-----------------------------------------
Version 2.7 2023-09-21T09:00:30
-----------------------------------------
Patch: SUSE-2018-1332
Released: Tue Jul 17 09:01:19 2018
Summary: Recommended update for timezone
Severity: moderate
References: 1073299,1093392
Description:
This update for timezone provides the following fixes:
- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used
in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd
timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid
setting an incorrect timezone. (bsc#1093392)
-----------------------------------------
Patch: SUSE-2018-2463
Released: Thu Oct 25 14:48:34 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1112310
Description:
This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:
- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates
Other bugfixes:
- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)
-----------------------------------------
Patch: SUSE-2018-2550
Released: Wed Oct 31 16:16:56 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1113554
Description:
This update provides the latest time zone definitions (2018g), including the following change:
- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
-----------------------------------------
Patch: SUSE-2018-2569
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Severity: moderate
References: 1110700
Description:
This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------
Patch: SUSE-2018-2607
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:
The GNU Compiler GCC 8 is being added to the Development Tools Module by this
update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed,
quite some new warnings added and the error pin-pointing and
fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------
Patch: SUSE-2018-2798
Released: Wed Nov 28 07:48:35 2018
Summary: Recommended update for make
Severity: moderate
References: 1100504
Description:
This update for make fixes the following issues:
- Use a non-blocking read with pselect to avoid hangs (bsc#1100504)
-----------------------------------------
Patch: SUSE-2018-2825
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Severity: important
References: 1115640,CVE-2018-17953
Description:
This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
-----------------------------------------
Patch: SUSE-2018-2861
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Severity: important
References: 1103320,1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issues:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
Non-security issue fixed:
- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
-----------------------------------------
Patch: SUSE-2019-6
Released: Wed Jan 2 20:25:25 2019
Summary: Recommended update for gcc7
Severity: moderate
References: 1099119,1099192
Description:
GCC 7 was updated to the GCC 7.4 release.
- Fix AVR configuration to not use __cxa_atexit or libstdc++ headers.
Point to /usr/avr/sys-root/include as system header include directory.
- Includes fix for build with ISL 0.20.
- Pulls fix for libcpp lexing bug on ppc64le manifesting during
build with gcc8. [bsc#1099119]
- Pulls fix for forcing compile-time tuning even when building
with -march=z13 on s390x. [bsc#1099192]
- Fixes support for 32bit ASAN with glibc 2.27+
-----------------------------------------
Patch: SUSE-2019-44
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:
- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)
-----------------------------------------
Patch: SUSE-2019-102
Released: Tue Jan 15 18:02:58 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:
- Update 2018i:
São Tomé and PrÃncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
Metlakatla, Alaska observes PST this winter only
Guess Morocco will continue to adjust clocks around Ramadan
Add predictions for Iran from 2038 through 2090
-----------------------------------------
Patch: SUSE-2019-247
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Severity: moderate
References: 1123043,CVE-2019-6706
Description:
This update for lua53 fixes the following issues:
Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
-----------------------------------------
Patch: SUSE-2019-571
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in
readelf.c, which allowed remote attackers to cause a denial of service
(application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
(bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c
(bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
(bsc#1126117)
-----------------------------------------
Patch: SUSE-2019-790
Released: Thu Mar 28 12:06:17 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:
timezone was updated 2019a:
* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data
-----------------------------------------
Patch: SUSE-2019-905
Released: Mon Apr 8 16:48:02 2019
Summary: Recommended update for gcc
Severity: moderate
References: 1096008
Description:
This update for gcc fixes the following issues:
- Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008)
-----------------------------------------
Patch: SUSE-2019-926
Released: Wed Apr 10 16:33:12 2019
Summary: Security update for tar
Severity: moderate
References: 1120610,1130496,CVE-2018-20482,CVE-2019-9923
Description:
This update for tar fixes the following issues:
Security issues fixed:
- CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
- CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).
-----------------------------------------
Patch: SUSE-2019-1105
Released: Tue Apr 30 12:10:58 2019
Summary: Recommended update for gcc7
Severity: moderate
References: 1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738
Description:
This update for gcc7 fixes the following issues:
Update to gcc-7-branch head (r270528).
- Disables switch jump-tables when retpolines are used. This restores
some lost performance for kernel builds with retpolines. (bsc#1131264,
jsc#SLE-6738)
- Fix ICE compiling tensorflow on aarch64. (bsc#1129389)
- Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fix for s390x FP load-and-test issue. (bsc#1124644)
- Improve build reproducability by disabling address-space randomization
during build.
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842)
-----------------------------------------
Patch: SUSE-2019-1368
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Severity: important
References: 1134524,CVE-2019-5021
Description:
This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:
- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------
Patch: SUSE-2019-1631
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Severity: low
References: 1135709
Description:
This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma,
xz, xzdec, lzmadec, documentation, translated messages, tests,
debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------
Patch: SUSE-2019-1815
Released: Thu Jul 11 07:47:55 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1140016
Description:
This update for timezone fixes the following issues:
- Timezone update 2019b. (bsc#1140016):
- Brazil no longer observes DST.
- 'zic -b slim' outputs smaller TZif files.
- Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
- Add info about the Crimea situation.
-----------------------------------------
Patch: SUSE-2019-2702
Released: Wed Oct 16 18:41:30 2019
Summary: Security update for gcc7
Severity: moderate
References: 1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847
Description:
This update for gcc7 to r275405 fixes the following issues:
Security issues fixed:
- CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145).
Non-security issue fixed:
- Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487).
-----------------------------------------
Patch: SUSE-2019-2762
Released: Thu Oct 24 07:08:44 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description:
This update for timezone fixes the following issues:
- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.
-----------------------------------------
Patch: SUSE-2019-2779
Released: Thu Oct 24 16:57:42 2019
Summary: Security update for binutils
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
Description:
This update for binutils fixes the following issues:
binutils was updated to current 2.32 branch [jsc#ECO-368].
Includes following security fixes:
- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
(bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).
Update to binutils 2.32:
* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
encoding of VEX.W-ignored (WIG) VEX instructions.
It also has a new -mx86-used-note=[yes|no] option to generate (or
not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
the Loongson EXTensions (EXT) instructions, the Loongson Content
Address Memory (CAM) ASE and the Loongson MultiMedia extensions
Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
limit on the maximum amount of recursion that is allowed whilst
demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
specifying the starting symbol for disassembly. Disassembly will
continue from this symbol up to the next symbol or the end of the
function.
* The BFD linker will now report property change in linker map file
when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
archives, unless -t is given twice. This makes it more useful
when generating a list of files that should be packaged for a
linker bug report.
* The GOLD linker has improved warning messages for relocations that
refer to discarded sections.
- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.
-----------------------------------------
Patch: SUSE-2019-2997
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:
Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).
Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------
Patch: SUSE-2019-3061
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html
The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.
Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)
Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)
-----------------------------------------
Patch: SUSE-2019-3086
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------
Patch: SUSE-2020-10
Released: Thu Jan 2 12:35:06 2020
Summary: Recommended update for gcc7
Severity: moderate
References: 1146475
Description:
This update for gcc7 fixes the following issues:
- Fix miscompilation with thread-safe localstatic initialization (gcc#85887).
- Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475).
-----------------------------------------
Patch: SUSE-2020-395
Released: Tue Feb 18 14:16:48 2020
Summary: Recommended update for gcc7
Severity: moderate
References: 1160086
Description:
This update for gcc7 fixes the following issue:
- Fixed a miscompilation in zSeries code (bsc#1160086)
-----------------------------------------
Patch: SUSE-2020-453
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Severity: moderate
References: 1160590
Description:
This update for binutils fixes the following issues:
- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)
-----------------------------------------
Patch: SUSE-2020-525
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Severity: moderate
References: 1164562
Description:
This update for pam fixes the following issues:
- Add libdb as build-time dependency to enable pam_userdb module.
Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)
-----------------------------------------
Patch: SUSE-2020-689
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for PAM fixes the following issue:
- The license of libdb linked against pam_userdb is not always wanted,
so we temporary disabled pam_userdb again. It will be published
in a different package at a later time. (bsc#1166510)
-----------------------------------------
Patch: SUSE-2020-917
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for pam fixes the following issues:
- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)
-----------------------------------------
Patch: SUSE-2020-948
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
Description:
This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:
- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)
FIPS related bugfixes:
- FIPS: Install checksums for binary integrity verification which are
required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)
-----------------------------------------
Patch: SUSE-2020-1226
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Severity: moderate
References: 1149995,1152590,1167898
Description:
This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.
- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go
-----------------------------------------
Patch: SUSE-2020-1294
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
Description:
This update for file fixes the following issues:
Security issues fixed:
- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).
Non-security issue fixed:
- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------
Patch: SUSE-2020-1303
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1169582
Description:
This update for timezone fixes the following issues:
- timezone update 2020a. (bsc#1169582)
* Morocco springs forward on 2020-05-31, not 2020-05-24.
* Canada's Yukon advanced to -07 year-round on 2020-03-08.
* America/Nuuk renamed from America/Godthab.
* zic now supports expiration dates for leap second lists.
-----------------------------------------
Patch: SUSE-2020-1328
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Severity: moderate
References: 1155271
Description:
This update for grep fixes the following issues:
- Update testsuite expectations, no functional changes (bsc#1155271)
-----------------------------------------
Patch: SUSE-2020-1542
Released: Thu Jun 4 13:24:37 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1172055
Description:
This update for timezone fixes the following issue:
- zdump --version reported 'unknown' (bsc#1172055)
-----------------------------------------
Patch: SUSE-2020-1954
Released: Sat Jul 18 03:07:15 2020
Summary: Recommended update for cracklib
Severity: moderate
References: 1172396
Description:
This update for cracklib fixes the following issues:
- Fixed a buffer overflow when processing long words.
-----------------------------------------
Patch: SUSE-2020-2083
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Severity: moderate
References: 1156913
Description:
This update for diffutils fixes the following issue:
- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)
-----------------------------------------
Patch: SUSE-2020-2947
Released: Fri Oct 16 15:23:07 2020
Summary: Security update for gcc10, nvptx-tools
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
Description:
This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them
via:
CC=gcc-10
CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:
- Enable build on aarch64
-----------------------------------------
Patch: SUSE-2020-2983
Released: Wed Oct 21 15:03:03 2020
Summary: Recommended update for file
Severity: moderate
References: 1176123
Description:
This update for file fixes the following issues:
- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)
-----------------------------------------
Patch: SUSE-2020-3060
Released: Wed Oct 28 08:09:21 2020
Summary: Security update for binutils
Severity: moderate
References: 1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
Description:
This update for binutils fixes the following issues:
binutils was updated to version 2.35. (jsc#ECO-2373)
Update to binutils 2.35:
* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.
The old behaviour - of displaying as many characters as possible, up to
the 80 column limit - can be restored by the use of the --silent-truncation
option.
* The linker can now produce a dependency file listing the inputs that it
has processed, much like the -M -MP option supported by the compiler.
- fix DT_NEEDED order with -flto [bsc#1163744]
Update to binutils 2.34:
* The disassembler (objdump --disassemble) now has an option to
generate ascii art thats show the arcs between that start and end
points of control flow instructions.
* The binutils tools now have support for debuginfod. Debuginfod is a
HTTP service for distributing ELF/DWARF debugging information as
well as source code. The tools can now connect to debuginfod
servers in order to download debug information about the files that
they are processing.
* The assembler and linker now support the generation of ELF format
files for the Z80 architecture.
- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
bsc#1153768 aka CVE-2019-17451 aka PR25070
bsc#1153770 aka CVE-2019-17450 aka PR25078
- fix various build fails on aarch64 (PR25210, bsc#1157755).
Update to binutils 2.33.1:
* Adds support for the Arm Scalable Vector Extension version 2
(SVE2) instructions, the Arm Transactional Memory Extension (TME)
instructions and the Armv8.1-M Mainline and M-profile Vector
Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
Loongson3 LLSC Errata. Add a --enable-mips-fix-loongson3-llsc=[yes|no]
configure time option to set the default behavior. Set the default
if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
which workaround to use. The option --fix-cortex-a53-843419 now
takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
which can be used to force a particular workaround to be used.
See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
GNU_PROPERTY_AARCH64_FEATURE_1_PAC in ELF GNU program properties
in the AArch64 ELF linker.
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI
on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
and --debug-dump=follow) and objdump (--dwarf=links and
--dwarf=follow-links) will now display and/or follow multiple
links if more than one are present in a file. (This usually
happens when gcc's -gsplit-dwarf option is used).
In addition objdump's --dwarf=follow-links now also affects its
other display options, so that for example, when combined with
--syms it will cause the symbol tables in any linked debug info
files to also be displayed. In addition when combined with
--disassemble the --dwarf= follow-links option will ensure that
any symbol tables in the linked files are read and used when
disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
to objdump and readelf.
- Includes fixes for these CVEs:
bsc#1126826 aka CVE-2019-9077 aka PR1126826
bsc#1126829 aka CVE-2019-9075 aka PR1126829
bsc#1126831 aka CVE-2019-9074 aka PR24235
bsc#1140126 aka CVE-2019-12972 aka PR23405
bsc#1143609 aka CVE-2019-14444 aka PR24829
bsc#1142649 aka CVE-2019-14250 aka PR90924
* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.
-----------------------------------------
Patch: SUSE-2020-3099
Released: Thu Oct 29 19:33:41 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
- timezone update 2020b (bsc#1177460)
* Revised predictions for Morocco's changes starting in 2023.
* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
* Macquarie Island has stayed in sync with Tasmania since 2011.
* Casey, Antarctica is at +08 in winter and +11 in summer.
* zic no longer supports -y, nor the TYPE field of Rules.
-----------------------------------------
Patch: SUSE-2020-3123
Released: Tue Nov 3 09:48:13 2020
Summary: Recommended update for timezone
Severity: important
References: 1177460,1178346,1178350,1178353
Description:
This update for timezone fixes the following issues:
- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)
-----------------------------------------
Patch: SUSE-2020-3462
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Severity: moderate
References: 1174593,1177858,1178727
Description:
This update for pam and sudo fixes the following issue:
pam:
- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)
sudo:
- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)
-----------------------------------------
Patch: SUSE-2020-3620
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Severity: moderate
References:
Description:
This update for pam fixes the following issues:
- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
- Check whether the password contains a substring of of the user's name of at least `<N>` characters length in
some form. This is enabled by the new parameter `usersubstr=<N>`
-----------------------------------------
Patch: SUSE-2020-3640
Released: Mon Dec 7 13:24:41 2020
Summary: Recommended update for binutils
Severity: important
References: 1179036,1179341
Description:
This update for binutils fixes the following issues:
Update binutils 2.35 branch to commit 1c5243df:
* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
PR26711
* The above includes fixes for dwo files produced by modern dwp,
fixing several problems in the DWARF reader.
Update binutils to 2.35.1 and rebased branch diff:
* This is a point release over the previous 2.35 version, containing bug
fixes, and as an exception to the usual rule, one new feature. The
new feature is the support for a new directive in the assembler:
'.nop'. This directive creates a single no-op instruction in whatever
encoding is correct for the target architecture. Unlike the .space or
.fill this is a real instruction, and it does affect the generation of
DWARF line number tables, should they be enabled. This fixes an
incompatibility introduced in the latest update that broke the install
scripts of the Oracle server. [bsc#1179341]
-----------------------------------------
Patch: SUSE-2020-3749
Released: Thu Dec 10 14:39:28 2020
Summary: Security update for gcc7
Severity: moderate
References: 1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
Description:
This update for gcc7 fixes the following issues:
- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler.
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
default enabling. [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link. [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch. [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments. [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x. [bsc#1161913]
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]
-----------------------------------------
Patch: SUSE-2020-3791
Released: Mon Dec 14 17:39:19 2020
Summary: Recommended update for gzip
Severity: moderate
References:
Description:
This update for gzip fixes the following issue:
- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.
-----------------------------------------
Patch: SUSE-2020-3942
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Severity: moderate
References: 1180138
Description:
This update for libidn2 fixes the following issues:
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
adjusted the RPM license tags (bsc#1180138)
-----------------------------------------
Patch: SUSE-2021-79
Released: Tue Jan 12 10:49:34 2021
Summary: Recommended update for gcc7
Severity: moderate
References: 1167939
Description:
This update for gcc7 fixes the following issues:
- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939]
-----------------------------------------
Patch: SUSE-2021-179
Released: Wed Jan 20 13:38:51 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
-----------------------------------------
Patch: SUSE-2021-220
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Severity: moderate
References: 1180603
Description:
This update for keyutils fixes the following issues:
- Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------
Patch: SUSE-2021-293
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Severity: moderate
References: 1180603
Description:
This update for gmp fixes the following issues:
- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)
-----------------------------------------
Patch: SUSE-2021-301
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------
Patch: SUSE-2021-339
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Severity: low
References:
Description:
This update for pam fixes the following issues:
- Added rpm macros for this package, so that other packages can make use of it
This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------
Patch: SUSE-2021-596
Released: Thu Feb 25 10:26:30 2021
Summary: Recommended update for gcc7
Severity: moderate
References: 1181618
Description:
This update for gcc7 fixes the following issues:
- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h
-----------------------------------------
Patch: SUSE-2021-924
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
Description:
This update for filesystem the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)
This update for systemd fixes the following issues:
- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
-----------------------------------------
Patch: SUSE-2021-930
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Severity: important
References: 1172442,1181358,CVE-2020-11080
Description:
This update for nghttp2 fixes the following issues:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)
-----------------------------------------
Patch: SUSE-2021-974
Released: Mon Mar 29 19:31:27 2021
Summary: Security update for tar
Severity: low
References: 1181131,CVE-2021-20193
Description:
This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
-----------------------------------------
Patch: SUSE-2021-1018
Released: Tue Apr 6 14:29:13 2021
Summary: Recommended update for gzip
Severity: moderate
References: 1180713
Description:
This update for gzip fixes the following issues:
- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)
-----------------------------------------
Patch: SUSE-2021-1289
Released: Wed Apr 21 14:02:46 2021
Summary: Recommended update for gzip
Severity: moderate
References: 1177047
Description:
This update for gzip fixes the following issues:
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)
-----------------------------------------
Patch: SUSE-2021-1291
Released: Wed Apr 21 14:04:06 2021
Summary: Recommended update for mpfr
Severity: moderate
References: 1141190
Description:
This update for mpfr fixes the following issues:
- Fixed an issue when building for ppc64le (bsc#1141190)
Technical library fixes:
- A subtraction of two numbers of the same sign or addition of two numbers of different signs
can be rounded incorrectly (and the ternary value can be incorrect) when one of the two
inputs is reused as the output (destination) and all these MPFR numbers have exactly
GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit
machines).
- The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or
underflow.
- The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow
when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on
32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits
of precision.
- The behavior and documentation of the mpfr_get_str function are inconsistent concerning the
minimum precision (this is related to the change of the minimum precision from 2 to 1 in
MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be
provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits
in the output string can now be 1, as already implied by the documentation (but the code was
increasing it to 2).
- The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null
denominator.
- The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a
null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is
useless, not documented (thus incorrect in case a null pointer would have a special meaning),
and not consistent with other input/output functions.
-----------------------------------------
Patch: SUSE-2021-1643
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Severity: important
References: 1181443,1184358,1185562
Description:
This update for pam fixes the following issues:
- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)
-----------------------------------------
Patch: SUSE-2021-1861
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016
Description:
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
-----------------------------------------
Patch: SUSE-2021-1926
Released: Thu Jun 10 08:38:14 2021
Summary: Recommended update for gcc
Severity: moderate
References: 1096677
Description:
This update for gcc fixes the following issues:
- Added gccgo symlink and go and gofmt as alternatives to support parallel installation
of golang (bsc#1096677)
-----------------------------------------
Patch: SUSE-2021-1935
Released: Thu Jun 10 10:45:09 2021
Summary: Recommended update for gzip
Severity: moderate
References: 1186642
Description:
This update for gzip fixes the following issue:
- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
-----------------------------------------
Patch: SUSE-2021-1937
Released: Thu Jun 10 10:47:09 2021
Summary: Recommended update for nghttp2
Severity: moderate
References: 1186642
Description:
This update for nghttp2 fixes the following issue:
- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
-----------------------------------------
Patch: SUSE-2021-2146
Released: Wed Jun 23 17:55:14 2021
Summary: Recommended update for openssh
Severity: moderate
References: 1115550,1174162
Description:
This update for openssh fixes the following issues:
- Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162).
-----------------------------------------
Patch: SUSE-2021-2173
Released: Mon Jun 28 14:59:45 2021
Summary: Recommended update for automake
Severity: moderate
References: 1040589,1047218,1182604,1185540,1186049
Description:
This update for automake fixes the following issues:
- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)
This update for pcre fixes the following issues:
- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)
This update for brp-check-suse fixes the following issues:
- Add fixes to support reproducible builds. (bsc#1186049)
-----------------------------------------
Patch: SUSE-2021-2193
Released: Mon Jun 28 18:38:43 2021
Summary: Recommended update for tar
Severity: moderate
References: 1184124
Description:
This update for tar fixes the following issues:
- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
-----------------------------------------
Patch: SUSE-2021-2196
Released: Tue Jun 29 09:41:39 2021
Summary: Security update for lua53
Severity: moderate
References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371
Description:
This update for lua53 fixes the following issues:
Update to version 5.3.6:
- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.
-----------------------------------------
Patch: SUSE-2021-2555
Released: Thu Jul 29 08:29:55 2021
Summary: Security update for git
Severity: moderate
References: 1168930,1183026,1183580,CVE-2021-21300
Description:
This update for git fixes the following issues:
Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152)
Security fixes:
- CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally
to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026)
Non security changes:
- Add `sysusers` file to create `git-daemon` user.
- Remove `perl-base` and `openssh-server` dependency on `git-core`and provide a `perl-Git` package. (jsc#SLE-17838)
- `fsmonitor` bug fixes
- Fix `git bisect` to take an annotated tag as a good/bad endpoint
- Fix a corner case in `git mv` on case insensitive systems
- Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580)
- Drop `rsync` requirement, not necessary anymore.
- Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`.
- The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption.
- No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`.
- The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm
- `git rev-parse` can be explicitly told to give output as absolute or relative path with the
`--path-format=(absolute|relative)` option.
- Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands.
- `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'.
- After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that
knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}`
- `git bundle` learns `--stdin` option to read its refs from the standard input.
Also, it now does not lose refs when they point at the same object.
- `git log` learned a new `--diff-merges=<how>` option.
- `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion
unless `-s/-u` option is in use. A new option `--deduplicate` has been introduced.
- `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes
in `--porcelain mode`, and gained a `--verbose` option.
- `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it
is done, but the protocol did not convey the information necessary to do so when copying an empty repository.
The protocol v2 learned how to do so.
- There are other ways than `..` for a single token to denote a `commit range', namely `<rev>^!`
and `<rev>^-<n>`, but `git range-diff` did not understand them.
- The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range.
- `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified.
The command learned to optionally prepare these files with unconflicted parts already resolved.
- The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file
in a bare repository also was read by accident, which has been corrected.
- `git maintenance` tool learned a new `pack-refs` maintenance task.
- Improved error message given when a configuration variable that is expected to have a boolean value.
- Signed commits and tags now allow verification of objects, whose two object names
(one in SHA-1, the other in SHA-256) are both signed.
- `git rev-list` command learned `--disk-usage` option.
- `git diff`, `git log` `--{skip,rotate}-to=<path>` allows the user to discard diff output for early
paths or move them to the end of the output.
- `git difftool` learned `--skip-to=<path>` option to restart an interrupted session from an arbitrary path.
- `git grep` has been tweaked to be limited to the sparse checkout paths.
- `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have
to keep specifying a non-default setting.
- `git stash` did not work well in a sparsely checked out working tree.
- Newline characters in the host and path part of `git://` URL are now forbidden.
- `Userdiff` updates for PHP, Rust, CSS
- Avoid administrator error leading to data loss with `git push --force-with-lease[=<ref>]` by
introducing `--force-if-includes`
- only pull `asciidoctor` for the default ruby version
- The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by
mistake in 2.29
- The transport protocol v2 has become the default again
- `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data
related to linked worktrees
- `git maintenance` introduced for repository maintenance tasks
- `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the
`feature.experimental` set.
- The commands in the `diff` family honors the `diff.relative` configuration variable.
- `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files,
not modified from an empty blob.
- `git gui` now allows opening work trees from the start-up dialog.
- `git bugreport` reports what shell is in use.
- Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass
these timestamps intact to allow recreating existing repositories as-is.
- `git describe` will always use the `long` version when giving its output based misplaced tags
- `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given
-----------------------------------------
Patch: SUSE-2021-2573
Released: Thu Jul 29 14:21:52 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1188127
Description:
This update for timezone fixes the following issue:
- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by
the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are
now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).
-----------------------------------------
Patch: SUSE-2021-2606
Released: Wed Aug 4 13:16:09 2021
Summary: Recommended update for libcbor
Severity: moderate
References: 1102408
Description:
This update for libcbor fixes the following issues:
- Implement a fix to avoid building shared library twice. (bsc#1102408)
-----------------------------------------
Patch: SUSE-2021-2682
Released: Thu Aug 12 20:06:19 2021
Summary: Security update for rpm
Severity: important
References: 1179416,1181805,1183543,1183545,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421
Description:
This update for rpm fixes the following issues:
- Changed default package verification level to 'none' to be compatible to rpm-4.14.1
- Made illegal obsoletes a warning
- Fixed a potential access of freed mem in ndb's glue code (bsc#1179416)
- Added support for enforcing signature policy and payload verification step to
transactions (jsc#SLE-17817)
- Added :humansi and :hmaniec query formatters for human readable output
- Added query selectors for whatobsoletes and whatconflicts
- Added support for sorting caret higher than base version
- rpm does no longer require the signature header to be in a contiguous
region when signing (bsc#1181805)
Security fixes:
- CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an
attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM
repository, to cause RPM database corruption. The highest threat from this vulnerability is to
data integrity (bsc#1183543)
- CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file.
This flaw allows an attacker who can convince a victim to install a seemingly verifiable package,
whose signature header was modified, to cause RPM database corruption and execute code. The highest
threat from this vulnerability is to data integrity, confidentiality, and system availability (bsc#1183545)
- CVE-2021-20266: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker
who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability
is to system availability.
-----------------------------------------
Patch: SUSE-2021-2993
Released: Thu Sep 9 14:31:33 2021
Summary: Recommended update for gcc
Severity: moderate
References: 1185348
Description:
This update for gcc fixes the following issues:
- With gcc-PIE add -pie even when -fPIC is specified but we are
not linking a shared library. [bsc#1185348]
- Fix postun of gcc-go alternative.
-----------------------------------------
Patch: SUSE-2021-3182
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Severity: moderate
References: 1189996
Description:
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
-----------------------------------------
Patch: SUSE-2021-3291
Released: Wed Oct 6 16:45:36 2021
Summary: Security update for glibc
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942
Description:
This update for glibc fixes the following issues:
- CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
- CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).
-----------------------------------------
Patch: SUSE-2021-3445
Released: Fri Oct 15 09:03:39 2021
Summary: Security update for rpm
Severity: important
References: 1183659,1185299,1187670,1188548
Description:
This update for rpm fixes the following issues:
Security issues fixed:
- PGP hardening changes (bsc#1185299)
Maintaince issues fixed:
- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659)
-----------------------------------------
Patch: SUSE-2021-3490
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Severity: moderate
References: 1190793,CVE-2021-39537
Description:
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
-----------------------------------------
Patch: SUSE-2021-3494
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Severity: moderate
References: 1190052
Description:
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
-----------------------------------------
Patch: SUSE-2021-3510
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Severity: important
References: 1191987
Description:
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
-----------------------------------------
Patch: SUSE-2021-3529
Released: Wed Oct 27 09:23:32 2021
Summary: Security update for pcre
Severity: moderate
References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155
Description:
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)
-----------------------------------------
Patch: SUSE-2021-3616
Released: Thu Nov 4 12:29:16 2021
Summary: Security update for binutils
Severity: moderate
References: 1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487
Description:
This update for binutils fixes the following issues:
Update to binutils 2.37:
* The GNU Binutils sources now requires a C99 compiler and library to
build.
* Support for Realm Management Extension (RME) for AArch64 has been
added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
special treatment of __start_*/__stop_* references when
--gc-sections.
* A new linker options '-Bno-symbolic' has been added which will
cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
specify how the numeric values of symbols are reported.
--sym-base=0|8|10|16 tells readelf to display the values in base 8,
base 10 or base 16. A sym base of 0 represents the default action
of displaying values under 10000 in base 10 and values above that in
base 16.
* A new format has been added to the nm program. Specifying
'--format=just-symbols' (or just using -j) will tell the program to
only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
objcopy and strip. This stops the removal of unused section symbols
when the file is copied. Removing these symbols saves space, but
sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
supported by objcopy now make undefined symbols weak on targets that
support weak symbols.
* Readelf and objdump can now display and use the contents of .debug_sup
sections.
* Readelf and objdump will now follow links to separate debug info
files by default. This behaviour can be stopped via the use of the
new '-wN' or '--debug-dump=no-follow-links' options for readelf and
the '-WN' or '--dwarf=no-follow-links' options for objdump. Also
the old behaviour can be restored by the use of the
'--enable-follow-debug-links=no' configure time option.
The semantics of the =follow-links option have also been slightly
changed. When enabled, the option allows for the loading of symbol
tables and string tables from the separate files which can be used
to enhance the information displayed when dumping other sections,
but it does not automatically imply that information from the
separate files should be displayed.
If other debug section display options are also enabled (eg
'--debug-dump=info') then the contents of matching sections in both
the main file and the separate debuginfo file *will* be displayed.
This is because in most cases the debug section will only be present
in one of the files.
If however non-debug section display options are enabled (eg
'--sections') then the contents of matching parts of the separate
debuginfo file will *not* be displayed. This is because in most
cases the user probably only wanted to load the symbol information
from the separate debuginfo file. In order to change this behaviour
a new command line option --process-links can be used. This will
allow di0pslay options to applied to both the main file and any
separate debuginfo files.
* Nm has a new command line option: '--quiet'. This suppresses 'no
symbols' diagnostic.
Update to binutils 2.36:
New features in the Assembler:
- General:
* When setting the link order attribute of ELF sections, it is now
possible to use a numeric section index instead of symbol name.
* Added a .nop directive to generate a single no-op instruction in
a target neutral manner. This instruction does have an effect on
DWARF line number generation, if that is active.
* Removed --reduce-memory-overheads and --hash-size as gas now
uses hash tables that can be expand and shrink automatically.
- X86/x86_64:
* Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
Locker instructions.
* Support non-absolute segment values for lcall and ljmp.
* Add {disp16} pseudo prefix to x86 assembler.
* Configure with --enable-x86-used-note by default for Linux/x86.
- ARM/AArch64:
* Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
Cortex-R82, Neoverse V1, and Neoverse N2 cores.
* Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
Stack Recorder Extension) and BRBE (Branch Record Buffer
Extension) system registers.
* Add support for Armv8-R and Armv8.7-A ISA extensions.
* Add support for DSB memory nXS barrier, WFET and WFIT
instruction for Armv8.7.
* Add support for +csre feature for -march. Add CSR PDEC
instruction for CSRE feature in AArch64.
* Add support for +flagm feature for -march in Armv8.4 AArch64.
* Add support for +ls64 feature for -march in Armv8.7
AArch64. Add atomic 64-byte load/store instructions for this
feature.
* Add support for +pauth (Pointer Authentication) feature for
-march in AArch64.
New features in the Linker:
* Add --error-handling-script=<NAME> command line option to allow
a helper script to be invoked when an undefined symbol or a
missing library is encountered. This option can be suppressed
via the configure time switch: --enable-error-handling-script=no.
* Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
x86-64-{baseline|v[234]} ISA level as needed.
* Add -z unique-symbol to avoid duplicated local symbol names.
* The creation of PE format DLLs now defaults to using a more
secure set of DLL characteristics.
* The linker now deduplicates the types in .ctf sections. The new
command-line option --ctf-share-types describes how to do this:
its default value, share-unconflicted, produces the most compact
output.
* The linker now omits the 'variable section' from .ctf sections
by default, saving space. This is almost certainly what you
want unless you are working on a project that has its own
analogue of symbol tables that are not reflected in the ELF
symtabs.
New features in other binary tools:
* The ar tool's previously unused l modifier is now used for
specifying dependencies of a static library. The arguments of
this option (or --record-libdeps long form option) will be
stored verbatim in the __.LIBDEP member of the archive, which
the linker may read at link time.
* Readelf can now display the contents of LTO symbol table
sections when asked to do so via the --lto-syms command line
option.
* Readelf now accepts the -C command line option to enable the
demangling of symbol names. In addition the --demangle=<style>,
--no-demangle, --recurse-limit and --no-recurse-limit options
are also now availale.
The following security fixes are addressed by the update:
- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed an use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).
-----------------------------------------
Patch: SUSE-2021-3643
Released: Tue Nov 9 19:32:18 2021
Summary: Security update for binutils
Severity: moderate
References: 1183909,1184519,1188941,1191473,1192267,CVE-2021-20294
Description:
This update for binutils fixes the following issues:
- For compatibility on old code stream that expect 'brcl 0,label' to
not be disassembled as 'jgnop label' on s390x. (bsc#1192267)
This reverts IBM zSeries HLASM support for now.
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).
Security issue fixed:
- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)
-----------------------------------------
Patch: SUSE-2021-3766
Released: Tue Nov 23 07:07:43 2021
Summary: Recommended update for git
Severity: moderate
References: 1192023
Description:
This update for git fixes the following issues:
- Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)
-----------------------------------------
Patch: SUSE-2021-3798
Released: Wed Nov 24 18:01:36 2021
Summary: Recommended update for gcc7
Severity: moderate
References:
Description:
This update for gcc7 fixes the following issues:
- Fixed a build issue when built with recent kernel headers.
- Backport the '-fpatchable-function-entry' feature from newer GCC. (jsc#SLE-20049)
- do not handle exceptions in std::thread (jsc#CAR-1182)
-----------------------------------------
Patch: SUSE-2021-3799
Released: Wed Nov 24 18:07:54 2021
Summary: Recommended update for gcc11
Severity: moderate
References: 1187153,1187273,1188623
Description:
This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.
to select them for building:
- CC='gcc-11'
- CXX='g++-11'
The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
-----------------------------------------
Patch: SUSE-2021-3872
Released: Thu Dec 2 07:25:55 2021
Summary: Recommended update for cracklib
Severity: moderate
References: 1191736
Description:
This update for cracklib fixes the following issues:
- Enable build time tests (bsc#1191736)
-----------------------------------------
Patch: SUSE-2021-3883
Released: Thu Dec 2 11:47:07 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)
- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china
-----------------------------------------
Patch: SUSE-2021-3891
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Severity: moderate
References: 1029961,1113013,1187654
Description:
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------
Patch: SUSE-2021-3942
Released: Mon Dec 6 14:46:05 2021
Summary: Security update for brotli
Severity: moderate
References: 1175825,CVE-2020-8927
Description:
This update for brotli fixes the following issues:
- CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).
-----------------------------------------
Patch: SUSE-2021-3946
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Severity: moderate
References: 1192717,CVE-2021-43618
Description:
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------
Patch: SUSE-2021-3950
Released: Mon Dec 6 14:59:37 2021
Summary: Security update for openssh
Severity: important
References: 1190975,CVE-2021-41617
Description:
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
-----------------------------------------
Patch: SUSE-2021-3980
Released: Thu Dec 9 16:42:19 2021
Summary: Recommended update for glibc
Severity: moderate
References: 1191592
Description:
glibc was updated to fix the following issue:
- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)
-----------------------------------------
Patch: SUSE-2021-4153
Released: Wed Dec 22 11:00:48 2021
Summary: Security update for openssh
Severity: important
References: 1183137,CVE-2021-28041
Description:
This update for openssh fixes the following issues:
- CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).
-----------------------------------------
Patch: SUSE-2022-96
Released: Tue Jan 18 05:14:44 2022
Summary: Recommended update for rpm
Severity: important
References: 1180125,1190824,1193711
Description:
This update for rpm fixes the following issues:
- Fix header check so that old rpms no longer get rejected (bsc#1190824)
- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)
-----------------------------------------
Patch: SUSE-2022-207
Released: Thu Jan 27 09:24:49 2022
Summary: Recommended update for glibc
Severity: moderate
References:
Description:
This update for glibc fixes the following issues:
- Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).
-----------------------------------------
Patch: SUSE-2022-227
Released: Mon Jan 31 06:05:25 2022
Summary: Recommended update for git
Severity: moderate
References: 1193722
Description:
This update for git fixes the following issues:
- update to 2.34.1 (bsc#1193722):
* 'git grep' looking in a blob that has non-UTF8 payload was
completely broken when linked with certain versions of PCREv2
library in the latest release.
* 'git pull' with any strategy when the other side is behind us
should succeed as it is a no-op, but doesn't.
* An earlier change in 2.34.0 caused JGit application (that abused
GIT_EDITOR mechanism when invoking 'git config') to get stuck with
a SIGTTOU signal; it has been reverted.
* An earlier change that broke .gitignore matching has been reverted.
* SubmittingPatches document gained a syntactically incorrect mark-up,
which has been corrected.
- git 2.33.0:
* 'git send-email' learned the '--sendmail-cmd' command line option
and the 'sendemail.sendmailCmd' configuration variable, which is a
more sensible approach than the current way of repurposing the
'smtp-server' that is meant to name the server to instead name the
command to talk to the server.
* The userdiff pattern for C# learned the token 'record'.
* 'git rev-list' learns to omit the 'commit <object-name>' header
lines from the output with the `--no-commit-header` option.
* 'git worktree add --lock' learned to record why the worktree is
locked with a custom message.
* internal improvements including performance optimizations
* a number of bug fixes
- git 2.32.0:
* '.gitattributes', '.gitignore', and '.mailmap' files that are
symbolic links are ignored
* 'git apply --3way' used to first attempt a straight
application, and only fell back to the 3-way merge algorithm
when the straight application failed. Starting with this
version, the command will first try the 3-way merge algorithm
and only when it fails (either resulting with conflict or the
base versions of blobs are missing), falls back to the usual
patch application.
* 'git stash show' can now show the untracked part of the stash
* Improved 'git repack' strategy
* http code can now unlock a certificate with a cached password
respectively.
* 'git clone --reject-shallow' option fails the clone as soon as
we notice that we are cloning from a shallow repository.
* 'gitweb' learned 'e-mail privacy' feature
* Multiple improvements to output and configuration options
* Bug fixes and developer visible fixes
-----------------------------------------
Patch: SUSE-2022-330
Released: Fri Feb 4 09:29:08 2022
Summary: Security update for glibc
Severity: important
References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219
Description:
This update for glibc fixes the following issues:
- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
Features added:
- IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)
-----------------------------------------
Patch: SUSE-2022-520
Released: Fri Feb 18 12:45:19 2022
Summary: Recommended update for rpm
Severity: moderate
References: 1194968
Description:
This update for rpm fixes the following issues:
- Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)
-----------------------------------------
Patch: SUSE-2022-692
Released: Thu Mar 3 15:46:47 2022
Summary: Recommended update for filesystem
Severity: moderate
References: 1190447
Description:
This update for filesystem fixes the following issues:
- Release ported filesystem to LTSS channels (bsc#1190447).
-----------------------------------------
Patch: SUSE-2022-789
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Severity: moderate
References: 1195654
Description:
This update for update-alternatives fixes the following issues:
- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)
-----------------------------------------
Patch: SUSE-2022-861
Released: Tue Mar 15 23:30:48 2022
Summary: Recommended update for openssl-1_1
Severity: moderate
References: 1182959,1195149,1195792,1195856
Description:
This update for openssl-1_1 fixes the following issues:
openssl-1_1:
- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
glibc:
- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
linux-glibc-devel:
- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1
libxcrypt:
- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1
zlib:
- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1
-----------------------------------------
Patch: SUSE-2022-936
Released: Tue Mar 22 18:10:17 2022
Summary: Recommended update for filesystem and systemd-rpm-macros
Severity: moderate
References: 1196275,1196406
Description:
This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:
- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
systemd-rpm-macros:
- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)
-----------------------------------------
Patch: SUSE-2022-1047
Released: Wed Mar 30 16:20:56 2022
Summary: Recommended update for pam
Severity: moderate
References: 1196093,1197024
Description:
This update for pam fixes the following issues:
- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable.
This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)
-----------------------------------------
Patch: SUSE-2022-1118
Released: Tue Apr 5 18:34:06 2022
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not on 03-26
* `zdump -v` now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
-----------------------------------------
Patch: SUSE-2022-1158
Released: Tue Apr 12 14:44:43 2022
Summary: Security update for xz
Severity: important
References: 1198062,CVE-2022-1271
Description:
This update for xz fixes the following issues:
- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)
-----------------------------------------
Patch: SUSE-2022-1281
Released: Wed Apr 20 12:26:38 2022
Summary: Recommended update for libtirpc
Severity: moderate
References: 1196647
Description:
This update for libtirpc fixes the following issues:
- Add option to enforce connection via protocol version 2 first (bsc#1196647)
-----------------------------------------
Patch: SUSE-2022-1374
Released: Mon Apr 25 15:02:13 2022
Summary: Recommended update for openldap2
Severity: moderate
References: 1191157,1197004
Description:
This update for openldap2 fixes the following issues:
- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)
-----------------------------------------
Patch: SUSE-2022-1409
Released: Tue Apr 26 12:54:57 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1195628,1196107
Description:
This update for gcc11 fixes the following issues:
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
packages provided by older GCC work. Add a requires from that
package to the corresponding libstc++6 package to keep those
at the same version. [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
to Recommends.
-----------------------------------------
Patch: SUSE-2022-1439
Released: Wed Apr 27 16:08:04 2022
Summary: Recommended update for binutils
Severity: moderate
References: 1198237
Description:
This update for binutils fixes the following issues:
- The official name IBM z16 for IBM zSeries arch14 is recognized. (bsc#1198237)
-----------------------------------------
Patch: SUSE-2022-1451
Released: Thu Apr 28 10:47:22 2022
Summary: Recommended update for perl
Severity: moderate
References: 1193489
Description:
This update for perl fixes the following issues:
- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)
-----------------------------------------
Patch: SUSE-2022-1484
Released: Mon May 2 16:47:10 2022
Summary: Security update for git
Severity: important
References: 1181400,1198234,CVE-2022-24765
Description:
This update for git fixes the following issues:
- Updated to version 2.35.3:
- CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).
-----------------------------------------
Patch: SUSE-2022-1548
Released: Thu May 5 16:45:28 2022
Summary: Security update for tar
Severity: moderate
References: 1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
Description:
This update for tar fixes the following issues:
- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).
- Update to GNU tar 1.34:
* Fix extraction over pipe
* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
* Fix extraction when . and .. are unreadable
* Gracefully handle duplicate symlinks when extracting
* Re-initialize supplementary groups when switching to user
privileges
- Update to GNU tar 1.33:
* POSIX extended format headers do not include PID by default
* --delay-directory-restore works for archives with reversed
member ordering
* Fix extraction of a symbolic link hardlinked to another
symbolic link
* Wildcards in exclude-vcs-ignore mode don't match slash
* Fix the --no-overwrite-dir option
* Fix handling of chained renames in incremental backups
* Link counting works for file names supplied with -T
* Accept only position-sensitive (file-selection) options in file
list files
- prepare usrmerge (bsc#1029961)
- Update to GNU 1.32
* Fix the use of --checkpoint without explicit --checkpoint-action
* Fix extraction with the -U option
* Fix iconv usage on BSD-based systems
* Fix possible NULL dereference (savannah bug #55369)
[bsc#1130496] [CVE-2019-9923]
* Improve the testsuite
- Update to GNU 1.31
* Fix heap-buffer-overrun with --one-top-level, bug introduced
with the addition of that option in 1.28
* Support for zstd compression
* New option '--zstd' instructs tar to use zstd as compression
program. When listing, extractng and comparing, zstd compressed
archives are recognized automatically. When '-a' option is in
effect, zstd compression is selected if the destination archive
name ends in '.zst' or '.tzst'.
* The -K option interacts properly with member names given in the
command line. Names of members to extract can be specified along
with the '-K NAME' option. In this case, tar will extract NAME
and those of named members that appear in the archive after it,
which is consistent with the semantics of the option. Previous
versions of tar extracted NAME, those of named members that
appeared before it, and everything after it.
* Fix CVE-2018-20482 - When creating archives with the --sparse
option, previous versions of tar would loop endlessly if a
sparse file had been truncated while being archived.
-----------------------------------------
Patch: SUSE-2022-1617
Released: Tue May 10 14:40:12 2022
Summary: Security update for gzip
Severity: important
References: 1198062,1198922,CVE-2022-1271
Description:
This update for gzip fixes the following issues:
- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)
-----------------------------------------
Patch: SUSE-2022-1655
Released: Fri May 13 15:36:10 2022
Summary: Recommended update for pam
Severity: moderate
References: 1197794
Description:
This update for pam fixes the following issue:
- Do not include obsolete header files (bsc#1197794)
-----------------------------------------
Patch: SUSE-2022-1658
Released: Fri May 13 15:40:20 2022
Summary: Recommended update for libpsl
Severity: important
References: 1197771
Description:
This update for libpsl fixes the following issues:
- Fix libpsl compilation issues (bsc#1197771)
-----------------------------------------
Patch: SUSE-2022-1670
Released: Mon May 16 10:06:30 2022
Summary: Security update for openldap2
Severity: important
References: 1199240,CVE-2022-29155
Description:
This update for openldap2 fixes the following issues:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
-----------------------------------------
Patch: SUSE-2022-1709
Released: Tue May 17 17:35:47 2022
Summary: Recommended update for libcbor
Severity: important
References: 1197743
Description:
This update for libcbor fixes the following issues:
- Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4
-----------------------------------------
Patch: SUSE-2022-1718
Released: Tue May 17 17:44:43 2022
Summary: Security update for e2fsprogs
Severity: important
References: 1198446,CVE-2022-1304
Description:
This update for e2fsprogs fixes the following issues:
- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
and possibly arbitrary code execution. (bsc#1198446)
-----------------------------------------
Patch: SUSE-2022-1851
Released: Thu May 26 08:59:55 2022
Summary: Recommended update for gcc8
Severity: moderate
References: 1197716
Description:
This update for gcc8 fixes the following issues:
- Fix build against SP4. (bsc#1197716)
- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)
-----------------------------------------
Patch: SUSE-2022-1887
Released: Tue May 31 09:24:18 2022
Summary: Recommended update for grep
Severity: moderate
References: 1040589
Description:
This update for grep fixes the following issues:
- Make profiling deterministic. (bsc#1040589, SLE-24115)
-----------------------------------------
Patch: SUSE-2022-1899
Released: Wed Jun 1 10:43:22 2022
Summary: Recommended update for libtirpc
Severity: important
References: 1198176
Description:
This update for libtirpc fixes the following issues:
- Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)
-----------------------------------------
Patch: SUSE-2022-1909
Released: Wed Jun 1 16:25:35 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1198751
Description:
This update for glibc fixes the following issues:
- Add the correct name for the IBM Z16 (bsc#1198751).
-----------------------------------------
Patch: SUSE-2022-2019
Released: Wed Jun 8 16:50:07 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1192951,1193659,1195283,1196861,1197065
Description:
This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.
* includes SLS hardening backport on x86_64. [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build [bsc#1192951]
* Package mwaitintrin.h
-----------------------------------------
Patch: SUSE-2022-2049
Released: Mon Jun 13 09:23:52 2022
Summary: Recommended update for binutils
Severity: moderate
References: 1191908,1198422
Description:
This update for binutils fixes the following issues:
- Revert back to old behaviour of not ignoring the in-section content
of to be relocated fields on x86-64, even though that's a RELA architecture.
Compatibility with buggy object files generated by old tools.
[bsc#1198422]
- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)
-----------------------------------------
Patch: SUSE-2022-2157
Released: Wed Jun 22 17:11:26 2022
Summary: Recommended update for binutils
Severity: moderate
References: 1198458
Description:
This update for binutils fixes the following issues:
- For building the shim 15.6~rc1 and later versions aarch64 image, objcopy
needs to support efi-app-aarch64 target. (bsc#1198458)
-----------------------------------------
Patch: SUSE-2022-2294
Released: Wed Jul 6 13:34:15 2022
Summary: Security update for expat
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
Description:
This update for expat fixes the following issues:
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).
-----------------------------------------
Patch: SUSE-2022-2305
Released: Wed Jul 6 13:38:42 2022
Summary: Security update for curl
Severity: important
References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
Description:
This update for curl fixes the following issues:
- CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)
-----------------------------------------
Patch: SUSE-2022-2360
Released: Tue Jul 12 12:01:39 2022
Summary: Security update for pcre2
Severity: important
References: 1199232,CVE-2022-1586
Description:
This update for pcre2 fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
-----------------------------------------
Patch: SUSE-2022-2361
Released: Tue Jul 12 12:05:01 2022
Summary: Security update for pcre
Severity: important
References: 1199232,CVE-2022-1586
Description:
This update for pcre fixes the following issues:
- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)
-----------------------------------------
Patch: SUSE-2022-2406
Released: Fri Jul 15 11:49:01 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1197718,1199140,1200334,1200855
Description:
This update for glibc fixes the following issues:
- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)
This readds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).
-----------------------------------------
Patch: SUSE-2022-2469
Released: Thu Jul 21 04:38:31 2022
Summary: Recommended update for systemd
Severity: important
References: 1137373,1181658,1194708,1195157,1197570,1198732,1200170,1201276
Description:
This update for systemd fixes the following issues:
- Make {/etc,/usr/lib}/systemd/network owned by both udev and systemd-network. The configuration files put in these
directories are read by both udevd and systemd-networkd (bsc#1201276)
- Allow control characters in environment variable values (bsc#1200170)
- Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
- Fix parsing error in s390 udev rules conversion script (bsc#1198732)
- core/device: device_coldplug(): don't set DEVICE_DEAD
- core/device: do not downgrade device state if it is already enumerated
- core/device: drop unnecessary condition
-----------------------------------------
Patch: SUSE-2022-2493
Released: Thu Jul 21 14:35:08 2022
Summary: Recommended update for rpm-config-SUSE
Severity: moderate
References: 1193282
Description:
This update for rpm-config-SUSE fixes the following issues:
- Add SBAT values macros for other packages (bsc#1193282)
-----------------------------------------
Patch: SUSE-2022-2494
Released: Thu Jul 21 15:16:42 2022
Summary: Recommended update for glibc
Severity: important
References: 1200855,1201560,1201640
Description:
This update for glibc fixes the following issues:
- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)
-----------------------------------------
Patch: SUSE-2022-2550
Released: Tue Jul 26 14:00:21 2022
Summary: Security update for git
Severity: important
References: 1201431,CVE-2022-29187
Description:
This update for git fixes the following issues:
- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).
-----------------------------------------
Patch: SUSE-2022-2566
Released: Wed Jul 27 15:04:49 2022
Summary: Security update for pcre2
Severity: important
References: 1199235,CVE-2022-1587
Description:
This update for pcre2 fixes the following issues:
- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).
-----------------------------------------
Patch: SUSE-2022-2632
Released: Wed Aug 3 09:51:00 2022
Summary: Security update for permissions
Severity: important
References: 1198720,1200747,1201385
Description:
This update for permissions fixes the following issues:
* apptainer: fix starter-suid location (bsc#1198720)
* static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
* postfix: add postlog setgid for maildrop binary (bsc#1201385)
-----------------------------------------
Patch: SUSE-2022-2717
Released: Tue Aug 9 12:54:16 2022
Summary: Security update for ncurses
Severity: moderate
References: 1198627,CVE-2022-29458
Description:
This update for ncurses fixes the following issues:
- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).
-----------------------------------------
Patch: SUSE-2022-2735
Released: Wed Aug 10 04:31:41 2022
Summary: Recommended update for tar
Severity: moderate
References: 1200657
Description:
This update for tar fixes the following issues:
- Fix race condition while creating intermediate subdirectories (bsc#1200657)
-----------------------------------------
Patch: SUSE-2022-2796
Released: Fri Aug 12 14:34:31 2022
Summary: Recommended update for jitterentropy
Severity: moderate
References:
Description:
This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library,
used by other FIPS libraries.
-----------------------------------------
Patch: SUSE-2022-2844
Released: Thu Aug 18 14:41:25 2022
Summary: Recommended update for tar
Severity: important
References: 1202436
Description:
This update for tar fixes the following issues:
- A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)
-----------------------------------------
Patch: SUSE-2022-2901
Released: Fri Aug 26 03:34:23 2022
Summary: Recommended update for elfutils
Severity: moderate
References:
Description:
This update for elfutils fixes the following issues:
- Fix runtime dependency for devel package
-----------------------------------------
Patch: SUSE-2022-2904
Released: Fri Aug 26 05:28:34 2022
Summary: Recommended update for openldap2
Severity: moderate
References: 1198341
Description:
This update for openldap2 fixes the following issues:
- Prevent memory reuse which may lead to instability (bsc#1198341)
-----------------------------------------
Patch: SUSE-2022-2920
Released: Fri Aug 26 15:17:02 2022
Summary: Recommended update for systemd
Severity: important
References: 1195059,1201795
Description:
This update for systemd fixes the following issues:
- Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one pointing to /usr/lib/systemd/ (bsc#1201795)
- Drop or soften some of the deprecation warnings (jsc#PED-944)
- Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
- Avoid applying presets to any services shipped by the experimental sub-package, as they aren't enabled by default
- analyze: Fix offline check for syscal filter
- calendarspec: Fix timer skipping the next elapse
- core: Allow command argument to be longer
- hwdb: Add AV production controllers to hwdb and add uaccess
- hwdb: Allow console users access to rfkill
- hwdb: Allow end-users root-less access to TL866 EPROM readers
- hwdb: Permit unsetting power/persist for USB devices
- hwdb: Tag IR cameras as such
- hwdb: Fix parsing issue
- hwdb: Make usb match patterns uppercase
- hwdb: Update the hardware database
- journal-file: Stop using the event loop if it's already shutting down
- journal-remote: Disable `--trust` option when gnutls is disabled and check_permission() should not be called
- journald: Ensure resources are properly allocated for SIGTERM handling
- kernel-install: Ensure modules.builtin.alias.bin is removed when no longer needed
- macro: Account for negative values in DECIMAL_STR_WIDTH()
- manager: Disallow clone3() function call in seccomp filters
- missing-syscall: Define MOVE_MOUNT_T_EMPTY_PATH if missing
- pid1,cgroup-show: Prevent failure if cgroup.procs in some subcgroups is not readable
- resolve: Fix typo in dns_class_is_pseudo()
- sd-event: Improve handling of process events and termination of processes
- sd-ipv4acd: Fix ARP packet conflicts occurring when sender hardware is one of the host's interfaces
- stdio-bridge: Improve the meaning of the error message
- tmpfiles: Check for the correct directory
-----------------------------------------
Patch: SUSE-2022-2929
Released: Mon Aug 29 11:21:47 2022
Summary: Recommended update for timezone
Severity: important
References: 1202310
Description:
This update for timezone fixes the following issue:
- Reflect new Chile DST change (bsc#1202310)
-----------------------------------------
Patch: SUSE-2022-3003
Released: Fri Sep 2 15:01:44 2022
Summary: Security update for curl
Severity: low
References: 1202593,CVE-2022-35252
Description:
This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters
into cookies, which could be exploited by sister sites to cause a
denial of service (bsc#1202593).
-----------------------------------------
Patch: SUSE-2022-3127
Released: Wed Sep 7 04:36:10 2022
Summary: Recommended update for libtirpc
Severity: moderate
References: 1198752,1200800
Description:
This update for libtirpc fixes the following issues:
- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignement (bsc#1198752)
-----------------------------------------
Patch: SUSE-2022-3215
Released: Thu Sep 8 15:58:27 2022
Summary: Recommended update for rpm
Severity: moderate
References:
Description:
This update for rpm fixes the following issues:
- Support Ed25519 RPM signatures [jsc#SLE-24714]
-----------------------------------------
Patch: SUSE-2022-3262
Released: Tue Sep 13 15:34:29 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1199140
Description:
This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)
-----------------------------------------
Patch: SUSE-2022-3271
Released: Wed Sep 14 06:45:39 2022
Summary: Security update for perl
Severity: moderate
References: 1047178,CVE-2017-6512
Description:
This update for perl fixes the following issues:
- CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).
-----------------------------------------
Patch: SUSE-2022-3305
Released: Mon Sep 19 11:45:57 2022
Summary: Security update for libtirpc
Severity: important
References: 1201680,CVE-2021-46828
Description:
This update for libtirpc fixes the following issues:
- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).
-----------------------------------------
Patch: SUSE-2022-3328
Released: Wed Sep 21 12:48:56 2022
Summary: Recommended update for jitterentropy
Severity: moderate
References: 1202870
Description:
This update for jitterentropy fixes the following issues:
- Hide the non-GNUC constructs that are library internal from the
exported header, to make it usable in builds with strict C99
compliance. (bsc#1202870)
-----------------------------------------
Patch: SUSE-2022-3353
Released: Fri Sep 23 15:23:40 2022
Summary: Security update for permissions
Severity: moderate
References: 1203018,CVE-2022-31252
Description:
This update for permissions fixes the following issues:
- CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).
-----------------------------------------
Patch: SUSE-2022-3452
Released: Wed Sep 28 12:13:43 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1201942
Description:
This update for glibc fixes the following issues:
- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)
-----------------------------------------
Patch: SUSE-2022-3489
Released: Sat Oct 1 13:35:24 2022
Summary: Security update for expat
Severity: important
References: 1203438,CVE-2022-40674
Description:
This update for expat fixes the following issues:
- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).
-----------------------------------------
Patch: SUSE-2022-3555
Released: Mon Oct 10 14:05:12 2022
Summary: Recommended update for aaa_base
Severity: important
References: 1199492
Description:
This update for aaa_base fixes the following issues:
- The wrapper rootsh is not a restricted shell. (bsc#1199492)
-----------------------------------------
Patch: SUSE-2022-3785
Released: Wed Oct 26 20:20:19 2022
Summary: Security update for curl
Severity: important
References: 1204383,1204386,CVE-2022-32221,CVE-2022-42916
Description:
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
- CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).
-----------------------------------------
Patch: SUSE-2022-3787
Released: Thu Oct 27 04:41:09 2022
Summary: Recommended update for permissions
Severity: important
References: 1194047,1203911
Description:
This update for permissions fixes the following issues:
- Fix regression introduced by backport of security fix (bsc#1203911)
- Add permissions for enlightenment helper on 32bit arches (bsc#1194047)
-----------------------------------------
Patch: SUSE-2022-3884
Released: Mon Nov 7 10:59:26 2022
Summary: Security update for expat
Severity: important
References: 1204708,CVE-2022-43680
Description:
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------
Patch: SUSE-2022-3904
Released: Tue Nov 8 10:52:13 2022
Summary: Recommended update for openssh
Severity: moderate
References: 1192439
Description:
This update for openssh fixes the following issue:
- Prevent empty messages from being sent. (bsc#1192439)
-----------------------------------------
Patch: SUSE-2022-3910
Released: Tue Nov 8 13:05:04 2022
Summary: Recommended update for pam
Severity: moderate
References:
Description:
This update for pam fixes the following issue:
- Update pam_motd to the most current version. (PED-1712)
-----------------------------------------
Patch: SUSE-2022-3931
Released: Thu Nov 10 11:26:01 2022
Summary: Security update for git
Severity: moderate
References: 1204455,1204456,CVE-2022-39253,CVE-2022-39260
Description:
This update for git fixes the following issues:
- CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456).
- CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).
-----------------------------------------
Patch: SUSE-2022-3999
Released: Tue Nov 15 17:08:04 2022
Summary: Security update for systemd
Severity: moderate
References: 1204179,1204968,CVE-2022-3821
Description:
This update for systemd fixes the following issues:
- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428
* 0469b9f2bc pstore: do not try to load all known pstore modules
* ad05f54439 pstore: Run after modules are loaded
* ccad817445 core: Add trigger limit for path units
* 281d818fe3 core/mount: also add default before dependency for automount mount units
* ffe5b4afa8 logind: fix crash in logind on user-specified message string
- Document udev naming scheme (bsc#1204179)
- Make 'sle15-sp3' net naming scheme still available for backward compatibility
reason
-----------------------------------------
Patch: SUSE-2022-4066
Released: Fri Nov 18 10:43:00 2022
Summary: Recommended update for timezone
Severity: important
References: 1177460,1202324,1204649,1205156
Description:
This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):
- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z
-----------------------------------------
Patch: SUSE-2022-4081
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Severity: low
References: 1199944,CVE-2022-1664
Description:
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
-----------------------------------------
Patch: SUSE-2022-4135
Released: Mon Nov 21 00:13:40 2022
Summary: Recommended update for libeconf
Severity: moderate
References: 1198165
Description:
This update for libeconf fixes the following issues:
- Update to version 0.4.6+git
- econftool:
Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter.
- libeconf:
Parse files correctly on space characters (1198165)
- Update to version 0.4.5+git
- econftool:
New call 'syntax' for checking the configuration files only. Returns an error string with line number if error.
New options '--comment' and '--delimeters'
-----------------------------------------
Patch: SUSE-2022-4146
Released: Mon Nov 21 09:56:12 2022
Summary: Security update for binutils
Severity: moderate
References: 1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533
Description:
This update for binutils fixes the following issues:
The following security bugs were fixed:
- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).
The following non-security bugs were fixed:
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:
* The ELF linker will now generate a warning message if the stack is made
executable. Similarly it will warn if the output binary contains a
segment with all three of the read, write and execute permission
bits set. These warnings are intended to help developers identify
programs which might be vulnerable to attack via these executable
memory regions.
The warnings are enabled by default but can be disabled via a command
line option. It is also possible to build a linker with the warnings
disabled, should that be necessary.
* The ELF linker now supports a --package-metadata option that allows
embedding a JSON payload in accordance to the Package Metadata
specification.
* In linker scripts it is now possible to use TYPE=<type> in an output
section description to set the section type value.
* The objdump program now supports coloured/colored syntax
highlighting of its disassembler output for some architectures.
(Currently: AVR, RiscV, s390, x86, x86_64).
* The nm program now supports a --no-weak/-W option to make it ignore
weak symbols.
* The readelf and objdump programs now support a -wE option to prevent
them from attempting to access debuginfod servers when following
links.
* The objcopy program's --weaken, --weaken-symbol, and
--weaken-symbols options now works with unique symbols as well.
- Update to 2.38:
* elfedit: Add --output-abiversion option to update ABIVERSION.
* Add support for the LoongArch instruction set.
* Tools which display symbols or strings (readelf, strings, nm, objdump)
have a new command line option which controls how unicode characters are
handled. By default they are treated as normal for the tool. Using
--unicode=locale will display them according to the current locale.
Using --unicode=hex will display them as hex byte values, whilst
--unicode=escape will display them as escape sequences. In addition
using --unicode=highlight will display them as unicode escape sequences
highlighted in red (if supported by the output device).
* readelf -r dumps RELR relative relocations now.
* Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been
added to objcopy in order to enable UEFI development using binutils.
* ar: Add --thin for creating thin archives. -T is a deprecated alias without
diagnostics. In many ar implementations -T has a different meaning, as
specified by X/Open System Interface.
* Add support for AArch64 system registers that were missing in previous
releases.
* Add support for the LoongArch instruction set.
* Add a command-line option, -muse-unaligned-vector-move, for x86 target
to encode aligned vector move as unaligned vector move.
* Add support for Cortex-R52+ for Arm.
* Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
* Add support for Cortex-A710 for Arm.
* Add support for Scalable Matrix Extension (SME) for AArch64.
* The --multibyte-handling=[allow|warn|warn-sym-only] option tells the
assembler what to when it encoutners multibyte characters in the input. The
default is to allow them. Setting the option to 'warn' will generate a
warning message whenever any multibyte character is encountered. Using the
option to 'warn-sym-only' will make the assembler generate a warning whenever a
symbol is defined containing multibyte characters. (References to undefined
symbols will not generate warnings).
* Outputs of .ds.x directive and .tfloat directive with hex input from
x86 assembler have been reduced from 12 bytes to 10 bytes to match the
output of .tfloat directive.
* Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and
'armv9.3-a' for -march in AArch64 GAS.
* Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',
'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
* Add support for Intel AVX512_FP16 instructions.
* Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF
linker to pack relative relocations in the DT_RELR section.
* Add support for the LoongArch architecture.
* Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF
linker to control canonical function pointers and copy relocation.
* Add --max-cache-size=SIZE to set the the maximum cache size to SIZE
bytes.
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)
-----------------------------------------
Patch: SUSE-2022-4198
Released: Wed Nov 23 13:15:04 2022
Summary: Recommended update for rpm
Severity: moderate
References: 1202750
Description:
This update for rpm fixes the following issues:
- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)
-----------------------------------------
Patch: SUSE-2022-4256
Released: Mon Nov 28 12:36:32 2022
Summary: Recommended update for gcc12
Severity: moderate
References:
Description:
This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------
Patch: SUSE-2022-4312
Released: Fri Dec 2 11:16:47 2022
Summary: Recommended update for tar
Severity: moderate
References: 1200657,1203600
Description:
This update for tar fixes the following issues:
- Fix unexpected inconsistency when making directory (bsc#1203600)
- Update race condition fix (bsc#1200657)
-----------------------------------------
Patch: SUSE-2022-4499
Released: Thu Dec 15 10:48:49 2022
Summary: Recommended update for openssh
Severity: moderate
References: 1179465
Description:
This update for openssh fixes the following issues:
- Make ssh connections update their dbus environment (bsc#1179465):
* Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish
-----------------------------------------
Patch: SUSE-2022-4597
Released: Wed Dec 21 10:13:11 2022
Summary: Security update for curl
Severity: important
References: 1206308,1206309,CVE-2022-43551,CVE-2022-43552
Description:
This update for curl fixes the following issues:
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
- CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308).
-----------------------------------------
Patch: SUSE-2022-4629
Released: Wed Dec 28 09:24:07 2022
Summary: Security update for systemd
Severity: important
References: 1200723,1205000,CVE-2022-4415
Description:
This update for systemd fixes the following issues:
- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).
Bug fixes:
- Support by-path devlink for multipath nvme block devices (bsc#1200723).
-----------------------------------------
Patch: SUSE-2023-25
Released: Thu Jan 5 09:51:41 2023
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):
- In the Mexican state of Chihuahua:
* The border strip near the US will change to agree with nearby US locations on 2022-11-30.
* The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
like El Paso, TX.
* The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
* A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default
-----------------------------------------
Patch: SUSE-2023-48
Released: Mon Jan 9 10:37:54 2023
Summary: Recommended update for libtirpc
Severity: moderate
References: 1199467
Description:
This update for libtirpc fixes the following issues:
- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)
-----------------------------------------
Patch: SUSE-2023-50
Released: Mon Jan 9 10:42:21 2023
Summary: Recommended update for shadow
Severity: moderate
References: 1205502
Description:
This update for shadow fixes the following issues:
- Fix issue with user id field that cannot be interpreted (bsc#1205502)
-----------------------------------------
Patch: SUSE-2023-110
Released: Fri Jan 20 10:18:16 2023
Summary: Security update for git
Severity: important
References: 1207032,1207033,CVE-2022-23521,CVE-2022-41903
Description:
This update for git fixes the following issues:
- CVE-2022-41903: Fixed a heap overflow in the 'git archive' and
'git log --format' commands (bsc#1207033).
- CVE-2022-23521: Fixed an integer overflow that could be triggered
when parsing a gitattributes file (bsc#1207032).
-----------------------------------------
Patch: SUSE-2023-179
Released: Thu Jan 26 21:54:30 2023
Summary: Recommended update for tar
Severity: low
References: 1202436
Description:
This update for tar fixes the following issue:
- Fix hang when unpacking test tarball (bsc#1202436)
-----------------------------------------
Patch: SUSE-2023-201
Released: Fri Jan 27 15:24:15 2023
Summary: Security update for systemd
Severity: moderate
References: 1204944,1205000,1207264,CVE-2022-4415
Description:
This update for systemd fixes the following issues:
- CVE-2022-4415: Fixed an issue where users could access coredumps
with changed uid, gid or capabilities (bsc#1205000).
Non-security fixes:
- Enabled the pstore service (jsc#PED-2663).
- Fixed an issue accessing TPM when secure boot is enabled (bsc#1204944).
- Fixed an issue where a pamd file could get accidentally overwritten
after an update (bsc#1207264).
-----------------------------------------
Patch: SUSE-2023-348
Released: Fri Feb 10 15:08:41 2023
Summary: Security update for less
Severity: moderate
References: 1207815,CVE-2022-46663
Description:
This update for less fixes the following issues:
- CVE-2022-46663: Fixed denial-of-service by printing specially crafted escape sequences to the terminal (bsc#1207815).
-----------------------------------------
Patch: SUSE-2023-429
Released: Wed Feb 15 17:41:22 2023
Summary: Security update for curl
Severity: important
References: 1207990,1207991,1207992,CVE-2023-23914,CVE-2023-23915,CVE-2023-23916
Description:
This update for curl fixes the following issues:
- CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990).
- CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------
Patch: SUSE-2023-430
Released: Wed Feb 15 17:42:25 2023
Summary: Security update for git
Severity: important
References: 1208027,1208028,CVE-2023-22490,CVE-2023-23946
Description:
This update for git fixes the following issues:
- CVE-2023-22490: Fixed incorrectly usable local clone optimization even when using a non-local transport (bsc#1208027).
- CVE-2023-23946: Fixed issue where a path outside the working tree can be overwritten as the user who is running 'git apply' (bsc#1208028).
-----------------------------------------
Patch: SUSE-2023-463
Released: Mon Feb 20 16:33:39 2023
Summary: Security update for tar
Severity: moderate
References: 1202436,1207753,CVE-2022-48303
Description:
This update for tar fixes the following issues:
- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).
Bug fixes:
- Fix hang when unpacking test tarball (bsc#1202436).
-----------------------------------------
Patch: SUSE-2023-464
Released: Mon Feb 20 18:11:37 2023
Summary: Recommended update for systemd
Severity: moderate
References:
Description:
This update for systemd fixes the following issues:
- Merge of v249.15
- Drop workaround related to systemd-timesyncd that addressed a Factory issue.
- Conditionalize the use of /lib/modprobe.d only on systems with split usr
support enabled (i.e. SLE).
- Make use of the %systemd_* rpm macros consistently. Using the upstream
variants will ease the backports of Factory changes to SLE since Factory
systemd uses the upstream variants exclusively.
- machines.target belongs to systemd-container, do its init/cleanup steps from
the scriptlets of this sub-package.
- Make sure we apply the presets on units shipped by systemd package.
- systemd-testsuite: move the integration tests in a dedicated sub directory.
- Move systemd-cryptenroll into udev package.
-----------------------------------------
Patch: SUSE-2023-617
Released: Fri Mar 3 16:49:06 2023
Summary: Recommended update for jitterentropy
Severity: moderate
References: 1207789
Description:
This update for jitterentropy fixes the following issues:
- build jitterentropy library with debuginfo (bsc#1207789)
-----------------------------------------
Patch: SUSE-2023-714
Released: Mon Mar 13 10:53:25 2023
Summary: Recommended update for rpm
Severity: important
References: 1207294
Description:
This update for rpm fixes the following issues:
- Fix missing python(abi) for 3.XX versions (bsc#1207294)
-----------------------------------------
Patch: SUSE-2023-776
Released: Thu Mar 16 17:29:23 2023
Summary: Recommended update for gcc12
Severity: moderate
References:
Description:
This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.
To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out
https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------
Patch: SUSE-2023-1582
Released: Mon Mar 27 10:31:52 2023
Summary: Security update for curl
Severity: moderate
References: 1209209,1209210,1209211,1209212,1209214,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538
Description:
This update for curl fixes the following issues:
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
-----------------------------------------
Patch: SUSE-2023-1662
Released: Wed Mar 29 10:36:23 2023
Summary: Recommended update for patterns-base
Severity: moderate
References: 1203537
Description:
This update for patterns-base fixes the following issues:
- change label of FIPS 140-2 to 140-3 to reflect our current certifications (bsc#1203537)
-----------------------------------------
Patch: SUSE-2023-1688
Released: Wed Mar 29 18:19:10 2023
Summary: Security update for zstd
Severity: moderate
References: 1209533,CVE-2022-4899
Description:
This update for zstd fixes the following issues:
- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
-----------------------------------------
Patch: SUSE-2023-1718
Released: Fri Mar 31 15:47:34 2023
Summary: Security update for glibc
Severity: moderate
References: 1207571,1207957,1207975,1208358,CVE-2023-0687
Description:
This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)
Other issues fixed:
- Fix avx2 strncmp offset compare condition check (bsc#1208358)
- elf: Allow dlopen of filter object to work (bsc#1207571)
- powerpc: Fix unrecognized instruction errors with recent GCC
- x86: Cache computation for AMD architecture (bsc#1207957)
-----------------------------------------
Patch: SUSE-2023-1779
Released: Thu Apr 6 08:16:58 2023
Summary: Recommended update for systemd
Severity: moderate
References: 1208432
Description:
This update for systemd fixes the following issues:
- Fix return non-zero value when disabling SysVinit service (bsc#1208432)
- Drop build requirement on libpci, it's not no longer needed
- Move systemd-boot and all components managing (secure) UEFI boot into udev
sub-package, so they aren't installed in systemd based containers
-----------------------------------------
Patch: SUSE-2023-1805
Released: Tue Apr 11 10:12:41 2023
Summary: Recommended update for timezone
Severity: important
References:
Description:
This update for timezone fixes the following issues:
- Version update from 2022g to 2023c:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
-----------------------------------------
Patch: SUSE-2023-2038
Released: Wed Apr 26 11:06:20 2023
Summary: Security update for git
Severity: moderate
References: 1210686,CVE-2023-25652,CVE-2023-25815,CVE-2023-29007
Description:
This update for git fixes the following issues:
- CVE-2023-25652: Fixed partial overwrite of paths outside the working tree (bsc#1210686).
- CVE-2023-25815: Fixed malicious placemtn of crafted message (bsc#1210686).
- CVE-2023-29007: Fixed arbitrary configuration injection (bsc#1210686).
-----------------------------------------
Patch: SUSE-2023-2066
Released: Fri Apr 28 13:54:17 2023
Summary: Security update for shadow
Severity: moderate
References: 1210507,CVE-2023-29383
Description:
This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------
Patch: SUSE-2023-2111
Released: Fri May 5 14:34:00 2023
Summary: Security update for ncurses
Severity: moderate
References: 1210434,CVE-2023-29491
Description:
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
-----------------------------------------
Patch: SUSE-2023-2131
Released: Tue May 9 13:35:24 2023
Summary: Recommended update for openssh
Severity: important
References: 1207014
Description:
This update for openssh fixes the following issues:
- Remove some patches that cause invalid environment assignments (bsc#1207014).
-----------------------------------------
Patch: SUSE-2023-2224
Released: Wed May 17 09:53:54 2023
Summary: Security update for curl
Severity: important
References: 1211230,1211231,1211232,1211233,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
Description:
This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)
- CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
- CVE-2023-28320: siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).
-----------------------------------------
Patch: SUSE-2023-2240
Released: Wed May 17 19:56:54 2023
Summary: Recommended update for systemd
Severity: moderate
References: 1203141,1207410
Description:
This update for systemd fixes the following issues:
- udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410)
- Optimize when hundred workers claim the same symlink with the same priority (bsc#1203141)
- Add nss-resolve and systemd-network to Packagehub-Subpackages (MSC-626)
-----------------------------------------
Patch: SUSE-2023-2484
Released: Mon Jun 12 08:49:58 2023
Summary: Security update for openldap2
Severity: moderate
References: 1211795,CVE-2023-2953
Description:
This update for openldap2 fixes the following issues:
- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
-----------------------------------------
Patch: 29171
Released: Tue Jun 20 12:29:00 2023
Summary: Security update for openssl-1_1
Severity: important
References: 1201627,1207534,1211430,CVE-2022-4304,CVE-2023-2650
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
The previous fix for this timing side channel turned out to cause a
severe 2-3x performance regression in the typical use case (bsc#1207534).
- Update further expiring certificates that affect tests (bsc#1201627)
-----------------------------------------
Patch: SUSE-2023-2625
Released: Fri Jun 23 17:16:11 2023
Summary: Recommended update for gcc12
Severity: moderate
References:
Description:
This update for gcc12 fixes the following issues:
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
* includes regression and other bug fixes
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
-----------------------------------------
Patch: SUSE-2023-2765
Released: Mon Jul 3 20:28:14 2023
Summary: Security update for libcap
Severity: moderate
References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603
Description:
This update for libcap fixes the following issues:
- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------
Patch: SUSE-2023-2811
Released: Wed Jul 12 11:56:18 2023
Summary: Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
Severity: moderate
References:
Description:
This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:
This update provides a feature update to the FIDO2 stack.
Changes in libfido2:
- Version 1.13.0 (2023-02-20)
* New API calls:
+ fido_assert_empty_allow_list;
+ fido_cred_empty_exclude_list.
* fido2-token: fix issue when listing large blobs.
- Version 1.12.0 (2022-09-22)
* Support for COSE_ES384.
* Improved support for FIDO 2.1 authenticators.
* New API calls:
+ es384_pk_free;
+ es384_pk_from_EC_KEY;
+ es384_pk_from_EVP_PKEY;
+ es384_pk_from_ptr;
+ es384_pk_new;
+ es384_pk_to_EVP_PKEY;
+ fido_cbor_info_certs_len;
+ fido_cbor_info_certs_name_ptr;
+ fido_cbor_info_certs_value_ptr;
+ fido_cbor_info_maxrpid_minpinlen;
+ fido_cbor_info_minpinlen;
+ fido_cbor_info_new_pin_required;
+ fido_cbor_info_rk_remaining;
+ fido_cbor_info_uv_attempts;
+ fido_cbor_info_uv_modality.
* Documentation and reliability fixes.
- Version 1.11.0 (2022-05-03)
* Experimental PCSC support; enable with -DUSE_PCSC.
* Improved OpenSSL 3.0 compatibility.
* Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
* winhello: advertise 'uv' instead of 'clientPin'.
* winhello: support hmac-secret in fido_dev_get_assert().
* New API calls:
+ fido_cbor_info_maxlargeblob.
* Documentation and reliability fixes.
* Separate build and regress targets.
- Version 1.10.0 (2022-01-17)
* bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
* New API calls:
- fido_dev_info_set;
- fido_dev_io_handle;
- fido_dev_new_with_info;
- fido_dev_open_with_info.
* Cygwin and NetBSD build fixes.
* Documentation and reliability fixes.
* Support for TPM 2.0 attestation of COSE_ES256 credentials.
- Version 1.9.0 (2021-10-27)
* Enabled NFC support on Linux.
* Support for FIDO 2.1 'minPinLength' extension.
* Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
* Support for TPM 2.0 attestation.
* Support for device timeouts; see fido_dev_set_timeout().
* New API calls:
- es256_pk_from_EVP_PKEY;
- fido_cred_attstmt_len;
- fido_cred_attstmt_ptr;
- fido_cred_pin_minlen;
- fido_cred_set_attstmt;
- fido_cred_set_pin_minlen;
- fido_dev_set_pin_minlen_rpid;
- fido_dev_set_timeout;
- rs256_pk_from_EVP_PKEY.
* Reliability and portability fixes.
* Better handling of HID devices without identification strings; gh#381.
- Update to version 1.8.0:
* Better support for FIDO 2.1 authenticators.
* Support for attestation format 'none'.
* New API calls:
- fido_assert_set_clientdata;
- fido_cbor_info_algorithm_cose;
- fido_cbor_info_algorithm_count;
- fido_cbor_info_algorithm_type;
- fido_cbor_info_transports_len;
- fido_cbor_info_transports_ptr;
- fido_cred_set_clientdata;
- fido_cred_set_id;
- fido_credman_set_dev_rk;
- fido_dev_is_winhello.
* fido2-token: new -Sc option to update a resident credential.
* Documentation and reliability fixes.
* HID access serialisation on Linux.
- Update to version 1.7.0:
* hid_win: detect devices with vendor or product IDs > 0x7fff
* Support for FIDO 2.1 authenticator configuration.
* Support for FIDO 2.1 UV token permissions.
* Support for FIDO 2.1 'credBlobs' and 'largeBlobs' extensions.
* New API calls
* New fido_init flag to disable fido_dev_open’s U2F fallback
* Experimental NFC support on Linux.
- Enabled hidapi again, issues related to hidapi are fixed upstream
- Update to version 1.6.0:
* Documentation and reliability fixes.
* New API calls:
+ fido_cred_authdata_raw_len;
+ fido_cred_authdata_raw_ptr;
+ fido_cred_sigcount;
+ fido_dev_get_uv_retry_count;
+ fido_dev_supports_credman.
* Hardened Windows build.
* Native FreeBSD and NetBSD support.
* Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.
- Create a udev subpackage and ship the udev rule.
Changes in python-fido2:
- update to 0.9.3:
* Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ
* Support the latest Windows webauthn.h API (included in Windows 11).
* Add product name and serial number to HidDescriptors.
* Remove the need for the uhid-freebsd dependency on FreeBSD.
- Update to version 0.9.1
* Add new CTAP error codes and improve handling of unknown codes.
* Client: API changes to better support extensions.
* Client.make_credential now returns a AuthenticatorAttestationResponse,
which holds the AttestationObject and ClientData, as well as any
client extension results for the credential.
* Client.get_assertion now returns an AssertionSelection object,
which is used to select between multiple assertions
* Renames: The CTAP1 and CTAP2 classes have been renamed to
Ctap1 and Ctap2, respectively.
* ClientPin: The ClientPin API has been restructured to support
multiple PIN protocols, UV tokens, and token permissions.
* CTAP 2.1 PRE: Several new features have been added for CTAP 2.1
* HID: The platform specific HID code has been revamped
- Version 0.8.1 (released 2019-11-25)
* Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.
- Version 0.8.0 (released 2019-11-25)
* New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.
* CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.
* Fido2Client:
- make_credential/get_assertion now take WebAuthn options objects.
- timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.
* Fido2Server:
- ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
- RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
- Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
- Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
- Fido2Server.timeout is now in ms and of type int.
* Support native WebAuthn API on Windows through WindowsClient.
- Version 0.7.2 (released 2019-10-24)
* Support for the TPM attestation format.
* Allow passing custom challenges to register/authenticate in Fido2Server.
* Bugfix: CTAP2 CANCEL command response handling fixed.
* Bugfix: Fido2Client fix handling of empty allow_list.
* Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.
- Version 0.7.1 (released 2019-09-20)
* Enforce canonical CBOR on Authenticator responses by default.
* PCSC: Support extended APDUs.
* Server: Verify that UP flag is set.
* U2FFido2Server: Implement AppID exclusion extension.
* U2FFido2Server: Allow custom U2F facet verification.
* Bugfix: U2FFido2Server.authenticate_complete now returns the result.
- Version 0.7.0 (released 2019-06-17)
* Add support for NFC devices using PCSC.
* Add support for the hmac-secret Authenticator extension.
* Honor max credential ID length and number of credentials to Authenticator.
* Add close() method to CTAP devices to explicitly release their resources.
- Version 0.6.0 (released 2019-05-10)
* Don't fail if CTAP2 Info contains unknown fields.
* Replace cbor loads/dumps functions with encode/decode/decode_from.
* Server: Add support for AuthenticatorAttachment.
* Server: Add support for more key algorithms.
* Client: Expose CTAP2 Info object as Fido2Client.info.
Changes in yubikey-manager:
- Update to version 4.0.9 (released 2022-06-17)
* Dependency: Add support for python-fido2 1.x
* Fix: Drop stated support for Click 6 as features from 7 are being used.
- Update to version 4.0.8 (released 2022-01-31)
* Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
* Bugfix: Fix issue with displaying a Steam credential when it is the only account.
* Bugfix: Prevent installation of files in site-packages root.
* Bugfix: Fix cleanup logic in PIV for protected management key.
* Add support for token identifier when programming slot-based HOTP.
* Add support for programming NDEF in text mode.
* Dependency: Add support for Cryptography ⇠38.
- version update to 4.0.7
** Bugfix release: Fix broken naming for 'YubiKey 4', and a small OATH issue with
touch Steam credentials.
- version 4.0.6 (released 2021-09-08)
** Improve handling of YubiKey device reboots.
** More consistently mask PIN/password input in prompts.
** Support switching mode over CCID for YubiKey Edge.
** Run pkill from PATH instead of fixed location.
- version 4.0.5 (released 2021-07-16)
** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
** Bugfix: Fix argument short form for --period when adding TOTP credentials.
** Bugfix: More strict validation for some arguments, resulting in better error messages.
** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
** Bugfix: Fix prompting for access code in the otp settings command (now uses '-A -').
- Update to version 4.0.3
* Add support for fido reset over NFC.
* Bugfix: The --touch argument to piv change-management-key was
ignored.
* Bugfix: Don’t prompt for password when importing PIV key/cert
if file is invalid.
* Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
* Bugfix: Detect PKCS#12 format when outer sequence uses
indefinite length.
* Dependency: Add support for Click 8.
- Update to version 4.0.2
* Update device names
* Add read_info output to the --diagnose command, and show
exception types.
* Bugfix: Fix read_info for YubiKey Plus.
* Add support for YK5-based FIPS YubiKeys.
* Bugfix: Fix OTP device enumeration on Win32.
* Drop reliance on libusb and libykpersonalize.
* Support the 'fido' and 'otp' subcommands over NFC
* New 'ykman --diagnose' command to aid in troubleshooting.
* New 'ykman apdu' command for sending raw APDUs over the smart
card interface.
* New 'yubikit' package added for custom development and advanced
scripting.
* OpenPGP: Add support for KDF enabled YubiKeys.
* Static password: Add support for FR, IT, UK and BEPO keyboard
layouts.
- Update to 3.1.1
* Add support for YubiKey 5C NFC
* OpenPGP: set-touch now performs compatibility checks before prompting for PIN
* OpenPGP: Improve error messages and documentation for set-touch
* PIV: read-object command no longer adds a trailing newline
* CLI: Hint at missing permissions when opening a device fails
* Linux: Improve error handling when pcscd is not running
* Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
* Bugfix: set-touch now accepts the cached-fixed option
* Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
* Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
* Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate
* Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception
- Version 3.1.0 (released 2019-08-20)
* Add support for YubiKey 5Ci
* OpenPGP: the info command now prints OpenPGP specification version as well
* OpenPGP: Update support for attestation to match OpenPGP v3.4
* PIV: Use UTC time for self-signed certificates
* OTP: Static password now supports the Norman keyboard layout
- Version 3.0.0 (released 2019-06-24)
* Add support for new YubiKey Preview and lightning form factor
* FIDO: Support for credential management
* OpenPGP: Support for OpenPGP attestation, cardholder certificates and
cached touch policies
* OTP: Add flag for using numeric keypad when sending digits
- Version 2.1.1 (released 2019-05-28)
* OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
* Don’t automatically select the U2F applet on YubiKey NEO, it might be
blocked by the OS
* ChalResp: Always pad challenge correctly
* Bugfix: Don’t crash with older versions of cryptography
* Bugfix: Password was always prompted in OATH command, even if sent as
argument
Changes in yubikey-manager-qt:
- update to 1.2.5:
* Compatibility update for ykman 5.0.1.
* Update to Python 3.11.
* Update product images.
- Update to version 1.2.4 (released 2021-10-26)
* Update device names and images.
* PIV: Fix import of certificate.
- Update to version 1.2.3
* Improved error handling when using Security Key Series devices.
* PIV: Fix generation of certificate in slot 9c.
- Update to version 1.2.2
* Fix detection of YubiKey Plus
* Compatibility update for yubikey-manager 4.0
* Bugfix: Device caching with multiple devices
* Drop dependencies on libusb and libykpers.
* Add additional product names and images
- update to 1.1.5
* Add support for YubiKey 5C NFC
- Update to version 1.1.4
* OTP: Add option to upload YubiOTP credential to YubiCloud
* Linux: Show hint about pcscd service if opening device fails
* Bugfix: Signal handling now compatible with Python 3.8
- Version 1.1.3 (released 2019-08-20)
* Add suppport for YubiKey 5Ci
* PIV: Use UTC time for self-signed certificates
- Version 1.1.2 (released 2019-06-24)
* Add support for new YubiKey Preview
* PIV: The popup for the management key now have a 'Use default' option
* Windows: Fix issue with importing PIV certificates
* Bugfix: generate static password now works correctly
-----------------------------------------
Patch: SUSE-2023-2827
Released: Fri Jul 14 11:27:47 2023
Summary: Recommended update for libxml2
Severity: moderate
References:
Description:
This update for libxml2 fixes the following issues:
- Build also for modern python version (jsc#PED-68)
-----------------------------------------
Patch: SUSE-2023-2847
Released: Mon Jul 17 08:40:42 2023
Summary: Recommended update for audit
Severity: moderate
References: 1210004
Description:
This update for audit fixes the following issues:
- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64
-----------------------------------------
Patch: SUSE-2023-2855
Released: Mon Jul 17 16:35:21 2023
Summary: Recommended update for openldap2
Severity: moderate
References: 1212260
Description:
This update for openldap2 fixes the following issues:
- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)
-----------------------------------------
Patch: SUSE-2023-2882
Released: Wed Jul 19 11:49:39 2023
Summary: Security update for perl
Severity: important
References: 1210999,CVE-2023-31484
Description:
This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).
-----------------------------------------
Patch: SUSE-2023-2885
Released: Wed Jul 19 16:58:43 2023
Summary: Recommended update for glibc
Severity: moderate
References: 1208721,1209229,1211828
Description:
This update for glibc fixes the following issues:
- getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
- Exclude static archives from preparation for live patching (bsc#1208721)
- resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)
-----------------------------------------
Patch: SUSE-2023-2891
Released: Wed Jul 19 21:14:33 2023
Summary: Security update for curl
Severity: moderate
References: 1213237,CVE-2023-32001
Description:
This update for curl fixes the following issues:
- CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).
-----------------------------------------
Patch: SUSE-2023-2922
Released: Thu Jul 20 18:34:03 2023
Summary: Recommended update for libfido2
Severity: moderate
References:
Description:
This update for libfido2 fixes the following issues:
- Use openssl 1.1 still on SUSE Linux Enterprise 15 to avoid pulling unneeded
openssl-3 dependency. (jsc#PED-4521)
-----------------------------------------
Patch: SUSE-2023-2944
Released: Mon Jul 24 09:14:24 2023
Summary: Recommended update for linux-glibc-devel
Severity: moderate
References: 1211096
Description:
This update for linux-glibc-devel fixes the following issues:
- Add linux/sev-guest.h (bsc#1211096)
-----------------------------------------
Patch: SUSE-2023-2945
Released: Mon Jul 24 09:37:30 2023
Summary: Security update for openssh
Severity: important
References: 1186673,1209536,1213004,1213008,1213504,CVE-2023-38408
Description:
This update for openssh fixes the following issues:
- CVE-2023-38408: Fixed a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code
execution via a forwarded agent socket if those libraries were present on the
victim's system and if the agent was forwarded to an attacker-controlled
system. [bsc#1213504, CVE-2023-38408]
- Close the right filedescriptor and also close fdh in read_hmac to avoid file
descriptor leaks. [bsc#1209536]
- Attempts to mitigate instances of secrets lingering in memory after a session
exits. [bsc#1186673, bsc#1213004, bsc#1213008]
-----------------------------------------
Patch: SUSE-2023-2965
Released: Tue Jul 25 12:30:22 2023
Summary: Security update for openssl-1_1
Severity: moderate
References: 1213487,CVE-2023-3446
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
-----------------------------------------
Patch: SUSE-2023-2966
Released: Tue Jul 25 14:26:14 2023
Summary: Recommended update for libxml2
Severity: moderate
References:
Description:
This update for libxml2 fixes the following issues:
- Build also for modern python version (jsc#PED-68)
-----------------------------------------
Patch: SUSE-2023-3102
Released: Tue Aug 1 14:11:53 2023
Summary: Recommended update for openssl-1_1
Severity: moderate
References: 1213517
Description:
This update for openssl-1_1 fixes the following issues:
- Dont pass zero length input to EVP_Cipher (bsc#1213517)
-----------------------------------------
Patch: SUSE-2023-3242
Released: Tue Aug 8 18:19:40 2023
Summary: Security update for openssl-1_1
Severity: moderate
References: 1213853,CVE-2023-3817
Description:
This update for openssl-1_1 fixes the following issues:
- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
-----------------------------------------
Patch: SUSE-2023-3285
Released: Fri Aug 11 10:30:38 2023
Summary: Recommended update for shadow
Severity: moderate
References: 1206627,1213189
Description:
This update for shadow fixes the following issues:
- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)
-----------------------------------------
Patch: SUSE-2023-3323
Released: Tue Aug 15 20:29:53 2023
Summary: Recommended update for go1.21
Severity: moderate
References: 1212475,1212667,1212669
Description:
This update for go1.21 fixes the following issues:
go1.21 (released 2023-08-08) is a major release of Go.
go1.21.x minor releases will be provided through August 2024.
https://github.com/golang/go/wiki/Go-Release-Cycle
go1.21 arrives six months after go1.20. Most of its changes are
in the implementation of the toolchain, runtime, and libraries.
As always, the release maintains the Go 1 promise of
compatibility. We expect almost all Go programs to continue to
compile and run as before.
* Go 1.21 introduces a small change to the numbering of
releases. In the past, we used Go 1.N to refer to both the
overall Go language version and release family as well as the
first release in that family. Starting in Go 1.21, the first
release is now Go 1.N.0. Today we are releasing both the Go
1.21 language and its initial implementation, the Go 1.21.0
release. These notes refer to 'Go 1.21'; tools like go version
will report 'go1.21.0' (until you upgrade to Go 1.21.1). See
'Go versions' in the 'Go Toolchains' documentation for details
about the new version numbering.
* Language change: Go 1.21 adds three new built-ins to the
language.
* Language change: The new functions min and max compute the
smallest (or largest, for max) value of a fixed number of given
arguments. See the language spec for details.
* Language change: The new function clear deletes all elements
from a map or zeroes all elements of a slice. See the language
spec for details.
* Package initialization order is now specified more
precisely. This may change the behavior of some programs that
rely on a specific initialization ordering that was not
expressed by explicit imports. The behavior of such programs
was not well defined by the spec in past releases. The new rule
provides an unambiguous definition.
* Multiple improvements that increase the power and precision of
type inference have been made.
* A (possibly partially instantiated generic) function may now be
called with arguments that are themselves (possibly partially
instantiated) generic functions.
* Type inference now also considers methods when a value is
assigned to an interface: type arguments for type parameters
used in method signatures may be inferred from the
corresponding parameter types of matching methods.
* Similarly, since a type argument must implement all the methods
of its corresponding constraint, the methods of the type
argument and constraint are matched which may lead to the
inference of additional type arguments.
* If multiple untyped constant arguments of different kinds (such
as an untyped int and an untyped floating-point constant) are
passed to parameters with the same (not otherwise specified)
type parameter type, instead of an error, now type inference
determines the type using the same approach as an operator with
untyped constant operands. This change brings the types
inferred from untyped constant arguments in line with the types
of constant expressions.
* Type inference is now precise when matching corresponding types
in assignments
* The description of type inference in the language spec has been
clarified.
* Go 1.21 includes a preview of a language change we are
considering for a future version of Go: making for loop
variables per-iteration instead of per-loop, to avoid
accidental sharing bugs. For details about how to try that
language change, see the LoopvarExperiment wiki page.
* Go 1.21 now defines that if a goroutine is panicking and
recover was called directly by a deferred function, the return
value of recover is guaranteed not to be nil. To ensure this,
calling panic with a nil interface value (or an untyped nil)
causes a run-time panic of type *runtime.PanicNilError.
To support programs written for older versions of Go, nil
panics can be re-enabled by setting GODEBUG=panicnil=1. This
setting is enabled automatically when compiling a program whose
main package is in a module with that declares go 1.20 or
earlier.
* Go 1.21 adds improved support for backwards compatibility and
forwards compatibility in the Go toolchain.
* To improve backwards compatibility, Go 1.21 formalizes Go's use
of the GODEBUG environment variable to control the default
behavior for changes that are non-breaking according to the
compatibility policy but nonetheless may cause existing
programs to break. (For example, programs that depend on buggy
behavior may break when a bug is fixed, but bug fixes are not
considered breaking changes.) When Go must make this kind of
behavior change, it now chooses between the old and new
behavior based on the go line in the workspace's go.work file
or else the main module's go.mod file. Upgrading to a new Go
toolchain but leaving the go line set to its original (older)
Go version preserves the behavior of the older toolchain. With
this compatibility support, the latest Go toolchain should
always be the best, most secure, implementation of an older
version of Go. See 'Go, Backwards Compatibility, and GODEBUG'
for details.
* To improve forwards compatibility, Go 1.21 now reads the go
line in a go.work or go.mod file as a strict minimum
requirement: go 1.21.0 means that the workspace or module
cannot be used with Go 1.20 or with Go 1.21rc1. This allows
projects that depend on fixes made in later versions of Go to
ensure that they are not used with earlier versions. It also
gives better error reporting for projects that make use of new
Go features: when the problem is that a newer Go version is
needed, that problem is reported clearly, instead of attempting
to build the code and instead printing errors about unresolved
imports or syntax errors.
* To make these new stricter version requirements easier to
manage, the go command can now invoke not just the toolchain
bundled in its own release but also other Go toolchain versions
found in the PATH or downloaded on demand. If a go.mod or
go.work go line declares a minimum requirement on a newer
version of Go, the go command will find and run that version
automatically. The new toolchain directive sets a suggested
minimum toolchain to use, which may be newer than the strict go
minimum. See 'Go Toolchains' for details.
* go command: The -pgo build flag now defaults to -pgo=auto, and
the restriction of specifying a single main package on the
command line is now removed. If a file named default.pgo is
present in the main package's directory, the go command will
use it to enable profile-guided optimization for building the
corresponding program.
* go command: The -C dir flag must now be the first flag on the
command-line when used.
* go command: The new go test option -fullpath prints full path
names in test log messages, rather than just base names.
* go command: The go test -c flag now supports writing test
binaries for multiple packages, each to pkg.test where pkg is
the package name. It is an error if more than one test package
being compiled has a given package name.]
* go command: The go test -o flag now accepts a directory
argument, in which case test binaries are written to that
directory instead of the current directory.
* cgo: In files that import 'C', the Go toolchain now correctly
reports errors for attempts to declare Go methods on C types.
* runtime: When printing very deep stacks, the runtime now prints
the first 50 (innermost) frames followed by the bottom 50
(outermost) frames, rather than just printing the first 100
frames. This makes it easier to see how deeply recursive stacks
started, and is especially valuable for debugging stack
overflows.
* runtime: On Linux platforms that support transparent huge
pages, the Go runtime now manages which parts of the heap may
be backed by huge pages more explicitly. This leads to better
utilization of memory: small heaps should see less memory used
(up to 50% in pathological cases) while large heaps should see
fewer broken huge pages for dense parts of the heap, improving
CPU usage and latency by up to 1%.
* runtime: As a result of runtime-internal garbage collection
tuning, applications may see up to a 40% reduction in
application tail latency and a small decrease in memory
use. Some applications may also observe a small loss in
throughput. The memory use decrease should be proportional to
the loss in throughput, such that the previous release's
throughput/memory tradeoff may be recovered (with little change
to latency) by increasing GOGC and/or GOMEMLIMIT slightly.
* runtime: Calls from C to Go on threads created in C require
some setup to prepare for Go execution. On Unix platforms, this
setup is now preserved across multiple calls from the same
thread. This significantly reduces the overhead of subsequent C
to Go calls from ~1-3 microseconds per call to ~100-200
nanoseconds per call.
* compiler: Profile-guide optimization (PGO), added as a preview
in Go 1.20, is now ready for general use. PGO enables
additional optimizations on code identified as hot by profiles
of production workloads. As mentioned in the Go command
section, PGO is enabled by default for binaries that contain a
default.pgo profile in the main package directory. Performance
improvements vary depending on application behavior, with most
programs from a representative set of Go programs seeing
between 2 and 7% improvement from enabling PGO. See the PGO
user guide for detailed documentation.
* compiler: PGO builds can now devirtualize some interface method
calls, adding a concrete call to the most common callee. This
enables further optimization, such as inlining the callee.
* compiler: Go 1.21 improves build speed by up to 6%, largely
thanks to building the compiler itself with PGO.
* assembler: On amd64, frameless nosplit assembly functions are
no longer automatically marked as NOFRAME. Instead, the NOFRAME
attribute must be explicitly specified if desired, which is
already the behavior on other architectures supporting frame
pointers. With this, the runtime now maintains the frame
pointers for stack transitions.
* assembler: The verifier that checks for incorrect uses of R15
when dynamic linking on amd64 has been improved.
* linker: On windows/amd64, the linker (with help from the
compiler) now emits SEH unwinding data by default, which
improves the integration of Go applications with Windows
debuggers and other tools.
* linker: In Go 1.21 the linker (with help from the compiler) is
now capable of deleting dead (unreferenced) global map
variables, if the number of entries in the variable initializer
is sufficiently large, and if the initializer expressions are
side-effect free.
* core library: The new log/slog package provides structured
logging with levels. Structured logging emits key-value pairs
to enable fast, accurate processing of large amounts of log
data. The package supports integration with popular log
analysis tools and services.
* core library: The new testing/slogtest package can help to
validate slog.Handler implementations.
* core library: The new slices package provides many common
operations on slices, using generic functions that work with
slices of any element type.
* core library: The new maps package provides several common
operations on maps, using generic functions that work with maps
of any key or element type.
* core library: The new cmp package defines the type constraint
Ordered and two new generic functions Less and Compare that are
useful with ordered types.
* Minor changes to the library: As always, there are various
minor changes and updates to the library, made with the Go 1
promise of compatibility in mind. There are also various
performance improvements, not enumerated here.
* archive/tar: The implementation of the io/fs.FileInfo interface
returned by Header.FileInfo now implements a String method that
calls io/fs.FormatFileInfo.
* archive/zip: The implementation of the io/fs.FileInfo interface
returned by FileHeader.FileInfo now implements a String method
that calls io/fs.FormatFileInfo.
* archive/zip: The implementation of the io/fs.DirEntry interface
returned by the io/fs.ReadDirFile.ReadDir method of the
io/fs.File returned by Reader.Open now implements a String
method that calls io/fs.FormatDirEntry.
* bytes: The Buffer type has two new methods: Available and
AvailableBuffer. These may be used along with the Write method
to append directly to the Buffer.
* context: The new WithoutCancel function returns a copy of a
context that is not canceled when the original context is
canceled.
* context: The new WithDeadlineCause and WithTimeoutCause
functions provide a way to set a context cancellation cause
when a deadline or timer expires. The cause may be retrieved
with the Cause function.
* context: The new AfterFunc function registers a function to run
after a context has been cancelled.
* context: An optimization means that the results of calling
Background and TODO and converting them to a shared type can be
considered equal. In previous releases they were always
different. Comparing Context values for equality has never been
well-defined, so this is not considered to be an incompatible
change.
* crypto/ecdsa: PublicKey.Equal and PrivateKey.Equal now execute
in constant time.
* crypto/elliptic: All of the Curve methods have been deprecated,
along with GenerateKey, Marshal, and Unmarshal. For ECDH
operations, the new crypto/ecdh package should be used
instead. For lower-level operations, use third-party modules
such as filippo.io/nistec.
* crypto/rand: The crypto/rand package now uses the getrandom
system call on NetBSD 10.0 and later.
* crypto/rsa: The performance of private RSA operations
(decryption and signing) is now better than Go 1.19 for
GOARCH=amd64 and GOARCH=arm64. It had regressed in Go 1.20.
* crypto/rsa: Due to the addition of private fields to
PrecomputedValues, PrivateKey.Precompute must be called for
optimal performance even if deserializing (for example from
JSON) a previously-precomputed private key.
* crypto/rsa: PublicKey.Equal and PrivateKey.Equal now execute in
constant time.
* crypto/rsa: The GenerateMultiPrimeKey function and the
PrecomputedValues.CRTValues field have been
deprecated. PrecomputedValues.CRTValues will still be populated
when PrivateKey.Precompute is called, but the values will not
be used during decryption operations.
* crypto/sha256: SHA-224 and SHA-256 operations now use native
instructions when available when GOARCH=amd64, providing a
performance improvement on the order of 3-4x.
* crypto/tls: Servers now skip verifying client certificates
(including not running Config.VerifyPeerCertificate) for
resumed connections, besides checking the expiration time. This
makes session tickets larger when client certificates are in
use. Clients were already skipping verification on resumption,
but now check the expiration time even if
Config.InsecureSkipVerify is set.
* crypto/tls: Applications can now control the content of session
tickets.
* crypto/tls: The new SessionState type describes a resumable
session.
* crypto/tls: The SessionState.Bytes method and ParseSessionState
function serialize and deserialize a SessionState.
* crypto/tls: The Config.WrapSession and Config.UnwrapSession
hooks convert a SessionState to and from a ticket on the server
side.
* crypto/tls: The Config.EncryptTicket and Config.DecryptTicket
methods provide a default implementation of WrapSession and
UnwrapSession.
* crypto/tls: The ClientSessionState.ResumptionState method and
NewResumptionState function may be used by a ClientSessionCache
implementation to store and resume sessions on the client side.
* crypto/tls: To reduce the potential for session tickets to be
used as a tracking mechanism across connections, the server now
issues new tickets on every resumption (if they are supported
and not disabled) and tickets don't bear an identifier for the
key that encrypted them anymore. If passing a large number of
keys to Conn.SetSessionTicketKeys, this might lead to a
noticeable performance cost.
* crypto/tls: Both clients and servers now implement the Extended
Master Secret extension (RFC 7627). The deprecation of
ConnectionState.TLSUnique has been reverted, and is now set for
resumed connections that support Extended Master Secret.
* crypto/tls: The new QUICConn type provides support for QUIC
implementations, including 0-RTT support. Note that this is not
itself a QUIC implementation, and 0-RTT is still not supported
in TLS.
* crypto/tls: The new VersionName function returns the name for a
TLS version number.
* crypto/tls: The TLS alert codes sent from the server for client
authentication failures have been improved. Previously, these
failures always resulted in a 'bad certificate' alert. Now,
certain failures will result in more appropriate alert codes,
as defined by RFC 5246 and RFC 8446:
* crypto/tls: For TLS 1.3 connections, if the server is
configured to require client authentication using
RequireAnyClientCert or RequireAndVerifyClientCert, and the
client does not provide any certificate, the server will now
return the 'certificate required' alert.
* crypto/tls: If the client provides a certificate that is not
signed by the set of trusted certificate authorities configured
on the server, the server will return the 'unknown certificate
authority' alert.
* crypto/tls: If the client provides a certificate that is either
expired or not yet valid, the server will return the 'expired
certificate' alert.
* crypto/tls: In all other scenarios related to client
authentication failures, the server still returns 'bad
certificate'.
* crypto/x509: RevocationList.RevokedCertificates has been
deprecated and replaced with the new RevokedCertificateEntries
field, which is a slice of RevocationListEntry.
RevocationListEntry contains all of the fields in
pkix.RevokedCertificate, as well as the revocation reason code.
* crypto/x509: Name constraints are now correctly enforced on
non-leaf certificates, and not on the certificates where they
are expressed.
* debug/elf: The new File.DynValue method may be used to retrieve
the numeric values listed with a given dynamic tag.
* debug/elf: The constant flags permitted in a DT_FLAGS_1 dynamic
tag are now defined with type DynFlag1. These tags have names
starting with DF_1.
* debug/elf: The package now defines the constant COMPRESS_ZSTD.
* debug/elf: The package now defines the constant
R_PPC64_REL24_P9NOTOC.
* debug/pe: Attempts to read from a section containing
uninitialized data using Section.Data or the reader returned by
Section.Open now return an error.
* embed: The io/fs.File returned by FS.Open now has a ReadAt
method that implements io.ReaderAt.
* embed: Calling FS.Open.Stat will return a type that now
implements a String method that calls io/fs.FormatFileInfo.
* errors: The new ErrUnsupported error provides a standardized
way to indicate that a requested operation may not be performed
because it is unsupported. For example, a call to os.Link when
using a file system that does not support hard links.
* flag: The new BoolFunc function and FlagSet.BoolFunc method
define a flag that does not require an argument and calls a
function when the flag is used. This is similar to Func but for
a boolean flag.
* flag: A flag definition (via Bool, BoolVar, Int, IntVar, etc.)
will panic if Set has already been called on a flag with the
same name. This change is intended to detect cases where
changes in initialization order cause flag operations to occur
in a different order than expected. In many cases the fix to
this problem is to introduce a explicit package dependence to
correctly order the definition before any Set operations.
* go/ast: The new IsGenerated predicate reports whether a file
syntax tree contains the special comment that conventionally
indicates that the file was generated by a tool.
* go/ast: The new File.GoVersion field records the minimum Go
version required by any //go:build or // +build directives.
* go/build: The package now parses build directives (comments
that start with //go:) in file headers (before the package
declaration). These directives are available in the new Package
fields Directives, TestDirectives, and XTestDirectives.
* go/build/constraint: The new GoVersion function returns the
minimum Go version implied by a build expression.
* go/token: The new File.Lines method returns the file's
line-number table in the same form as accepted by
File.SetLines.
* go/types: The new Package.GoVersion method returns the Go
language version used to check the package.
* hash/maphash: The hash/maphash package now has a pure Go
implementation, selectable with the purego build tag.
* html/template: The new error ErrJSTemplate is returned when an
action appears in a JavaScript template literal. Previously an
unexported error was returned.
* io/fs: The new FormatFileInfo function returns a formatted
version of a FileInfo. The new FormatDirEntry function returns
a formatted version of a DirEntry. The implementation of
DirEntry returned by ReadDir now implements a String method
that calls FormatDirEntry, and the same is true for the
DirEntry value passed to WalkDirFunc.
* math/big: The new Int.Float64 method returns the nearest
floating-point value to a multi-precision integer, along with
an indication of any rounding that occurred.
* net: On Linux, the net package can now use Multipath TCP when
the kernel supports it. It is not used by default. To use
Multipath TCP when available on a client, call the
Dialer.SetMultipathTCP method before calling the Dialer.Dial or
Dialer.DialContext methods. To use Multipath TCP when available
on a server, call the ListenConfig.SetMultipathTCP method
before calling the ListenConfig.Listen method. Specify the
network as 'tcp' or 'tcp4' or 'tcp6' as usual. If Multipath TCP
is not supported by the kernel or the remote host, the
connection will silently fall back to TCP. To test whether a
particular connection is using Multipath TCP, use the
TCPConn.MultipathTCP method.
* net: In a future Go release we may enable Multipath TCP by
default on systems that support it.
* net/http: The new ResponseController.EnableFullDuplex method
allows server handlers to concurrently read from an HTTP/1
request body while writing the response. Normally, the HTTP/1
server automatically consumes any remaining request body before
starting to write the response, to avoid deadlocking clients
which attempt to write a complete request before reading the
response. The EnableFullDuplex method disables this behavior.
* net/http: The new ErrSchemeMismatch error is returned by Client
and Transport when the server responds to an HTTPS request with
an HTTP response.
* net/http: The net/http package now supports
errors.ErrUnsupported, in that the expression
errors.Is(http.ErrNotSupported, errors.ErrUnsupported) will
return true.
* os: Programs may now pass an empty time.Time value to the
Chtimes function to leave either the access time or the
modification time unchanged.
* os: On Windows the File.Chdir method now changes the current
directory to the file, rather than always returning an error.
* os: On Unix systems, if a non-blocking descriptor is passed to
NewFile, calling the File.Fd method will now return a
non-blocking descriptor. Previously the descriptor was
converted to blocking mode.
* os: On Windows calling Truncate on a non-existent file used to
create an empty file. It now returns an error indicating that
the file does not exist.
* os: On Windows calling TempDir now uses GetTempPath2W when
available, instead of GetTempPathW. The new behavior is a
security hardening measure that prevents temporary files
created by processes running as SYSTEM to be accessed by
non-SYSTEM processes.
* os: On Windows the os package now supports working with files
whose names, stored as UTF-16, can't be represented as valid
UTF-8.
* os: On Windows Lstat now resolves symbolic links for paths
ending with a path separator, consistent with its behavior on
POSIX platforms.
* os: The implementation of the io/fs.DirEntry interface returned
by the ReadDir function and the File.ReadDir method now
implements a String method that calls io/fs.FormatDirEntry.
* os: The implementation of the io/fs.FS interface returned by
the DirFS function now implements the io/fs.ReadFileFS and the
io/fs.ReadDirFS interfaces.
* path/filepath: The implementation of the io/fs.DirEntry
interface passed to the function argument of WalkDir now
implements a String method that calls io/fs.FormatDirEntry.
* reflect: In Go 1.21, ValueOf no longer forces its argument to
be allocated on the heap, allowing a Value's content to be
allocated on the stack. Most operations on a Value also allow
the underlying value to be stack allocated.
* reflect: The new Value method Value.Clear clears the contents
of a map or zeros the contents of a slice. This corresponds to
the new clear built-in added to the language.
* reflect: The SliceHeader and StringHeader types are now
deprecated. In new code prefer unsafe.Slice, unsafe.SliceData,
unsafe.String, or unsafe.StringData.
* regexp: Regexp now defines MarshalText and UnmarshalText
methods. These implement encoding.TextMarshaler and
encoding.TextUnmarshaler and will be used by packages such as
encoding/json.
* runtime: Textual stack traces produced by Go programs, such as
those produced when crashing, calling runtime.Stack, or
collecting a goroutine profile with debug=2, now include the
IDs of the goroutines that created each goroutine in the stack
trace.
* runtime: Crashing Go applications can now opt-in to Windows
Error Reporting (WER) by setting the environment variable
GOTRACEBACK=wer or calling debug.SetTraceback('wer') before the
crash. Other than enabling WER, the runtime will behave as with
GOTRACEBACK=crash. On non-Windows systems, GOTRACEBACK=wer is
ignored.
* runtime: GODEBUG=cgocheck=2, a thorough checker of cgo pointer
passing rules, is no longer available as a debug
option. Instead, it is available as an experiment using
GOEXPERIMENT=cgocheck2. In particular this means that this mode
has to be selected at build time instead of startup time.
* runtime: GODEBUG=cgocheck=1 is still available (and is still
the default).
* runtime: A new type Pinner has been added to the runtime
package. Pinners may be used to 'pin' Go memory such that it
may be used more freely by non-Go code. For instance, passing
Go values that reference pinned Go memory to C code is now
allowed. Previously, passing any such nested reference was
disallowed by the cgo pointer passing rules. See the docs for
more details.
* runtime/metrics: A few previously-internal GC metrics, such as
live heap size, are now available. GOGC and GOMEMLIMIT are also
now available as metrics.
* runtime/trace: Collecting traces on amd64 and arm64 now incurs
a substantially smaller CPU cost: up to a 10x improvement over
the previous release.
* runtime/trace: Traces now contain explicit stop-the-world
events for every reason the Go runtime might stop-the-world,
not just garbage collection.
* sync: The new OnceFunc, OnceValue, and OnceValues functions
capture a common use of Once to lazily initialize a value on
first use.
* syscall: On Windows the Fchdir function now changes the current
directory to its argument, rather than always returning an
error.
* syscall: On FreeBSD SysProcAttr has a new field Jail that may
be used to put the newly created process in a jailed
environment.
* syscall: On Windows the syscall package now supports working
with files whose names, stored as UTF-16, can't be represented
as valid UTF-8. The UTF16ToString and UTF16FromString functions
now convert between UTF-16 data and WTF-8 strings. This is
backward compatible as WTF-8 is a superset of the UTF-8 format
that was used in earlier releases.
* syscall: Several error values match the new
errors.ErrUnsupported, such that errors.Is(err,
errors.ErrUnsupported) returns true.
ENOSYS
ENOTSUP
EOPNOTSUPP
EPLAN9 (Plan 9 only)
ERROR_CALL_NOT_IMPLEMENTED (Windows only)
ERROR_NOT_SUPPORTED (Windows only)
EWINDOWS (Windows only)
* testing: The new -test.fullpath option will print full path
names in test log messages, rather than just base names.
* testing: The new Testing function reports whether the program
is a test created by go test.
* testing/fstest: Calling Open.Stat will return a type that now
implements a String method that calls io/fs.FormatFileInfo.
* unicode: The unicode package and associated support throughout
the system has been upgraded to Unicode 15.0.0.
* Darwin port: As announced in the Go 1.20 release notes, Go 1.21
requires macOS 10.15 Catalina or later; support for previous
versions has been discontinued.
* Windows port: As announced in the Go 1.20 release notes, Go
1.21 requires at least Windows 10 or Windows Server 2016;
support for previous versions has been discontinued.
* WebAssembly port: The new go:wasmimport directive can now be
used in Go programs to import functions from the WebAssembly
host.
* WebAssembly port: The Go scheduler now interacts much more
efficiently with the JavaScript event loop, especially in
applications that block frequently on asynchronous events.
* WebAssembly System Interface port: Go 1.21 adds an experimental
port to the WebAssembly System Interface (WASI), Preview 1
(GOOS=wasip1, GOARCH=wasm).
* WebAssembly System Interface port: As a result of the addition
of the new GOOS value 'wasip1', Go files named *_wasip1.go will
now be ignored by Go tools except when that GOOS value is being
used. If you have existing filenames matching that pattern, you
will need to rename them.
* ppc64/ppc64le port: On Linux, GOPPC64=power10 now generates
PC-relative instructions, prefixed instructions, and other new
Power10 instructions. On AIX, GOPPC64=power10 generates Power10
instructions, but does not generate PC-relative instructions.
* ppc64/ppc64le port: When building position-independent binaries
for GOPPC64=power10 GOOS=linux GOARCH=ppc64le, users can expect
reduced binary sizes in most cases, in some cases
3.5%. Position-independent binaries are built for ppc64le with
the following -buildmode values: c-archive, c-shared, shared,
pie, plugin.
* loong64 port: The linux/loong64 port now supports
-buildmode=c-archive, -buildmode=c-shared and -buildmode=pie.
* go1.21+ change default GOTOOLCHAIN=auto to local to prevent go
tool commands from downloading upstream go1.x toolchain binaries
* go1.21+ introduce new default behavior that can download
additional versions of go1.x toolchain binaries built by
upstream. See https://go.dev/doc/toolchain for details. The go
tool would attempt toolchain downloads as needed to satisfy a
minimum go version specified in go.mod of the program
containing main() or any of its dependencies.
* Users can override the default GOTOOLCHAIN setting with
go env -w, stored in in ~/.config/go/env.
- Add missing go.env to package. go.env sets defaults including:
GOPROXY GOSUMDB GOTOOLCHAIN
* Starting in go1.21+ a missing go.env defaults to GOPROXY=''
resulting in errors e.g. with online cmds e.g. go mod download:
'GOPROXY list is not the empty string, but contains no entries'
It is not clear why GOPROXY='' is not evaluated as 'the empty
string'.
-----------------------------------------
Patch: SUSE-2023-3325
Released: Wed Aug 16 08:26:08 2023
Summary: Security update for krb5
Severity: important
References: 1214054,CVE-2023-36054
Description:
This update for krb5 fixes the following issues:
- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)
-----------------------------------------
Patch: SUSE-2023-3327
Released: Wed Aug 16 08:45:25 2023
Summary: Security update for pcre2
Severity: moderate
References: 1213514,CVE-2022-41409
Description:
This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).
-----------------------------------------
Patch: SUSE-2023-3388
Released: Wed Aug 23 17:14:22 2023
Summary: Recommended update for binutils
Severity: important
References: 1213282
Description:
This update for binutils fixes the following issues:
- Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future
SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)
-----------------------------------------
Patch: SUSE-2023-3410
Released: Thu Aug 24 06:56:32 2023
Summary: Recommended update for audit
Severity: moderate
References: 1201519,1204844
Description:
This update for audit fixes the following issues:
- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)
-----------------------------------------
Patch: SUSE-2023-3451
Released: Mon Aug 28 12:15:22 2023
Summary: Recommended update for systemd
Severity: moderate
References: 1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
Description:
This update for systemd fixes the following issues:
- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)
-----------------------------------------
Patch: SUSE-2023-3611
Released: Fri Sep 15 09:28:36 2023
Summary: Recommended update for sysuser-tools
Severity: moderate
References: 1195391,1205161,1207778,1213240,1214140
Description:
This update for sysuser-tools fixes the following issues:
- Update to version 3.2
- Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
- Add 'quilt setup' friendly hint to %sysusers_requires usage
- Use append so if a pre file already exists it isn't overridden
- Invoke bash for bash scripts (bsc#1195391)
- Remove all systemd requires not supported on SLE15 (bsc#1214140)
-----------------------------------------
Patch: SUSE-2023-3661
Released: Mon Sep 18 21:44:09 2023
Summary: Security update for gcc12
Severity: important
References: 1214052,CVE-2023-4039
Description:
This update for gcc12 fixes the following issues:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
-----------------------------------------
Patch: SUSE-2023-3666
Released: Mon Sep 18 21:52:18 2023
Summary: Security update for libxml2
Severity: important
References: 1214768,CVE-2023-39615
Description:
This update for libxml2 fixes the following issues:
- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).
-----------------------------------------
Patch: SUSE-2023-3686
Released: Tue Sep 19 17:23:03 2023
Summary: Security update for gcc7
Severity: important
References: 1195517,1196861,1204505,1205145,1214052,CVE-2023-4039
Description:
This update for gcc7 fixes the following issues:
Security issue fixed:
- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).
Other fixes:
- Fixed KASAN kernel compile. [bsc#1205145]
- Fixed ICE with C++17 code as reported in [bsc#1204505]
- Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517):
- Adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
-----------------------------------------
Patch: SUSE-2023-3701
Released: Wed Sep 20 11:19:10 2023
Summary: Security update for go1.21
Severity: important
References: 1212475,1215084,1215085,1215086,1215087,1215090,CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322
Description:
This update for go1.21 fixes the following issues:
Update to go1.21.1 (bsc#1212475).
- CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts in html/template (bsc#1215084).
- CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085).
- CVE-2023-39320: Fixed arbitrary execution in go.mod toolchain directive (bsc#1215086).
- CVE-2023-39321, CVE-2023-39322: Fixed a panic when processing post-handshake message on QUIC connections in crypto/tls (bsc#1215087).
The following non-security bug was fixed:
- Add missing directory pprof html asset directory to package (bsc#1215090).