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a passwor dof seven characters or fewer and using the crypt() password backend (bsc#1204986).

• Fix wrong information output in the error message (bsc#1190818).
• Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201).

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for binutils fixes the following issues:
The following security bugs were fixed:

• CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
• CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
• CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
• CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
• CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
• CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
• CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
• CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
• CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
• CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).

• SLE toolchain update of binutils, update to 2.39 from 2.37.
• Update to 2.39: * The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set. These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions. The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary. * The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance to the Package Metadata specification. * In linker scripts it is now possible to use TYPE= in an output section description to set the section type value. * The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. (Currently: AVR, RiscV, s390, x86, x86_64). * The nm program now supports a --no-weak/-W option to make it ignore weak symbols. * The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links. * The objcopy program's --weaken, --weaken-symbol, and --weaken-symbols options now works with unique symbols as well.

• Update to 2.38: * elfedit: Add --output-abiversion option to update ABIVERSION. * Add support for the LoongArch instruction set. * Tools which display symbols or strings (readelf, strings, nm, objdump) have a new command line option which controls how unicode characters are handled. By default they are treated as normal for the tool. Using --unicode=locale will display them according to the current locale. Using --unicode=hex will display them as hex byte values, whilst --unicode=escape will display them as escape sequences. In addition using --unicode=highlight will display them as unicode escape sequences highlighted in red (if supported by the output device). * readelf -r dumps RELR relative relocations now. * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been added to objcopy in order to enable UEFI development using binutils. * ar: Add --thin for creating thin archives. -T is a deprecated alias without diagnostics. In many ar implementations -T has a different meaning, as specified by X/Open System Interface. * Add support for AArch64 system registers that were missing in previous releases. * Add support for the LoongArch instruction set. * Add a command-line option, -muse-unaligned-vector-move, for x86 target to encode aligned vector move as unaligned vector move. * Add support for Cortex-R52+ for Arm. * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64. * Add support for Cortex-A710 for Arm. * Add support for Scalable Matrix Extension (SME) for AArch64. * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the assembler what to when it encoutners multibyte characters in the input. The default is to allow them. Setting the option to 'warn' will generate a warning message whenever any multibyte character is encountered. Using the option to 'warn-sym-only' will make the assembler generate a warning whenever a symbol is defined containing multibyte characters. (References to undefined symbols will not generate warnings). * Outputs of .ds.x directive and .tfloat directive with hex input from x86 assembler have been reduced from 12 bytes to 10 bytes to match the output of .tfloat directive. * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in AArch64 GAS. * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS. * Add support for Intel AVX512_FP16 instructions. * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF linker to pack relative relocations in the DT_RELR section. * Add support for the LoongArch architecture. * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF linker to control canonical function pointers and copy relocation. * Add --max-cache-size=SIZE to set the the maximum cache size to SIZE bytes.
• Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
• Add gprofng subpackage.
• Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
• Add back fix for bsc#1191473, which got lost in the update to 2.38.
• Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
• Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

This update for nfsidmap fixes the following issues:

• Various bugfixes and improvemes from upstream In particular, fixed a crash that can happen when a 'static' mapping is configured. (bsc#1200901)

This update for rpm fixes the following issues:

• Strip critical bit in signature subpackage parsing
• No longer deadlock DNF after pubkey import (bsc#1202750)

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for lvm2 fixes the following issues:

• Design changes to avoid kernel panic (bsc#1198523)
• Fix device-mapper rpm package versioning to prevent migration issues (bsc#1199074)
• killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216)

This update for python3 fixes the following issues:

• CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577)
• CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125)

• Fixed a crash in the garbage collection (bsc#1188607).

This update for libxslt fixes the following issues:

• Fix broken license symlink for libxslt-tools (bsc#1203669)

This update for sudo fixes the following issues:

• Change sudo-ldap schema from ASCII to UTF8 to fix a regression introduced in a previous maintenance update (bsc#1197998)

This update for openssh fixes the following issues:

• Make ssh connections update their dbus environment (bsc#1179465): * Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).
• Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
• Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for sudo fixes the following issues:

• CVE-2023-22809: Fixed an arbitrary file write issue that could be exploited by users with sudoedit permissions (bsc#1207082).

This update for python-certifi fixes the following issues:

• remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle certs (bsc#1206212 CVE-2022-23491) - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1
• Add removeTrustCor.patch

This update for util-linux fixes the following issues:

• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).
• Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist.
• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

This update for python-py fixes the following issues:

• CVE-2022-42969: Fixed an excessive resource consumption that could be triggered when interacting with a Subversion repository containing crated data (bsc#1204364).

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

This update for permissions fixes the following issues:
Update to version 20181225:

• Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for python-setuptools fixes the following issues:

• CVE-2022-40897: Fixed an excessive CPU usage that could be triggered by fetching a malicious HTML document (bsc#1206667).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
• FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

This update for python3 fixes the following issues:
- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).
Bugfixes:
- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).

SUSE-CU-2022:2688-1

SUSE-CU-2022:2687-1

This update for rpm fixes the following issues:

• Support Ed25519 RPM signatures [jsc#SLE-24714]

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

• Added:

• Removed:

• Added:

• Removed:

• Added:

• Added new root CAs:

• Removed old root CAs:

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

This update for python3 fixes the following issues:

• CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2085-1

This update for aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures fixes the following issues:

• Update in SLE-15 (bsc#1196696, bsc#1195916, jsc#SLE-23972)

• Remove redundant python3 dependency from Requires
• Update regular expression to fix python shebang
• Style is enforced upstream and triggers unnecessary build version requirements
• Allow specifying fs_id in cloudwatch log group name
• Includes fix for stunnel path
• Added hardening to systemd service(s).
• Raise minimal pytest version
• Fix typo in the ansi2html Requires
• Cleanup with spec-cleaner
• Make sure the tests are really executed
• Remove useless devel dependency
• Multiprocessing support in Python 3.8 was broken, but is now fixed
• Bumpy the URL to point to github rather than to docs

This update for python-iniconfig provides the following fix:

• Ship python3-iniconfig also to openSUSE 15.3 and 15.4 (bsc#1202498)

This update for systemd-presets-common-SUSE fixes the following issues:

• CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

• Modify branding-preset-states to fix systemd-presets-common-SUSE not enabling new user systemd service preset configuration just as it handles system service presets. By passing an (optional) second parameter 'user', the save/apply-changes commands now work with user services instead of system ones (bsc#1200485)

• Add the wireplumber user service preset to enable it by default in SLE15-SP4 where it replaced pipewire-media-session, but keep pipewire-media-session preset so we don't have to branch the systemd-presets-common-SUSE package for SP4 (bsc#1200485)

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for python-lxml fixes the following issues:

• CVE-2022-2309: Fixed NULL pointer dereference due to state leak between parser runs (bsc#1201253).

This update for systemd fixes the following issues:

• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• tmpfiles: check for the correct directory

This feature update for LibreOffice provides the following fixes:
abseil-cpp:

• Provide abseil-cpp version 20211102.0 as LibreOffice 7.3 dependency. (jsc#SLE-23447)
• Mention already fixed issues. (fate#326485, bsc#1041090)

• Provide libcuckoo version 0.3 as LibreOffice dependency. (jsc#SLE-23447)

• Update libixion from version 0.16.1 to version 0.17.0. (jsc#SLE-23447)
• Build with mdds-2_0 instead of mdds-1.5. (jsc#SLE-23447)
• Build with gcc11 and gcc11-c++. (jsc#SLE-23447)
• Remove unneeded vulkan dependency
• Provide binaries for non x86_64 architectures directly to SUSE Package Hub. (ijsc#MSC-303)

• Update LibreOffice from version 7.2.5.1 to version 7.3.3.1. (jsc#SLE-23447, jsc#SLE-24021) * Update bundled dependencies: * gpgme from version 1.13.1 to version 1.16.0 * libgpg-error from version 1.37 to version 1.43 * libassuan from version 2.5.3 to version 2.5.5 * pdfium from version 4500 to version 4699 * skia from version m90-45c57e116ee0ce214bdf78405a4762722e4507d9 to version m97-a7230803d64ae9d44f4e1282444801119a3ae967 * boost from version 1_75 to version 1_77 * icu4c from version 69_1 to version 70_1 * On SUSE Linux Enterprise 15 SP3 and newer require curl-devel 7.68.0 or newer * New build dependencies: * abseil-cpp-devel * libassuan0 * libcuckoo-devel * libopenjp2 * requrire liborcus-0.17 instead of liborcus-0.16 * requrire mdds-2.0 instead of mdds-1.5 * Do not use serf-1 anymore but use curl instead. * Other fixes: * Extraneous/missing lines in table in Impress versus PowerPoint (bsc#1192616) * Text with tabs appears quite different in Impress than in PowerPoint (bsc#1196212) * Bullets appear larger and green instead of black. (bsc#1195881) * Enable gtk3_kde5 and make it possible to use gtk3 in kde with the kde filepicker (bsc#1197017) * Mention already fixed issues. (bsc#1183308, bsc#1196017, bsc#1196499)

• Update liborcus from version 0.16.1 to version 0.17.2. (jsc#SLE-23447)
• Require mdds-2_0 instead of mdds-1.5. (jsc#SLE-23447)
• Require libixion-0.17 instead of libixion-0.16. (jsc#SLE-23447)
• Build with libtool and use autotools. (jsc#SLE-23447)
• Provide binaries for non x86_64 architectures directly to SUSE Package Hub. (ijsc#MSC-303)

• Provide mdds-2_0 version 2.0.2 as LibreOffice dependency. (jsc#SLE-23447)

• Provide binaries for non x86_64 architectures directly to SUSE Package Hub. (ijsc#MSC-303)
• There are no visible changes for the final user.

• Provide binaries for non x86_64 architectures directly to SUSE Package Hub. (ijsc#MSC-303)
• There are no visible changes for the final user.

• Provide binaries for non x86_64 architectures directly to SUSE Package Hub. (ijsc#MSC-303)
• There are no visible changes for the final user.

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for python-iniconfig provides the following fix:

• Ship missing python2-iniconfig to openSUSE 15.3 (bsc#1202498)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This feature update for python-kubernetes provides:

• Deliver python3-kubernetes to the Containers Module 15 SP4. (jsc#SLE-17904, MSC-443) * Deliver python3-google-auth to Basesystem Module 15 SP4 as dependency of python3-kubernetes. * Deliver python3-cachetools to Basesystem Module 15 SP4 as dependency of python3-google-auth.
• There are no visible changes for the final user.

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

This update for python-pytz fixes the following issues:

• update to 2022.1: matches tzdata 2022a

• declare python 3.10 compatibility

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for icu fixes the following issues:

• CVE-2020-21913: Fixed a memory safetey issue that could lead to use after free (bsc#1193951).

SUSE-CU-2022:1852-1

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issue:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for nfs-utils fixes the following issues:

• Ensure `sloppy` is added correctly for newer kernels. (bsc#1197297) * This is required for kernels since 5.6 (like in SUSE Linux Enterprise 15 SP4), and it's safe for all kernels.
• Fix the source build with new `glibc` like in SUSE Linux Enterprise 15 SP4. (bsc#1197788)

This update for tcmu-runner fixes the following issues:

• fix g_object_unref: assertion 'G_IS_OBJECT (object)' failed. (bsc#1196787)

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
• When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one.
• Don't open /var journals in volatile mode when runtime_journal==NULL
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: ignore failures for auxiliary files
• install: make UnitFileChangeType enum anonymous
• shared/install: reduce scope of iterator variables
• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
• Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
• Drop or soften some of the deprecation warnings (bsc#1193086)

This update for lvm2 fixes the following issues:

• udev: create symlinks and watch even in suspended state (bsc#1195231)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for openldap2 fixes the following issues:

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for glib2-branding fixes the following issues:

• Change the default `LibreOffice Startcenter` entry to `libreoffice-startcenter.desktop` and provide the missing favorite link. (bsc#1195836)

This update for systemd-presets-common-SUSE fixes the following issue:

• enable vgauthd service for VMWare by default (bsc#1195251)

This update for binutils fixes the following issues:

• The official name IBM z16 for IBM zSeries arch14 is recognized. (bsc#1198237)

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for psmisc fixes the following issues:

• Add a fallback if the system call name_to_handle_at() is not supported by the used file system.
• Replace the synchronizing over pipes of the sub process for the stat(2) system call with mutex and conditions from pthreads(7) (bsc#1194172)
• Use statx(2) or SYS_statx system call to replace the stat(2) system call and avoid the sub process (bsc#1194172)

This update for gzip fixes the following issues:

• CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

This update for python-python3-saml fixes the following issues:

• Update expiry dates for responses. (bsc#1197846)

This update for systemd fixes the following issues:

• tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
• journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
• tmpfiles: constify item_compatible() parameters
• test tmpfiles: add a test for 'w+'
• test: add test checking tmpfiles conf file precedence
• journald: make use of CLAMP() in cache_space_refresh()
• journal-file: port journal_file_open() to openat_report_new()
• fs-util: make sure openat_report_new() initializes return param also on shortcut
• fs-util: fix typos in comments
• fs-util: add openat_report_new() wrapper around openat()

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libcbor fixes the following issues:

• Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4

This update for python-rtslib-fb fixes the following issues:

• Update parameters description.
• Enable the 'disable_emulate_legacy_capacity' parameter. (bsc#1199090)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for oath-toolkit fixes the following issues:

• Fix build issues occurring on SUSE Linux Enterprise 15 Service Pack 4 (bsc#1197790)

This update for leveldb fixes the following issue:

• fix tests (bsc#1197742)

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for binutils fixes the following issues:

• Revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422]
• Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

This update for ceph-iscsi fixes the following issues:

• Update to 3.5+1655410541.gf482c7a. + Improve werkzeug version checking (bsc#1198435)

This update for binutils fixes the following issues:

• For building the shim 15.6~rc1 and later versions aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for systemd-presets-branding-SLE fixes the following issues:

• Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

This update for curl fixes the following issues:

• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for python3 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for python-PyJWT fixes the following issues:

• CVE-2022-29217: Fixed key confusion through non-blocklisted public key format (bsc#1199756).

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• Call pam_loginuid when creating user@.service (bsc#1198507)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit
• Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'
• basic/env-util: (mostly) follow POSIX for what variable names are allowed
• basic/env-util: make function shorter
• basic/escape: add mode where empty arguments are still shown as ''
• basic/escape: always escape newlines in shell_escape()
• basic/escape: escape control characters, but not utf-8, in shell quoting
• basic/escape: use consistent location for '*' in function declarations
• basic/string-util: inline iterator variable declarations
• basic/string-util: simplify how str_realloc() is used
• basic/string-util: split out helper function
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition
• string-util: explicitly cast character to unsigned
• string-util: fix build error on aarch64
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers