-----------------------------------------
Version 36.88 2022-11-26T09:00:22

-----------------------------------------
Patch: SUSE-2018-1332
Released: Tue Jul 17 09:01:19 2018
Summary: Recommended update for timezone
Severity: moderate
References: 1073299,1093392
Description:
This update for timezone provides the following fixes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used
  in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd
  timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid
  setting an incorrect timezone. (bsc#1093392)


-----------------------------------------
Patch: SUSE-2018-1462
Released: Tue Jul 31 14:04:41 2018
Summary: Security update for java-11-openjdk
Severity: moderate
References: 1101645,1101651,1101655,1101656,CVE-2018-2940,CVE-2018-2952,CVE-2018-2972,CVE-2018-2973
Description:
This java-11-openjdk update to version jdk-11+24 fixes the following issues:

Security issues fixed:

- CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645).
- CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651).
- CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655).
- CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656).


-----------------------------------------
Patch: SUSE-2018-1999
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Severity: moderate
References: 1071321
Description:
This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)


-----------------------------------------
Patch: SUSE-2018-2082
Released: Sun Sep 30 14:06:27 2018
Summary: Security update for libX11
Severity: moderate
References: 1102062,1102068,1102073,CVE-2018-14598,CVE-2018-14599,CVE-2018-14600
Description:
This update for libX11 fixes the following security issues:

- CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one
  error caused by malicious server responses, leading to DoS or possibly
  unspecified other impact (bsc#1102062)
- CVE-2018-14600: The function XListExtensions interpreted a variable as signed
  instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes),
  leading to DoS or remote code execution (bsc#1102068)
- CVE-2018-14598: A malicious server could have sent a reply in which the first
  string overflows, causing a variable to be set to NULL that will be freed later
  on, leading to DoS (segmentation fault) (bsc#1102073)


-----------------------------------------
Patch: SUSE-2018-2298
Released: Wed Oct 17 17:02:57 2018
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 1111162,1112142,1112143,1112144,1112145,1112146,1112147,1112148,1112149,CVE-2018-3136,CVE-2018-3139,CVE-2018-3149,CVE-2018-3150,CVE-2018-3157,CVE-2018-3169,CVE-2018-3180,CVE-2018-3183
Description:
This update for java-11-openjdk fixes the following issues:

Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)

Security fixes:

- S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support
- S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses
- S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups
- S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability
- S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again
- S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks
- S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound
- S8194534, CVE-2018-3136, bsc#1112142: Manifest better support
- S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates
- S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection

Security-In-Depth fixes:

- S8194546: Choosier FileManagers
- S8195874: Improve jar specification adherence
- S8196897: Improve PRNG support
- S8197881: Better StringBuilder support
- S8201756: Improve cipher inputs
- S8203654: Improve cypher state updates
- S8204497: Better formatting of decimals
- S8200666: Improve LDAP support
- S8199110: Address Internet Addresses

Update to upstream tag jdk-11+28 (OpenJDK 11 rc1)

- S8207317: SSLEngine negotiation fail exception behavior
  changed from fail-fast to fail-lazy
- S8207838: AArch64: Float registers incorrectly restored in
  JNI call
- S8209637: [s390x] Interpreter doesn't call result handler
  after native calls
- S8209670: CompilerThread releasing code buffer in destructor
  is unsafe
- S8209735: Disable avx512 by default
- S8209806: API docs should be updated to refer to javase11
- Report version without the '-internal' postfix

- Don't build against gdk making the accessibility depend on a
  particular version of gtk.

Update to upstream tag jdk-11+27

- S8031761: [TESTBUG] Add a regression test for JDK-8026328
- S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030
  fails with 'unexpected values of outer fields of the class'
  when running with -Xcomp
- S8164639: Configure PKCS11 tests to use user-supplied NSS
  libraries
- S8189667: Desktop#moveToTrash expects incorrect '<<ALL
  FILES>>' FilePermission
- S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in
  -Xcomp
- S8195156: [Graal] serviceability/jvmti/GetModulesInfo/
  /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode
- S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails
  if run twice
- S8201394: Update java.se module summary to reflect removal of
  java.se.ee module
- S8204931: Colors with alpha are painted incorrectly on Linux
- S8204966: [TESTBUG] hotspot/test/compiler/whitebox/
  /IsMethodCompilableTest.java test fails with
  -XX:CompileThreshold=1
- S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent
  quadratic runtime behavior
- S8205687: TimeoutHandler generates huge core files
- S8206176: Remove the temporary tls13VN field
- S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS
  libs not found
- S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE
  and ja_JP locale.
- S8207009: TLS 1.3 half-close and synchronization issues
- S8207046: arm32 vm crash: C1 arm32 platform functions
  parameters type mismatch
- S8207139: NMT is not enabled on Windows 2016/10
- S8207237: SSLSocket#setEnabledCipherSuites is accepting empty
  string
- S8207355: C1 compilation hangs in
  ComputeLinearScanOrder::compute_dominator
- S8207746: C2: Lucene crashes on AVX512 instruction
- S8207765: HeapMonitorTest.java intermittent failure
- S8207944: java.lang.ClassFormatError: Extra bytes at the end
  of class file test' possibly violation of JVMS 4.7.1
- S8207948: JDK 11 L10n resource file update msg drop 10
- S8207966: HttpClient response without content-length does not
  return body
- S8208125: Cannot input text into JOptionPane Text Input Dialog
- S8208164: (str) improve specification of String::lines
- S8208166: Still unable to use custom SSLEngine with default
  TrustManagerFactory after JDK-8207029
- S8208189: ProblemList compiler/graalunit/JttThreadsTest.java
- S8208205: ProblemList tests that fail due to 'Error attaching
  to process: Can't create thread_db agent!'
- S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java
- S8208251: serviceability/jvmti/HeapMonitor/MyPackage/
  /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64
- S8208305: ProblemList
  compiler/jvmci/compilerToVM/GetFlagValueTest.java
- S8208347: ProblemList
  compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java
- S8208353: Upgrade JDK 11 to libpng 1.6.35
- S8208358: update bug ids mentioned in tests
- S8208370: fix typo in ReservedStack tests' @requires
- S8208391: Differentiate response and connect timeouts in HTTP
  Client API
- S8208466: Fix potential memory leak in harfbuzz shaping.
- S8208496: New Test to verify concurrent behavior of TLS.
- S8208521: ProblemList more tests that fail due to 'Error
  attaching to process: Can't create thread_db agent!'
- S8208640: [a11y] [macos] Unable to navigate between
  Radiobuttons in Radio group using keyboard.
- S8208663: JDK 11 L10n resource file update msg drop 20
- S8208676: Missing NULL check and resource leak in
  NetworkPerformanceInterface::NetworkPerformance::network_utilization
- S8208691: Tighten up jdk.includeInExceptions security property
- S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/
  /TestNssDbSqlite.java fails in aarch64 platforms
- S8209029: ProblemList tests that fail due to 'Error attaching
  to process: Can't create thread_db agent!' in jdk-11+25
  testing
- S8209149: [TESTBUG] runtime/RedefineTests/
  /RedefineRunningMethods.java needs a longer timeout
- S8209451: Please change jdk 11 milestone to FCS
- S8209452: VerifyCACerts.java failed with 'At least one cacert
  test failed'
- S8209506: Add Google Trust Services GlobalSign root
  certificates
- S8209537: Two security tests failed after JDK-8164639 due to
  dependency was missed


-----------------------------------------
Patch: SUSE-2018-2307
Released: Thu Oct 18 14:42:54 2018
Summary: Recommended update for libxcb
Severity: moderate
References: 1101560
Description:
This update for libxcb provides the following fix:

- Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)


-----------------------------------------
Patch: SUSE-2018-2463
Released: Thu Oct 25 14:48:34 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1104700,1112310
Description:

  
This update for timezone, timezone-java fixes the following issues:

The timezone database was updated to 2018f:

- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates

Other bugfixes:

- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)


-----------------------------------------
Patch: SUSE-2018-2550
Released: Wed Oct 31 16:16:56 2018
Summary: Recommended update for timezone, timezone-java
Severity: moderate
References: 1113554
Description:
This update provides the latest time zone definitions (2018g), including the following change:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)


-----------------------------------------
Patch: SUSE-2018-2569
Released: Fri Nov  2 19:00:18 2018
Summary: Recommended update for pam
Severity: moderate
References: 1110700
Description:
This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)


-----------------------------------------
Patch: SUSE-2018-2607
Released: Wed Nov  7 15:42:48 2018
Summary: Optional update for gcc8
Severity: low
References: 1084812,1084842,1087550,1094222,1102564
Description:

The GNU Compiler GCC 8 is being added to the Development Tools Module by this
update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other
gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs have been fixed,
quite a few new warnings have been added, and the error pin-pointing and
fix-suggestions have been greatly improved.

The GNU Compiler page for GCC 8 contains a summary of all the changes that
have happened:

   	https://gcc.gnu.org/gcc-8/changes.html

Changes needed and common pitfalls when porting software are also described at:

	https://gcc.gnu.org/gcc-8/porting_to.html



-----------------------------------------
Patch: SUSE-2018-2625
Released: Mon Nov 12 08:58:25 2018
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 1113734
Description:
This update for java-11-openjdk fixes the following issues:

Merge the following modules from github.com/javaee into the JDK:

* com.sun.xml.fastinfoset
* org.jvnet.staxex
* com.sun.istack.runtime
* com.sun.xml.txw2
* com.sun.xml.bind

This provides a default implementation of JAXB-API that
existed in JDK before Java 11 and that some applications
depend on.


-----------------------------------------
Patch: SUSE-2018-2825
Released: Mon Dec  3 15:35:02 2018
Summary: Security update for pam
Severity: important
References: 1115640,CVE-2018-17953
Description:
This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).


-----------------------------------------
Patch: SUSE-2018-2861
Released: Thu Dec  6 14:32:01 2018
Summary: Security update for ncurses
Severity: important
References: 1103320,1115929,CVE-2018-19211
Description:
This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from the terminfo database so that screen uses the fallback TERM=screen (bsc#1103320).


-----------------------------------------
Patch: SUSE-2018-3044
Released: Fri Dec 21 18:47:21 2018
Summary: Security update for MozillaFirefox, mozilla-nspr and mozilla-nss
Severity: important
References: 1097410,1106873,1119069,1119105,CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498
Description:
This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:

Issues fixed in MozillaFirefox:

- Update to Firefox ESR 60.4 (bsc#1119105)
- CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
- CVE-2018-18492: Fixed a use-after-free with select element
- CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
- CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries
  to steal cross-origin URLs
- CVE-2018-18498: Fixed an integer overflow when calculating buffer sizes for images
- CVE-2018-12405: Fixed a few memory safety bugs

Issues fixed in mozilla-nss:

- Update to NSS 3.40.1 (bsc#1119105)
- CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
- CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an
  SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
- CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
- Fixed a decryption failure during FFDHE key exchange
- Various security fixes in the ASN.1 code

Issues fixed in mozilla-nspr:

- Update mozilla-nspr to 4.20 (bsc#1119105)


-----------------------------------------
Patch: SUSE-2019-44
Released: Tue Jan  8 13:07:32 2019
Summary: Recommended update for acl
Severity: low
References: 953659
Description:
This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes. (bsc#953659)


-----------------------------------------
Patch: SUSE-2019-102
Released: Tue Jan 15 18:02:58 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1120402
Description:
This update for timezone fixes the following issues:

- Update 2018i:
  São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
- Update 2018h:
  Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21
  New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move
  Metlakatla, Alaska observes PST this winter only
  Guess Morocco will continue to adjust clocks around Ramadan
  Add predictions for Iran from 2038 through 2090
  

-----------------------------------------
Patch: SUSE-2019-221
Released: Fri Feb  1 15:20:56 2019
Summary: Security update for java-11-openjdk
Severity: important
References: 1120431,1122293,1122299,CVE-2018-11212,CVE-2019-2422,CVE-2019-2426
Description:
This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:

Security issues fixed:

- CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
- CVE-2019-2426: Improve web server connections
- CVE-2018-11212: Improve JPEG processing (bsc#1122299)
- Better route routing
- Better interface enumeration
- Better interface lists
- Improve BigDecimal support
- Improve robot support
- Better icon support
- Choose printer defaults
- Proper allocation handling
- Initial class initialization
- More reliable p11 transactions
- Improve NIO stability
- Better loading of classloader classes
- Strengthen Windows Access Bridge Support
- Improved data set handling
- Improved LSA authentication
- Libsunmscapi improved interactions

Non-security issues fixed:

- Do not resolve by default the added JavaEE modules (bsc#1120431)
- ~2.5% regression on compression benchmark starting with 12-b11
- java.net.http.HttpClient hangs on 204 reply without Content-length 0
- Add additional TeliaSonera root certificate
- Add more ld preloading related info to hs_error file on Linux
- Add test to exercise server-side client hello processing
- AES encrypt performance regression in jdk11b11
- AIX: ProcessBuilder: Piping between created processes does not work.
- AIX: Some class library files are missing the Classpath exception
- AppCDS crashes for some uses with JRuby
- Automate vtable/itable stub size calculation
- BarrierSetC1::generate_referent_check() confuses register allocator
- Better HTTP Redirection
- Catastrophic size_t underflow in BitMap::*_large methods
- Clip.isRunning() may return true after Clip.stop() was called
- Compiler thread creation should be bounded by available space in memory and Code Cache
- com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code
- Default mask register for avx512 instructions
- Delayed starting of debugging via jcmd
- Disable all DES cipher suites
- Disable anon and NULL cipher suites
- Disable unsupported GCs for Zero
- Epsilon alignment adjustments can overflow max TLAB size
- Epsilon elastic TLAB sizing may cause misalignment
- HotSpot update for vm_version.cpp to recognise updated VS2017
- HttpClient does not retrieve files with large sizes over HTTP/1.1
- IIOException 'tEXt chunk length is not proper' on opening png file
- Improve TLS connection stability again
- InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
- Inspect stack during error reporting
- Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
- Introduce diagnostic flag to abort VM on failed JIT compilation
- Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
- jar has issues with UNC-path arguments for the jar -C parameter [windows]
- java.net.http HTTP client should allow specifying Origin and Referer headers
- java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
- JDK 11.0.1 l10n resource file update
- JDWP Transport Listener: dt_socket thread crash
- JVMTI ResourceExhausted should not be posted in CompilerThread
- LDAPS communication failure with jdk 1.8.0_181
- linux: Poor StrictMath performance due to non-optimized compilation
- Missing synchronization when reading counters for live threads and peak thread count
- NPE in SupportedGroupsExtension
- OpenDataException thrown when constructing CompositeData for StackTraceElement
- Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
- Populate handlers while holding streamHandlerLock
- ppc64: Enable POWER9 CPU detection
- print_location is not reliable enough (printing register info)
- Reconsider default option for ClassPathURLCheck change done in JDK-8195874
- Register to register spill may use AVX 512 move instruction on unsupported platform.
- s390: Use of shift operators not covered by cpp standard
- serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
- SIGBUS in CodeHeapState::print_names()
- SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
- Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
- Swing apps are slow if displaying from a remote source to many local displays
- switch jtreg to 4.2b13
- Test library OSInfo.getSolarisVersion cannot determine Solaris version
- TestOptionsWithRanges.java is very slow
- TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently
- The Japanese message of FileNotFoundException garbled
- The 'supported_groups' extension in ServerHellos
- ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
- TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
- TLS 1.2 Support algorithm in SunPKCS11 provider
- TLS 1.3 handshake server name indication is missing on a session resume
- TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
- TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
- tz: Upgrade time-zone data to tzdata2018g
- Undefined behaviour in ADLC
- Update avx512 implementation
- URLStreamHandler initialization race
- UseCompressedOops requirement check fails on 32-bit system
- windows: Update OS detection code to recognize Windows Server 2019
- x86: assert on unbound assembler Labels used as branch targets
- x86: jck tests for ldc2_w bytecode fail
- x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
- '-XX:OnOutOfMemoryError' uses fork instead of vfork


-----------------------------------------
Patch: SUSE-2019-247
Released: Wed Feb  6 07:18:45 2019
Summary: Security update for lua53
Severity: moderate
References: 1123043,CVE-2019-6706
Description:
This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)


-----------------------------------------
Patch: SUSE-2019-571
Released: Thu Mar  7 18:13:46 2019
Summary: Security update for file
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907
Description:
This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in
  readelf.c, which allowed remote attackers to cause a denial of service
  (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c
  (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c
  (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c
  (bsc#1126117)


-----------------------------------------
Patch: SUSE-2019-788
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1119687,CVE-2018-20346
Description:
This update for sqlite3 to version 3.27.2 fixes the following issue:

Security issue fixed: 

- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

Release notes: https://www.sqlite.org/releaselog/3_27_2.html


-----------------------------------------
Patch: SUSE-2019-790
Released: Thu Mar 28 12:06:17 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1130557
Description:
This update for timezone fixes the following issues:

timezone was updated to 2019a:

* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data



-----------------------------------------
Patch: SUSE-2019-1002
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Severity: moderate
References: 1110304,1129576
Description:
This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)


-----------------------------------------
Patch: SUSE-2019-1040
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880
Description:
This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).


ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb


Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
  

-----------------------------------------
Patch: SUSE-2019-1052
Released: Fri Apr 26 14:33:42 2019
Summary: Security update for java-11-openjdk
Severity: moderate
References: 1132728,1132732,CVE-2019-2602,CVE-2019-2684
Description:
This update for java-11-openjdk to version 11.0.3+7 fixes the following issues:

Security issues fixed:

- CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728).
- CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732).

Non-security issues fixed:

- Multiple bug fixes and improvements.


-----------------------------------------
Patch: SUSE-2019-1127
Released: Thu May  2 09:39:24 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937
Description:
This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix
  queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in
  a single transaction with an fts5 virtual table (bsc#1130325).


-----------------------------------------
Patch: SUSE-2019-1152
Released: Fri May  3 18:06:09 2019
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 1131378
Description:
This update for java-11-openjdk fixes the following issues:

- Require update-ca-certificates by the headless subpackage
  (bsc#1131378)
- Removed a font rendering patch which broke in relation to other font changes.


-----------------------------------------
Patch: SUSE-2019-1368
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Severity: important
References: 1134524,CVE-2019-5021
Description:
This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)


-----------------------------------------
Patch: SUSE-2019-1372
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Severity: moderate
References: 1105435,CVE-2018-1000654
Description:
This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).


-----------------------------------------
Patch: SUSE-2019-1398
Released: Fri May 31 12:54:22 2019
Summary: Security update for libpng16
Severity: low
References: 1100687,1121624,1124211,CVE-2018-13785,CVE-2019-7317
Description:
This update for libpng16 fixes the following issues:

Security issues fixed:

- CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when 
  png_image_free() was called under png_safe_execute (bsc#1124211).
- CVE-2018-13785: Fixed a wrong calculation of row_factor in the
  png_check_chunk_length function in pngrutil.c, which could have triggered
  an integer overflow and resulted in a divide-by-zero while processing a
  crafted PNG file, leading to a denial of service (bsc#1100687)


-----------------------------------------
Patch: SUSE-2019-1631
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Severity: low
References: 1135709
Description:
This update for xz fixes the following issues:

  Add SUSE-Public-Domain licence as some parts of xz utils (liblzma,
  xz, xzdec, lzmadec, documentation, translated messages, tests,
  debug, extra directory) are in public domain licence [bsc#1135709]
  

-----------------------------------------
Patch: SUSE-2019-1807
Released: Wed Jul 10 13:13:21 2019
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 1137264
Description:

This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264)


-----------------------------------------
Patch: SUSE-2019-1815
Released: Thu Jul 11 07:47:55 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1140016
Description:
This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.


-----------------------------------------
Patch: SUSE-2019-2002
Released: Mon Jul 29 13:00:27 2019
Summary: Security update for java-11-openjdk
Severity: important
References: 1115375,1140461,1141780,1141781,1141782,1141783,1141784,1141785,1141787,1141788,1141789,CVE-2019-2745,CVE-2019-2762,CVE-2019-2766,CVE-2019-2769,CVE-2019-2786,CVE-2019-2816,CVE-2019-2818,CVE-2019-2821,CVE-2019-7317
Description:
This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues:

Security issues fixed:

- CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
- CVE-2019-2762: Exceptional throw cases (bsc#1141782).
- CVE-2019-2766: Improve file protocol handling (bsc#1141789).
- CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
- CVE-2019-2786: More limited privilege usage (bsc#1141787).
- CVE-2019-7317: Improve PNG support options (bsc#1141780).
- CVE-2019-2818: Better Poly1305 support (bsc#1141788).
- CVE-2019-2816: Normalize normalization (bsc#1141785).
- CVE-2019-2821: Improve TLS negotiation (bsc#1141781).
- Certificate validation improvements

Non-security issues fixed:

- Do not fail installation when the manpages are not present (bsc#1115375)
- Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if
  there is whitespace after the header or footer (bsc#1140461)


-----------------------------------------
Patch: SUSE-2019-2134
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807
Description:
This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)


-----------------------------------------
Patch: SUSE-2019-2142
Released: Wed Aug 14 18:14:04 2019
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322
Description:

  
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.45 (bsc#1141322):

* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were removed:
  CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
  This adds a new experimental function SSL_DelegateCredential
  Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
  Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
  This adds new experimental functions: SSL_SetTimeFunc, 
  SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
  SSL_ReleaseAntiReplayContext.
  The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
  Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

mozilla-nspr was updated to version 4.21

* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.  



-----------------------------------------
Patch: SUSE-2019-2533
Released: Thu Oct  3 15:02:50 2019
Summary: Security update for sqlite3
Severity: moderate
References: 1150137,CVE-2019-16168
Description:
This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).


-----------------------------------------
Patch: SUSE-2019-2762
Released: Thu Oct 24 07:08:44 2019
Summary: Recommended update for timezone
Severity: moderate
References: 1150451
Description:
This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.


-----------------------------------------
Patch: SUSE-2019-2997
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
Description:
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).


-----------------------------------------
Patch: SUSE-2019-2998
Released: Mon Nov 18 15:17:23 2019
Summary: Security update for java-11-openjdk
Severity: important
References: 1152856,1154212,CVE-2019-2894,CVE-2019-2933,CVE-2019-2945,CVE-2019-2949,CVE-2019-2958,CVE-2019-2962,CVE-2019-2964,CVE-2019-2973,CVE-2019-2975,CVE-2019-2977,CVE-2019-2978,CVE-2019-2981,CVE-2019-2983,CVE-2019-2987,CVE-2019-2988,CVE-2019-2989,CVE-2019-2992,CVE-2019-2999
Description:
This update for java-11-openjdk to version jdk-11.0.5-10 fixes the following issues:

Security issues fixed (October 2019 CPU, bsc#1154212):

- CVE-2019-2933: Windows file handling redux
- CVE-2019-2945: Better socket support
- CVE-2019-2949: Better Kerberos ccache handling
- CVE-2019-2958: Build Better Processes
- CVE-2019-2964: Better support for patterns
- CVE-2019-2962: Better Glyph Images
- CVE-2019-2973: Better pattern compilation
- CVE-2019-2975: Unexpected exception in jjs
- CVE-2019-2978: Improved handling of jar files
- CVE-2019-2977: Improve String index handling
- CVE-2019-2981: Better Path supports
- CVE-2019-2983: Better serial attributes
- CVE-2019-2987: Better rendering of native glyphs
- CVE-2019-2988: Better Graphics2D drawing
- CVE-2019-2989: Improve TLS connection support
- CVE-2019-2992: Enhance font glyph mapping
- CVE-2019-2999: Commentary on Javadoc comments
- CVE-2019-2894: Enhance ECDSA operations (bsc#1152856).


-----------------------------------------
Patch: SUSE-2019-3061
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
Description:


This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

   https://www.gnu.org/software/gcc/gcc-9/changes.html


The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and set CC=gcc-9 /
CXX=g++-9 during configuration.


Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)


-----------------------------------------
Patch: SUSE-2019-3086
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
Description:
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).


-----------------------------------------
Patch: SUSE-2019-3395
Released: Mon Dec 30 14:05:06 2019
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1141322,1158527,1159819,CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.47.1:

Security issues fixed:

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed an issue with signing CertificateVerify with PKCS#1 v1.5 signatures (bsc#1141322).

mozilla-nspr was updated to version 4.23:

- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.


-----------------------------------------
Patch: SUSE-2020-213
Released: Wed Jan 22 15:38:15 2020
Summary: Security update for java-11-openjdk
Severity: important
References: 1160968,CVE-2020-2583,CVE-2020-2590,CVE-2020-2593,CVE-2020-2601,CVE-2020-2604,CVE-2020-2654,CVE-2020-2655
Description:
This update for java-11-openjdk fixes the following issues:

Update to version jdk-11.0.6-10 (January 2020 CPU, bsc#1160968)

Fixing these security related issues:

- CVE-2020-2583: Unlink Set of LinkedHashSets
- CVE-2020-2590: Improve Kerberos interop capabilities
- CVE-2020-2593: Normalize normalization for all
- CVE-2020-2601: Better Ticket Granting Services
- CVE-2020-2604: Better serial filter handling
- CVE-2020-2655: Better TLS messaging support
- CVE-2020-2654: Improve Object Identifier Processing


-----------------------------------------
Patch: SUSE-2020-362
Released: Fri Feb  7 11:14:20 2020
Summary: Recommended update for libXi
Severity: moderate
References: 1153311
Description:

This update for libXi fixes the following issue:

- The libXi6-32bit library on x86_64 is now shipped in the Basesystem module. (bsc#1153311)
  

-----------------------------------------
Patch: SUSE-2020-525
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Severity: moderate
References: 1164562
Description:
This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)


-----------------------------------------
Patch: SUSE-2020-689
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted,
  so we temporarily disabled pam_userdb again. It will be published
  in a different package at a later time. (bsc#1166510)
  

-----------------------------------------
Patch: SUSE-2020-917
Released: Fri Apr  3 15:02:25 2020
Summary: Recommended update for pam
Severity: moderate
References: 1166510
Description:
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)


-----------------------------------------
Patch: SUSE-2020-948
Released: Wed Apr  8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
Description:
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
  input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)


-----------------------------------------
Patch: SUSE-2020-1226
Released: Fri May  8 10:51:05 2020
Summary: Recommended update for gcc9
Severity: moderate
References: 1149995,1152590,1167898
Description:
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go


-----------------------------------------
Patch: SUSE-2020-1294
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
Description:
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).


-----------------------------------------
Patch: SUSE-2020-1303
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1169582
Description:
This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.


-----------------------------------------
Patch: SUSE-2020-1328
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Severity: moderate
References: 1155271
Description:
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)


-----------------------------------------
Patch: SUSE-2020-1353
Released: Wed May 20 13:02:32 2020
Summary: Security update for freetype2
Severity: moderate
References: 1079603,1091109,CVE-2018-6942
Description:
This update for freetype2 to version 2.10.1 fixes the following issues:

Security issue fixed:

- CVE-2018-6942: Fixed a NULL pointer dereference within ttinterp.c (bsc#1079603).

Non-security issues fixed:

- Update to version 2.10.1
  * The bytecode hinting of OpenType variation fonts was flawed, since
    the data in the `CVAR' table wasn't correctly applied.
  * Auto-hinter support for Mongolian.
  * The handling of  the default character in PCF fonts as  introduced
    in version 2.10.0 was partially broken, causing premature abortion
    of charmap iteration for many fonts.
  * If  `FT_Set_Named_Instance' was  called  with  the same  arguments
    twice in a row, the function  returned an incorrect error code the
    second time.
  * Direct   rendering   using  FT_RASTER_FLAG_DIRECT   crashed   (bug
    introduced in version 2.10.0).
  * Increased  precision  while  computing  OpenType  font   variation
    instances.
  * The  flattening  algorithm of  cubic  Bezier  curves was  slightly
    changed to make  it faster.  This can cause  very subtle rendering
    changes, which aren't noticeable by the eye, however.
  * The  auto-hinter  now  disables hinting  if there  are blue  zones
    defined for a `style' (i.e., a certain combination of a script and
    its related typographic features) but the font doesn't contain any
    characters needed to set up at least one blue zone.
- Add tarball signatures and freetype2.keyring

- Update to version 2.10.0
  * A bunch of new functions has been added to access and process
    COLR/CPAL data of OpenType fonts with color-layered glyphs.
  * As a GSoC 2018 project, Nikhil Ramakrishnan completely
    overhauled and modernized the API reference.
  * The logic for computing the global ascender, descender, and
    height of OpenType fonts has been slightly adjusted for
    consistency.
  * `TT_Set_MM_Blend' could fail if called repeatedly with the same
    arguments.
  * The precision of handling deltas in Variation Fonts has been
    increased. The problem only showed up with multidimensional
    designspaces.
  * New function `FT_Library_SetLcdGeometry' to set up the geometry
    of LCD subpixels.
  * FreeType now uses the `defaultChar' property of PCF fonts to set
    the  glyph for  the undefined  character  at glyph  index 0  (as
    FreeType already does for all other supported font formats).  As
    a consequence, the order of glyphs of a PCF font if accessed
    with  FreeType can be different now compared to previous
    versions.
    This change doesn't affect PCF font access with cmaps.
  * `FT_Select_Charmap' has been changed to allow  parameter value
    `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT
    formats to access built-in cmaps that don't have a predefined
    `FT_Encoding' value.
  * A previously reserved field in the `FT_GlyphSlotRec' structure
    now holds the glyph index.
  * The usual round of fuzzer bug fixes to better reject malformed
    fonts.
  * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have
    been removed. These two functions were public by oversight only
    and were never documented.
  * A new function `FT_Error_String' returns descriptions of error
    codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is
    defined.
  * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new
    functions limited to Adobe MultiMaster fonts to directly set and
    get the weight vector.

- Enable subpixel rendering with infinality config:

- Re-enable freetype-config, there are just too many fallouts.

- Update to version 2.9.1
  * Type 1 fonts containing flex features were not rendered
    correctly (bug introduced in version 2.9).
  * CVE-2018-6942: Older FreeType versions can crash with certain
    malformed variation fonts.
  * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage.
  * Emboldening of bitmaps didn't work correctly sometimes, showing
    various artifacts (bug introduced in version 2.8.1).
  * The auto-hinter script ranges have been updated for Unicode 11.
    No support for new scripts has been added, however, with the
    exception of Georgian Mtavruli.
- freetype-config is now deprecated by upstream and not enabled
  by default.

- Update to version 2.10.1
  * The `ftmulti' demo program now  supports multiple hidden axes with
    the same name tag.
  * `ftview', `ftstring', and `ftgrid' got  a `-k' command line option
    to emulate a sequence of keystrokes at start-up.
  * `ftview', `ftstring', and `ftgrid' now support screen dumping to a
    PNG file.
  * The bytecode debugger, `ttdebug',  now supports variation TrueType
    fonts; a variation font instance can be selected with the new `-d'
    command line option.
- Add tarball signatures and freetype2.keyring

- Update to version 2.10.0
  * The  `ftdump' demo  program has new options `-c'  and `-C'  to
    display charmaps in compact and detailed format, respectively.
    Option `-V' has been removed.
  * The `ftview', `ftstring', and `ftgrid' demo programs use a new
    command line option `-d' to specify the program window's width,
    height, and color depth.
  * The `ftview' demo program now displays red boxes for zero-width
    glyphs.
  * `ftglyph' has limited support to display fonts with
    color-layered glyphs. This will be improved later on.
  * `ftgrid' can now display bitmap fonts also.
  * The `ttdebug' demo program has a new option `-f' to select a
    member of a TrueType collection (TTC).
  * Other various improvements to the demo programs.

- Remove 'Supplements: fonts-config' to avoid accidentally pulling
  in Qt dependencies on some non-Qt based desktops. (bsc#1091109)
  fonts-config is fundamental, but ft2demos is seldom installed by end users.
  Only fonts-config maintainers/debuggers may use ft2demos alongside it to
  debug some issues.

- Update to version 2.9.1
  * No changelog upstream.


-----------------------------------------
Patch: SUSE-2020-1404
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1138793,1166260
Description:
This update for zlib fixes the following issues:

- Include the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements
  the deflate algorithm in hardware with estimated compression and decompression performance
  orders of magnitude faster than the current zlib and a ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
  The fix avoids testing whether the app was linked with exactly the same version of zlib
  as the one that is present at runtime.


-----------------------------------------
Patch: SUSE-2020-1507
Released: Fri May 29 17:23:52 2020
Summary: Recommended update for publicsuffix
Severity: moderate
References: 1171819
Description:
This update for publicsuffix fixes the following issues:

- Update from version 20180312 to version 20200506. (bsc#1171819).

- New in version 20200506:
  * gTLD autopull: 2020-05-06 (#1030)
  * Update public_suffix_list.dat (#993)
  * Add shopware.store domain (#958)
  * Add clic2000.net to Private Section (#1010)
  * Add Fabrica apps domain: onfabrica.com (#999)
  * Add dyndns.dappnode.io (#912)
  * Added curv.dev to public_suffix_list.dat (#968)
  * Add panel.gg and daemon.panel.gg (#978)
  * adding sth.ac.at (#997)
  * Add netlify.app (#1012)
  * Added Wiki Link as info resource (#1011)
  * Add schulserver.de, update IServ GmbH contact information (#996)
  * Add conn.uk, copro.uk, couk.me and ukco.me domains (#963)
  * Remove flynnhub.com (#971)
  * Added graphox.us domain (#960)
  * Add domains for FASTVPS EESTI OU (#941)
  * Add platter.dev user app domains (#935)
  * Add playstation-cloud.com (#1006)
  * gTLD autopull: 2020-04-02 (#1005)
  * ACI prefix (#930)
  * Update public_suffix_list.dat (#923)
  * Add toolforge.org and wmcloud.org (#970)
  * gTLD autopull: 2020-03-29 (#1003)

- New in version 20200326:
  * aero registry removal
  * Add Mineduc subregistry for public schools: aprendemas.cl
  * Update public_suffix_list.dat - Existing Section
  * gTLD autopull: 2020-03-15
  * Add 'urown.cloud' and 'dnsupdate.info'
  * Remove site.builder.nu
  * Remove unnecessary trailing whitespace for name.fj
  * Update .eu IDNs to add Greek and URL for Cyrillic
  * Update fj entry

- New in version 20200201:
  * gTLD autopull: 2020-02-01 (#952)
  * gTLD autopull: 2020-01-31 (#951)
  * Add WoltLab Cloud domains (#947)
  * Add qbuser.com domain (#943)
  * Added senseering domain (#946)
  * Add u.channelsdvr.net to PSL (#950)
  * Add discourse.team (#949)
  * gTLD autopull: 2020-01-06 (#942)
  * gTLD autopull: 2019-12-25 (#939)
  * Urgent removal of eq.edu.au (#924)
  * gTLD autopull: 2019-12-20 (#938)
  * gTLD autopull: 2019-12-11 (#932)
  * Added adobeaemcloud domains (#931)
  * Add Observable domain: observableusercontent.com. (#914)
  * Correct v.ua sorting
  * add v.ua (#919)
  * Add en-root.fr domain (#910)
  * add Datawire private domain (#925)
  * Add amsw.nl private domain to PSL (#929)
  * Add *.on-k3s.io (#922)
  * Add *.r.appspot.com to public suffix list (#920)
  * Added gentapps.com (#916)
  * Add oya.to (#908)
  * Add Group 53, LLC Domains (#900)
  * Add perspecta.cloud (#898)
  * Add 0e.vc to PSL (#896)
  * Add skygearapp.com (#892)
  * Update Hostbip Section (#871)
  * Add qcx.io and *.sys.qcx.io (#868)
  * Add builtwithdark.com to the public suffix list (#857)
  * Add_customer-oci.com (#811)
  * Move out old .ru reserved domains
  * gTLD autopull: 2019-12-02 (#928)
  * gTLD autopull: 2019-11-20 (#926)

- New in version 20191115:
  * Add gov.scot for Scottish Government
  * update gTLD list to 2019-11-15 state
  * remove go-vip.co, go-vip.net, wpcomstaging.com

- New in version 20191025:
  * gTLD list updated to 2019-10-24 state
  * Update .so suffix list
  * Add the new TLD .ss
  * Add xn--mgbah1a3hjkrd (موريتانيا)
  * Add lolipop.io
  * Add altervista.org
  * Remove zone.id from list
  * Add new domain to Synology dynamic dns service

- New in version 20190808:
  * tools: update newgtlds.go to filter removed gTLDs (#860)
  * gTLD autopull: 2019-08-08 (#862)
  * Remove non-public nuernberg.museum nuremberg.museum domains (#859)
  * gTLD autopull: 2019-08-02 (#858)
  * Update public_suffix_list.dat (#825)
  * Update reference as per #855
  * add nic.za
  * Update contact for SymfonyCloud (#854)
  * Add lelux.site (#849)
  * Add *.webhare.dev (#847)
  * Update Hostbip Section (#846)
  * Add Yandex Cloud domains (#850)
  * Add ASEINet domains (#844)
  * Update nymnom section (#771)
  * Add Handshake zones (#796)
  * Add iserv.dev for IServ GmbH (#826)
  * Add trycloudflare.com to Cloudflare's domains (#835)
  * Add shopitsite.com (#838)
  * Add pubtls.org (#839)
  * Add qualifio.com domains (#840)
  * Update newgtlds tooling & associated gTLD data. (#834)
  * Add web.app for Google (#830)
  * Add iobb.net (#828)
  * Add cloudera.site (#829)

- New in version 20190529:
  * Add Balena domains (#814)
  * Add KingHost domains (#827)
  * Add dyn53.io (#820)
  * Add azimuth.network and arvo.network (#812)
  * Update .rw domains per ccTLD (#821)
  * Add b-data.io (#759)
  * Add co.bn (#789)
  * Add Zitcom domains (#817)
  * Add Carrd suffixes (#816)
  * Add Linode Suffixes (#810)
  * Add lab.ms (#807)
  * Add wafflecell.com (#805)
  * Add häkkinen.fi (#804)
  * Add prvcy.page (#803)
  * Add SRCF user domains: soc.srcf.net, user.srcf.net (#802)
  * Add KaasHosting (#801)
  * Adding cloud66.zone (#797)
  * Add gehirn.ne.jp and usercontent.jp for Gehirn Inc. (#795)
  * Add Clerk user domains (#791)
  * Add loginline (.app, .dev, .io, .services, .site) (#790)
  * Add wnext.app (#785)
  * Add Hostbip Registry Domains (#770)
  * Add glitch.me (#769)
  * added thingdustdata.com (#767)
  * Add dweb.link (#766)
  * Add onred.one (#764)
  * Add mo-siemens.io (#762)
  * Add Render domains (#761)
  * Add *.moonscale.io (#757)
  * Add Stackhero domain (#755)
  * Add voorloper.cloud (#750)
  * Add repl.co and repl.run (#748)
  * Add edugit.org (#736)
  * Add Hakaran domains (#733)
  * Add barsy.ca (#732)
  * Add Names.of.London Domains (#543)
  * Add nctu.me (#746)
  * Br 201904 update (#809)
  * Delete DOHA
  * Add app.banzaicloud.io (#730)
  * Update .TR (#741)
  * Add Nabu Casa (#781)
  * Added uk0.bigv.io under Bytemark Hosting (#745)
  * Add GOV.UK PaaS client domains (#765)
  * Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768)
  * Add on-rancher.cloud and on-rio.io (#779)
  * Syncloud dynamic dns service (#727)
  * Add git-pages.rit.edu (#690)
  * Add workers.dev (#772)
  * Update .AM (#756)
  * Add go-vip.net. (#793)
  * Add site.builder.nu (#723)
  * Update .FR sectorial domains (#527)
  * Remove ACTIVE
  * Remove SPIEGEL
  * Remove EPOST
  * Remove ZIPPO
  * Remove BLANCO

- New in version 20190205:
  * Add domains of Individual Network Berlin e.V. (#711)
  * Added bss.design to PSL (#685)
  * Add fastly-terrarium.com (#729)
  * Add Swisscom Application Cloud domains (#698)
  * Update public_suffix_list.dat with api.stdlib.com (#751)
  * Add regional domain for filegear.me (#713)
  * Remove bv.nl (#758)
  * Update public_suffix_list.dat

- Link public_suffix_list.dat to effective_tld_names.dat for the
  purpose of httpcomponents-client

- Do not pull in full python3, psl-make-dafsa already pulls in
  what it needs to generate the things

- New in version 20181227:
  * Add run.app and a.run.app to the psl (#681)
  * Add telebit.io .app .xyz (#726)
  * Add Leadpages domains (#731)
  * Add public suffix entries for dapps.earth (#708)
  * Add Bytemark Hosting domains (#620)
  * Remove .STATOIL
  * linter: Expect rules to be in NFKC (#725)
  * Convert list data from NFKD to NFKC (#720)
  * Update LS (#718)

- New in version 20181030:
  * Add readthedocs.io (#722)
  * Remove trailing whitespace from L11948 (#721)
  * Add krasnik.pl, leczna.pl, lubartow.pl, lublin.pl, poniatowa.pl
    and swidnik.pl domains to the Public Suffix List (#670)
  * Add instantcloud.cn by Redstar Consultants (#696)
  * Add Fermax and mydobiss.com domain (#706)
  * Add shop.th & online.th (#716)
  * Add siteleaf.net (#655)
  * Add wpcomstaging.com and go-vip.co to the PSL (#719)

- Update to version 20181003:
  * Remove deleted TLDs (#710)
  * Added apigee.io (#712)
  * Add AWS ElasticBeanstalk Ningxia, CN region (#597)
  * Add Github PULL REQUEST TEMPLATE (#699)
  * Add ong.br 2nd level domain (#707)

- Update to version 20180813:
  * Update .ID list (#703)
  * Updated .bn ccTLD. Removed wildcard. (#702)
  * Remove stackspace.space from PSL (#691)
  * Remove XPERIA (#697)

- Update to version 20180719:
  * Remove .IWC
  * Update Kuwait's ccTLD (.kw)
  * Use https for www.transip.nl
  * Remove MEO and SAPO

- New in version 20180523:
  * Remove 1password domains (#632)
  * Add cleverapps.io (Clever Cloud) (#634)
  * Remove .BOOTS
  * Add azurecontainer.io to Microsoft domains (#637)
  * Change the patchnewgtlds tool for the updated .zw domain
  * Add new gTLDs up to 2018-04-17 and new ccTLDs up to 2018-04-17
  * cloud.muni.cz cloud subdomains (#622)
  * Add YunoHost DynDns domains: nohost.me & noho.st (#615)
  * Use a custom token for the newGTLD list (#645)
  * lug.org.uk (#514)
  * Adding xnbay.com,u2.xnbay.com,u2-local.xnbay.com to public_suffix_list.dat. (#506)
  * Adding customer.speedpartner.de (#585)
  * Adding ravendb.net subdomains (#535)
  * Adding own.pm (#544)
  * pcloud.host (#531)
  * Add additional Lukanet Ltd domains (#652)
  * Add zone.id (#575)
  * Add half.host (#571)
  * Update 香港 TLD (#568)
  * Add Now-DNS domains (#560)
  * Added blackbaudcdn.net private domain to PSL (#558)
  * Adding IServ GmbH domains (#552)
  * Add FASTVPS EESTI OU domains (#541)
  * nic.it - update regions and provinces (#524)
  * Update Futureweb OG Private Domains (#520)
  * add United Gameserver virtualuser domains (#600)
  * Add Lightmaker Property Manager, Inc domains (#604)
  * Update Uberspace domains (#616)
  * Add Datto, Inc domains
  * Add memset hosting domains (#625)
  * Add utwente.io (#626)
  * Add bci.dnstrace.pro (#630)
  * Add May First domains (#635)
  * Add Linki Tools domains (#636)
  * Update NymNom domains
  * Add Co & Co domains (#650)
  * Add new gTLDs up to 2018-05-08 (#653)
  * Correct linter issues (#654)
  * Add cnpy.gdn as private domain (#633)
  * Add freedesktop.org (#619)
  * Add Omnibond Systems (#656)
  * Add hasura.app to the list (#668)
  * Update gu ccTLD suffixes (#669)

- New in version 20180328:
  * Add gwiddle.co.uk (#521)
  * Add ox.rs (#522)
  * Add myjino.ru (#512)
  * Add ras.ru domains (#511)
  * Add AWS ElasticBeanstalk Osaka, JP region (#628)
  * Remove trailing whitespace (#621)


-----------------------------------------
Patch: SUSE-2020-1511
Released: Fri May 29 18:03:39 2020
Summary: Security update for java-11-openjdk
Severity: important
References: 1167462,1169511,CVE-2020-2754,CVE-2020-2755,CVE-2020-2756,CVE-2020-2757,CVE-2020-2767,CVE-2020-2773,CVE-2020-2778,CVE-2020-2781,CVE-2020-2800,CVE-2020-2803,CVE-2020-2805,CVE-2020-2816,CVE-2020-2830
Description:
This update for java-11-openjdk fixes the following issues:

Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).

Security issues fixed:

- CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511).
- CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511).
- CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).
- CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined system security policy and lead to the use of weak crypto algorithms (bsc#1169511).
- CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511).
- CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511).
- CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511).
- CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).


-----------------------------------------
Patch: SUSE-2020-1542
Released: Thu Jun  4 13:24:37 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1172055
Description:
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)
 

-----------------------------------------
Patch: SUSE-2020-1677
Released: Thu Jun 18 18:16:39 2020
Summary: Security update for mozilla-nspr, mozilla-nss
Severity: important
References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes

mozilla-nspr to version 4.25


-----------------------------------------
Patch: SUSE-2020-1852
Released: Mon Jul  6 16:50:23 2020
Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts
Severity: moderate
References: 1169444
Description:
This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:

Changes in fontforge:

- Support transforming bitmap glyphs from python. (bsc#1169444)
- Allow python-Sphinx >= 3

Changes in ttf-converter:

- Update from version 1.0 to version 1.0.6:
  * ftdump is now shipped additionally as new dependency for ttf-converter
  * Standardize output when converting vector and bitmap fonts
  * Add more subfamilies fixes (bsc#1169444)
  * Add --family and --subfamily arguments to force values on those fields
  * Add parameters to fix glyph unicode values
    --fix-glyph-unicode : Try to fix unicode points and glyph names
      based on glyph names containing hexadecimal codes (like
      '$0C00', 'char12345' or 'uni004F')
    
    --replace-unicode-values: When passed 2 comma separated numbers
      a,b the glyph with an unicode value of a is replaced with the
      unicode value b. Can be used more than once.

    --shift-unicode-values: When passed 3 comma separated numbers
      a,b,c this shifts the unicode values of glyphs between a and b
      (both included) by adding c. Can be used more than once.
  * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)
    When used, all glyphs are modified with the transformation function and
    values passed as parameters. The parameter has three values separated by 
    commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff
  * Add support to convert bitmap fonts (bsc#1169444)
  * Rename MediumItalic subfamily to Medium Italic
  * Show some more information when removing duplicated glyphs
  * Add a --force-monospaced argument instead of hardcoding font names
  * Convert `BoldCond` subfamily to `Bold Condensed`
  * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)
  * Add a --version argument
  * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)

Changes in xorg-x11-fonts:

- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
- Include the subfamily in the filename of converted fonts
- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
- Replace some unicode values in cu-pua12.pcf.gz to fix them
- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs 
  don't pretend to be latin characters when they're not.
- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)
  Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, 
  MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

Changes in ghostscript-fonts:

- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) 
  Use the --force-monospaced argument of ttf-converter 1.0.3


-----------------------------------------
Patch: SUSE-2020-1954
Released: Sat Jul 18 03:07:15 2020
Summary: Recommended update for cracklib
Severity: moderate
References: 1172396
Description:
This update for cracklib fixes the following issues:

- Fixed a buffer overflow when processing long words.


-----------------------------------------
Patch: SUSE-2020-2083
Released: Thu Jul 30 10:27:59 2020
Summary: Recommended update for diffutils
Severity: moderate
References: 1156913
Description:
This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)


-----------------------------------------
Patch: SUSE-2020-2116
Released: Tue Aug  4 15:12:41 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)


-----------------------------------------
Patch: SUSE-2020-2143
Released: Thu Aug  6 11:06:49 2020
Summary: Security update for java-11-openjdk
Severity: important
References: 1174157,CVE-2020-14556,CVE-2020-14562,CVE-2020-14573,CVE-2020-14577,CVE-2020-14581,CVE-2020-14583,CVE-2020-14593,CVE-2020-14621
Description:
This update for java-11-openjdk fixes the following issues:

- Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157)
  * Security fixes:
    + JDK-8230613: Better ASCII conversions
    + JDK-8231800: Better listing of arrays
    + JDK-8232014: Expand DTD support
    + JDK-8233234: Better Zip Naming
    + JDK-8233239, CVE-2020-14562: Enhance TIFF support
    + JDK-8233255: Better Swing Buttons
    + JDK-8234032: Improve basic calendar services
    + JDK-8234042: Better factory production of certificates
    + JDK-8234418: Better parsing with CertificateFactory
    + JDK-8234836: Improve serialization handling
    + JDK-8236191: Enhance OID processing
    + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
    + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
    + JDK-8237592, CVE-2020-14577: Enhance certificate verification
    + JDK-8238002, CVE-2020-14581: Better matrix operations
    + JDK-8238013: Enhance String writing
    + JDK-8238804: Enhance key handling process
    + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
    + JDK-8238843: Enhanced font handing
    + JDK-8238920, CVE-2020-14583: Better Buffer support
    + JDK-8238925: Enhance WAV file playback
    + JDK-8240119, CVE-2020-14593: Less Affine Transformations
    + JDK-8240482: Improved WAV file playback
    + JDK-8241379: Update JCEKS support
    + JDK-8241522: Manifest improved jar headers redux
    + JDK-8242136, CVE-2020-14621: Better XML namespace handling
  * Other changes:
    + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException:
      Buffers have not been created
    + JDK-7124307: JSpinner and changing value by mouse
    + JDK-8022574: remove HaltNode code after uncommon trap calls
    + JDK-8039082: [TEST_BUG] Test
      java/awt/dnd/BadSerializationTest/BadSerializationTest.java
      fails
    + JDK-8040630: Popup menus and tooltips flicker with previous
       popup contents when first shown
    + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with
      ENOMEM when joining group (OS X 10.9)
    + JDK-8048215: [TESTBUG]
      java/lang/management/ManagementFactory/ThreadMXBeanProxy.java
       Expected non-null LockInfo
    + JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails
      in nightly
    + JDK-8080353: JShell: Better error message on attempting to
       add default method
    + JDK-8139876: Exclude hanging nsk/stress/stack from execution
      with deoptimization enabled
    + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails
       with -XX:+DeoptimizeALot
    + JDK-8153430: jdk regression test MletParserLocaleTest,
       ParserInfiniteLoopTest reduce default timeout
    + JDK-8156207: Resource allocated BitMaps are often cleared
      unnecessarily
    + JDK-8159740: JShell: corralled declarations do not have
      correct source to wrapper mapping
    + JDK-8175984: ICC_Profile has un-needed, not-empty finalize
      method
    + JDK-8176359: Frame#setMaximizedbounds not working properly in
       multi screen environments
    + JDK-8183369: RFC unconformity of HttpURLConnection with proxy
    + JDK-8187078: -XX:+VerifyOops finds numerous problems when
       running JPRT
    + JDK-8189861: Refactor CacheFind
    + JDK-8191169: java/net/Authenticator/B4769350.java failed
      intermittently
    + JDK-8191930: [Graal] emits unparseable XML into compile log
    + JDK-8193879: Java debugger hangs on method invocation
    + JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on
      Windows
    + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
    + JDK-8198000:
      java/awt/List/EmptyListEventTest/EmptyListEventTest.java
      debug assert on Windows
    + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/
      /WrongParentAfterRemoveMenu.java debug assert on Windows
    + JDK-8198339: Test javax/swing/border/Test6981576.java is
      unstable
    + JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows,
      after JDK-8198801
    + JDK-8203264: JNI exception pending in
      PlainDatagramSocketImpl.c:740
    + JDK-8203672: JNI exception pending in PlainSocketImpl.c
    + JDK-8203673: JNI exception pending in
      DualStackPlainDatagramSocketImpl.c:398
    + JDK-8204834: Fix confusing 'allocate' naming in OopStorage
    + JDK-8205399: Set node color on pinned HashMap.TreeNode
      deletion
    + JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/
      /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with
      handshake_failure
    + JDK-8206179: com/sun/management/OperatingSystemMXBean/
      /GetCommittedVirtualMemorySize.java fails with Committed
      virtual memory size illegal value
    + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit()
      with RunThese30M
    + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize)
      doesn't work with 1GB LargePages


-----------------------------------------
Patch: SUSE-2020-2197
Released: Tue Aug 11 13:32:49 2020
Summary: Security update for libX11
Severity: important
References: 1174628,CVE-2020-14344
Description:
This update for libX11 fixes the following issues:

- Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628).


-----------------------------------------
Patch: SUSE-2020-2373
Released: Fri Aug 28 12:58:51 2020
Summary: Security update for SUSE Manager 4.1.1
Severity: moderate
References: 1136857,1165572,1169553,1169780,1170244,1170468,1170654,1171281,1172279,1172504,1172709,1172807,1172831,1172839,1173169,1173522,1173535,1173554,1173566,1173584,1173932,1173982,1173997,1174025,1174167,1174201,1174229,1174325,1174405,1174470,1174965,1175485,1175555,1175558,1175724,1175791,678126,CVE-2020-11022
Description:
This consolidated update includes multiple patchinfos for SUSE Manager Server and Proxy. This patchinfo is used for the
codestream release only.
  

-----------------------------------------
Patch: SUSE-2020-2420
Released: Tue Sep  1 13:48:35 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1174551,1174736
Description:
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)


-----------------------------------------
Patch: SUSE-2020-2474
Released: Thu Sep  3 12:10:29 2020
Summary: Security update for libX11
Severity: moderate
References: 1175239,CVE-2020-14363
Description:
This update for libX11 fixes the following issues:

- CVE-2020-14363: Fix an integer overflow in init_om() (bsc#1175239).


-----------------------------------------
Patch: SUSE-2020-2651
Released: Wed Sep 16 14:42:55 2020
Summary: Recommended update for zlib
Severity: moderate
References: 1175811,1175830,1175831
Description:
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)


-----------------------------------------
Patch: SUSE-2020-2947
Released: Fri Oct 16 15:23:07 2020
Summary: Security update for gcc10, nvptx-tools
Severity: moderate
References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
Description:
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  

-----------------------------------------
Patch: SUSE-2020-2983
Released: Wed Oct 21 15:03:03 2020
Summary: Recommended update for file
Severity: moderate
References: 1176123
Description:
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
  

-----------------------------------------
Patch: SUSE-2020-2995
Released: Thu Oct 22 10:03:09 2020
Summary: Security update for freetype2
Severity: important
References: 1177914,CVE-2020-15999
Description:
This update for freetype2 fixes the following issues:

- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).


-----------------------------------------
Patch: SUSE-2020-3091
Released: Thu Oct 29 16:35:37 2020
Summary: Security update for MozillaThunderbird and mozilla-nspr
Severity: important
References: 1174230,1176384,1176756,1176899,1177977,CVE-2020-15673,CVE-2020-15676,CVE-2020-15677,CVE-2020-15678,CVE-2020-15683,CVE-2020-15969
Description:
This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

- Mozilla Thunderbird 78.4
  * new: MailExtensions: browser.tabs.sendMessage API added
  * new: MailExtensions: messageDisplayScripts API added
  * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2
  * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages
  * changed: MailExtensions: compose.begin functions now support creating a message with attachments
  * fixed: Thunderbird could freeze when updating global search index
  * fixed: Multiple issues with handling of self-signed SSL certificates addressed
  * fixed: Recipient address fields in compose window could expand to fill all available space
  * fixed: Inserting emoji characters in message compose window caused unexpected behavior
  * fixed: Button to restore default folder icon color was not keyboard accessible
  * fixed: Various keyboard navigation fixes
  * fixed: Various color-related theme fixes
  * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work
  MFSA 2020-47 (bsc#1177977)
  * CVE-2020-15969 Use-after-free in usersctp
  * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
- Mozilla Thunderbird 78.3.3
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP message status icons were not visible in message header pane
  * Creating a new calendar event did not require an event title
- Mozilla Thunderbird 78.3.2 (bsc#1176899)
  * OpenPGP: Improved support for encrypting with subkeys
  * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly
  * Single-click deletion of recipient pills with middle mouse button restored
  * Searching an address book list did not display results
  * Dark mode, high contrast, and Windows theming fixes
- Mozilla Thunderbird 78.3.1
  * fix crash in nsImapProtocol::CreateNewLineFromSocket
- Mozilla Thunderbird 78.3.0
  MFSA 2020-44 (bsc#1176756)
  * CVE-2020-15677 Download origin spoofing via redirect
  * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element
  * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
  * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

- update mozilla-nspr to version 4.25.1
  * The macOS platform code for shared library loading was
    changed to support macOS 11.
  * Dependency needed for the MozillaThunderbird update


-----------------------------------------
Patch: SUSE-2020-3099
Released: Thu Oct 29 19:33:41 2020
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)
  * Revised predictions for Morocco's changes starting in 2023.
  * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
  * Macquarie Island has stayed in sync with Tasmania since 2011.
  * Casey, Antarctica is at +08 in winter and +11 in summer.
  * zic no longer supports -y, nor the TYPE field of Rules.


-----------------------------------------
Patch: SUSE-2020-3123
Released: Tue Nov  3 09:48:13 2020
Summary: Recommended update for timezone
Severity: important
References: 1177460,1178346,1178350,1178353
Description:
This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)


-----------------------------------------
Patch: SUSE-2020-3359
Released: Tue Nov 17 13:18:30 2020
Summary: Security update for java-11-openjdk
Severity: moderate
References: 1177943,CVE-2020-14779,CVE-2020-14781,CVE-2020-14782,CVE-2020-14792,CVE-2020-14796,CVE-2020-14797,CVE-2020-14798,CVE-2020-14803
Description:
This update for java-11-openjdk fixes the following issues:

- Update to upstream tag jdk-11.0.9-11 (October 2020 CPU,
  bsc#1177943)
  * New features
    + JDK-8250784: Shenandoah: A Low-Pause-Time Garbage Collector
  * Security fixes
    + JDK-8233624: Enhance JNI linkage
    + JDK-8236196: Improve string pooling
    + JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
    + JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
    + JDK-8237995, CVE-2020-14782: Enhance certificate processing
    + JDK-8240124: Better VM Interning
    + JDK-8241114, CVE-2020-14792: Better range handling
    + JDK-8242680, CVE-2020-14796: Improved URI Support
    + JDK-8242685, CVE-2020-14797: Better Path Validation
    + JDK-8242695, CVE-2020-14798: Enhanced buffer support
    + JDK-8243302: Advanced class supports
    + JDK-8244136, CVE-2020-14803: Improved Buffer supports
    + JDK-8244479: Further constrain certificates
    + JDK-8244955: Additional Fix for JDK-8240124
    + JDK-8245407: Enhance zoning of times
    + JDK-8245412: Better class definitions
    + JDK-8245417: Improve certificate chain handling
    + JDK-8248574: Improve jpeg processing
    + JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
    + JDK-8253019: Enhanced JPEG decoding
  * Other changes
    + JDK-6532025: GIF reader throws misleading exception with
      truncated images
    + JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/
      /PDialogTest.java needs update by removing an infinite loop
    + JDK-8022535: [TEST BUG] javax/swing/text/html/parser/
      /Test8017492.java fails
    + JDK-8062947: Fix exception message to correctly represent
      LDAP connection failure
    + JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
    + JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/
      /CloseServerSocket.java fails intermittently with Address
      already in use
    + JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed
      due to timeout on DeadServerNoTimeoutTest is incorrect
    + JDK-8160768: Add capability to custom resolve host/domain
      names within the default JNDI LDAP provider
    + JDK-8172404: Tools should warn if weak algorithms are used
      before restricting them
    + JDK-8193367: Annotated type variable bounds crash javac
    + JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java
      fails intermittently: Connection reset
    + JDK-8203026: java.rmi.NoSuchObjectException: no such object
      in table
    + JDK-8203281: [Windows] JComboBox change in ui when
      editor.setBorder() is called
    + JDK-8203382: Rename SystemDictionary::initialize_wk_klass to
      resolve_wk_klass
    + JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and
      JdbExprTest.sh fail due to timeout
    + JDK-8203928: [Test] Convert non-JDB scaffolding
      serviceability shell script tests to java
    + JDK-8204963: javax.swing.border.TitledBorder has a memory leak
    + JDK-8204994: SA might fail to attach to process with 'Windbg
      Error: WaitForEvent failed'
    + JDK-8205534: Remove SymbolTable dependency from
      serviceability agent
    + JDK-8206309: Tier1 SA tests fail
    + JDK-8208281: java/nio/channels/
      /AsynchronousSocketChannel/Basic.java timed out
    + JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java
      version - step1
    + JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh
      is incorrect
    + JDK-8209342: Problemlist SA tests on Solaris due to Error
      attaching to process: Can't create thread_db agent!
    + JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java
      should be marked as headful
    + JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with
      timeout
    + JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java
      version - step2
    + JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with
      ZGC
    + JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
    + JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/
      /ap10t001/TestDescription.java failed with ObjectFree:
      GetCurrentThreadCpuTimerInfo returned unexpected error code
    + JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java
      version - step3
    + JDK-8210527: JShell: NullPointerException in
      jdk.jshell.Eval.translateExceptionStack
    + JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related
      tests
    + JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails
      with waitForPrompt timed out after 60 seconds
    + JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should
      clarify which output is the pending reply after a timeout
    + JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java
      version - step4
    + JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java
      fails to find ThreadLocalObject
    + JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh
      test
    + JDK-8211694: JShell: Redeclared variable should be reset
    + JDK-8212200: assert when shared java.lang.Object is redefined
      by JVMTI agent
    + JDK-8212629: [TEST] wrong breakpoint in
      test/jdk/com/sun/jdi/DeferredStepTest
    + JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57)
      - unexpected. lastLine=52, minLine=52, maxLine=55
    + JDK-8212807: tools/jar/multiRelease/Basic.java times out
    + JDK-8213182: Minimal VM build failure after JDK-8212200
      (assert when shared java.lang.Object is redefined by JVMTI
      agent)
    + JDK-8213214: Set -Djava.io.tmpdir= when running tests
    + JDK-8213275: ReplaceCriticalClasses.java fails with
      jdk.internal.vm.PostVMInitHook not found
    + JDK-8213574: Deadlock in string table expansion when dumping
      lots of CDS classes
    + JDK-8213703: LambdaConversionException: Invalid receiver type
      not a subtype of implementation type interface
    + JDK-8214074: Ghash optimization using AVX instructions
    + JDK-8214491: Upgrade to JLine 3.9.0
    + JDK-8214797: TestJmapCoreMetaspace.java timed out
    + JDK-8215243: JShell tests failing intermitently with
      'Problem cleaning up the following threads:'
    + JDK-8215244: jdk/jshell/ToolBasicTest.java
      testHistoryReference failed
    + JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash
      optimization using AVX instructions)
    + JDK-8215438: jshell tool: Ctrl-D causes EOF
    + JDK-8216021: RunTest.gmk might set concurrency level to 1 on
      Windows
    + JDK-8216974: HttpConnection not returned to the pool after
      204 response
    + JDK-8218948: SimpleDateFormat :: format - Zone Names are not
      reflected correctly during run time
    + JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is
      too small on new Skylake CPUs
    + JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs
      instead of aliased B&W glyphs
    + JDK-8221658: aarch64: add necessary predicate for ubfx
      patterns
    + JDK-8221759: Crash when completing 'java.io.File.path'
    + JDK-8221918: runtime/SharedArchiveFile/serviceability/
      /ReplaceCriticalClasses.java fails: Shared archive not found
    + JDK-8222074: Enhance auto vectorization for x86
    + JDK-8222079: Don't use memset to initialize fields decode_env
      constructor in disassembler.cpp
    + JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely
      on hostname command
    + JDK-8223688: JShell: crash on the instantiation of raw
      anonymous class
    + JDK-8223777: In posix_spawn mode, failing to exec()
      jspawnhelper does not result in an error
    + JDK-8223940: Private key not supported by chosen signature
      algorithm
    + JDK-8224184: jshell got IOException at exiting with AIX
    + JDK-8224234: compiler/codegen/TestCharVect2.java fails in
      test_mulc
    + JDK-8225037: java.net.JarURLConnection::getJarEntry() throws
      NullPointerException
    + JDK-8225625: AES Electronic Codebook (ECB) encryption and
      decryption optimization using AVX512 + VAES instructions
    + JDK-8226536: Catch OOM from deopt that fails rematerializing
      objects
    + JDK-8226575: OperatingSystemMXBean should be made container
      aware
    + JDK-8226697: Several tests which need the @key headful
      keyword are missing it.
    + JDK-8226809: Circular reference in printed stack trace is not
      correctly indented & ambiguous
    + JDK-8227059: sun/security/tools/keytool/
      /DefaultSignatureAlgorithm.java timed out
    + JDK-8227269: Slow class loading when running with JDWP
    + JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java
      fails due to 'exitValue = 6'
    + JDK-8228448: Jconsole can't connect to itself
    + JDK-8228967: Trust/Key store and SSL context utilities for
      tests
    + JDK-8229378: jdwp library loader in linker_md.c quietly
      truncates on buffer overflow
    + JDK-8229815: Upgrade Jline to 3.12.1
    + JDK-8230000: some httpclients testng tests run zero test
    + JDK-8230002: javax/xml/jaxp/unittest/transform/
      /SecureProcessingTest.java runs zero test
    + JDK-8230010: Remove jdk8037819/BasicTest1.java
    + JDK-8230094: CCE in createXMLEventWriter(Result) over an
      arbitrary XMLStreamWriter
    + JDK-8230402: Allocation of compile task fails with assert:
      'Leaking compilation tasks?'
    + JDK-8230767: FlightRecorderListener returns null recording
    + JDK-8230870: (zipfs) Add a ZIP FS test that is similar to
      test/jdk/java/util/zip/EntryCount64k.java
    + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes()
      can be quicker for self thread
    + JDK-8231586: enlarge encoding space for OopMapValue offsets
    + JDK-8231953: Wrong assumption in assertion in
      oop::register_oop
    + JDK-8231968: getCurrentThreadAllocatedBytes default
      implementation s/b getThreadAllocatedBytes
    + JDK-8232083: Minimal VM is broken after JDK-8231586
    + JDK-8232161: Align some one-way conversion in MS950 charset
      with Windows
    + JDK-8232855: jshell missing word in /help help
    + JDK-8233027: OopMapSet::all_do does oms.next() twice during
      iteration
    + JDK-8233228: Disable weak named curves by default in TLS,
      CertPath, and Signed JAR
    + JDK-8233386: Initialize NULL fields for unused decorations
    + JDK-8233452: java.math.BigDecimal.sqrt() with
      RoundingMode.FLOOR results in incorrect result
    + JDK-8233686: XML transformer uses excessive amount of memory
    + JDK-8233741: AES Countermode (AES-CTR) optimization using
      AVX512 + VAES instructions
    + JDK-8233829: javac cannot find non-ASCII module name under
      non-UTF8 environment
    + JDK-8233958: Memory retention due to HttpsURLConnection
      finalizer that serves no purpose
    + JDK-8234011: (zipfs) Memory leak in
      ZipFileSystem.releaseDeflater()
    + JDK-8234058: runtime/CompressedOops/
      /CompressedClassPointers.java fails with 'Narrow klass base:
      0x0000000000000000' missing from stdout/stderr
    + JDK-8234149: Several regression tests do not dispose Frame at
      end
    + JDK-8234347: 'Turkey' meta time zone does not generate
      composed localized names
    + JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/
      /bug6980209.java fails in linux nightly
    + JDK-8234535: Cross compilation fails due to missing CFLAGS
      for the BUILD_CC
    + JDK-8234541: C1 emits an empty message when it inlines
      successfully
    + JDK-8234687: change javap reporting on unknown attributes
    + JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK
      11
    + JDK-8236548: Localized time zone name inconsistency between
      English and other locales
    + JDK-8236617: jtreg test containers/docker/
      /TestMemoryAwareness.java fails after 8226575
    + JDK-8237182: Update copyright header for shenandoah and
      epsilon files
    + JDK-8237888: security/infra/java/security/cert/
      /CertPathValidator/certification/LuxTrustCA.java fails when
      checking validity interval
    + JDK-8237977: Further update
      javax/net/ssl/compatibility/Compatibility.java
    + JDK-8238270: java.net HTTP/2 client does not decrease stream
      count when receives 204 response
    + JDK-8238284: [macos] Zero VM build fails due to an obvious
      typo
    + JDK-8238380: java.base/unix/native/libjava/childproc.c
      'multiple definition' link errors with GCC10
    + JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c
      'multiple definition' link errors with GCC10
    + JDK-8238388: libj2gss/NativeFunc.o 'multiple definition' link
      errors with GCC10
    + JDK-8238448: RSASSA-PSS signature verification fail when
      using certain odd key sizes
    + JDK-8238710: LingeredApp doesn't log stdout/stderr if exits
      with non-zero code
    + JDK-8239083: C1 assert(known_holder == NULL ||
      (known_holder->is_instance_klass() &&
      (!known_holder->is_interface() ||
      ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())),
      'should be non-static concrete method');
    + JDK-8239385: KerberosTicket client name refers wrongly to
      sAMAccountName in AD
    + JDK-8240169: javadoc fails to link to non-modular api docs
    + JDK-8240295: hs_err elapsed time in seconds is not accurate
      enough
    + JDK-8240360: NativeLibraryEvent has wrong library name on
      Linux
    + JDK-8240676: Meet not symmetric failure when running lucene
      on jdk8
    + JDK-8241007: Shenandoah: remove
      ShenandoahCriticalControlThreadPriority support
    + JDK-8241065: Shenandoah: remove leftover code after
      JDK-8231086
    + JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is
      failing on 32bit Windows
    + JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier:
      java.lang.NullPointerException
    + JDK-8241138: http.nonProxyHosts=* causes
      StringIndexOutOfBoundsException in DefaultProxySelector
    + JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
    + JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java
      fails with OOME
    + JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
    + JDK-8241750: x86_32 build failure after JDK-8227269
    + JDK-8242184: CRL generation error with RSASSA-PSS
    + JDK-8242283: Can't start JVM when java home path includes
      non-ASCII character
    + JDK-8242556: Cannot load RSASSA-PSS public key with non-null
      params from byte array
    + JDK-8243029: Rewrite javax/net/ssl/compatibility/
      /Compatibility.java with a flexible interop test framework
    + JDK-8243138: Enhance BaseLdapServer to support starttls
      extended request
    + JDK-8243320: Add SSL root certificates to Oracle Root CA
      program
    + JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA
      program
    + JDK-8243389: enhance os::pd_print_cpu_info on linux
    + JDK-8243453: java --describe-module failed with non-ASCII
      module name under non-UTF8 environment
    + JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
    + JDK-8243489: Thread CPU Load event may contain wrong data for
      CPU time under certain conditions
    + JDK-8243925: Toolkit#getScreenInsets() returns wrong value on
      HiDPI screens (Windows)
    + JDK-8244087: 2020-04-24 public suffix list update
    + JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest
      release 1.8.26
    + JDK-8244164: AArch64: jaotc generates incorrect code for
      compressed OOPs with non-zero heap base
    + JDK-8244196: adjust output in os_linux
    + JDK-8244225: stringop-overflow warning on strncpy call from
      compile_the_world_in
    + JDK-8244287: JFR: Methods samples have line number 0
    + JDK-8244703: 'platform encoding not initialized' exceptions
      with debugger, JNI
    + JDK-8244719: CTW: C2 compilation fails with
      'assert(!VerifyHashTableKeys || _hash_lock == 0) failed:
      remove node from hash table before modifying it'
    + JDK-8244729: Shenandoah: remove resolve paths from
      SBSA::generate_shenandoah_lrb
    + JDK-8244763: Update --release 8 symbol information after JSR
      337 MR3
    + JDK-8244818: Java2D Queue Flusher crash while moving
      application window to external monitor
    + JDK-8245151: jarsigner should not raise duplicate warnings on
      verification
    + JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
    + JDK-8245714: 'Bad graph detected in build_loop_late' when
      loads are pinned on loop limit check uncommon branch
    + JDK-8245801: StressRecompilation triggers assert 'redundunt
      OSR recompilation detected. memory leak in CodeCache!'
    + JDK-8245832: JDK build make-static-libs should build all JDK
      libraries
    + JDK-8245880: Shenandoah: check class unloading flag early in
      concurrent code root scan
    + JDK-8245981: Upgrade to jQuery 3.5.1
    + JDK-8246027: Minimal fastdebug build broken after JDK-8245801
    + JDK-8246094: [macos] Sound Recording and playback is not
      working
    + JDK-8246153: TestEliminateArrayCopy fails with
      -XX:+StressReflectiveCode
    + JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
    + JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest
      fails with AssertionError
    + JDK-8246203: Segmentation fault in verification due to stack
      overflow with -XX:+VerifyIterativeGVN
    + JDK-8246330: Add TLS Tests for Legacy ECDSA curves
    + JDK-8246453: TestClone crashes with 'all collected exceptions
      must come from the same place'
    + JDK-8247246: Add explicit ResolvedJavaType.link and expose
      presence of default methods
    + JDK-8247350: [aarch64] assert(false) failed: wrong size of
      mach node
    + JDK-8247502: PhaseStringOpts crashes while optimising
      effectively dead code
    + JDK-8247615: Initialize the bytes left for the heap sampler
    + JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV
      in SBC2Support::pin_and_expand
    + JDK-8247874: Replacement in VersionProps.java.template not
      working when --with-vendor-bug-url contains '&'
    + JDK-8247979: aarch64: missing side effect of killing flags
      for clearArray_reg_reg
    + JDK-8248214: Add paddings for TaskQueueSuper to reduce
      false-sharing cache contention
    + JDK-8248219: aarch64: missing memory barrier in
      fast_storefield and fast_accessfield
    + JDK-8248348: Regression caused by the update to BCEL 6.0
    + JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to
      jtreg 5.1
    + JDK-8248495: [macos] zerovm is broken due to libffi headers
      location
    + JDK-8248851: CMS: Missing memory fences between free chunk
      check and klass read
    + JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on
      Windows
    + JDK-8249159: Downport test rework for SSLSocketTemplate from
      8224650
    + JDK-8249215: JFrame::setVisible crashed with
      -Dfile.encoding=UTF-8 on Japanese Windows.
    + JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is
      not highlighted in GTKLookAndFeel
    + JDK-8249255: Build fails if source code in cygwin home dir
    + JDK-8249277: TestVerifyIterativeGVN.java is failing with
      timeout in OpenJDK 11
    + JDK-8249278: Revert JDK-8226253 which breaks the spec of
      AccessibleState.SHOWING for JList
    + JDK-8249560: Shenandoah: Fix racy GC request handling
    + JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
    + JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should
      account for corner cases
    + JDK-8250582: Revert Principal Name type to NT-UNKNOWN when
      requesting TGS Kerberos tickets
    + JDK-8250609: C2 crash in IfNode::fold_compares
    + JDK-8250627: Use -XX:+/-UseContainerSupport for
      enabling/disabling Java container metrics
    + JDK-8250755: Better cleanup for
      jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
    + JDK-8250787: Provider.put no longer registering aliases in
      FIPS env
    + JDK-8250826: jhsdb does not work with coredump which comes
      from Substrate VM
    + JDK-8250827: Shenandoah: needs to reset/finish StringTable's
      dead count before/after parallel walk
    + JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check
      the bounds
    + JDK-8251117: Cannot check P11Key size in P11Cipher and
      P11AEADCipher
    + JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java
      test failure
    + JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with
      I-U
    + JDK-8251469: Better cleanup for
      test/jdk/javax/imageio/SetOutput.java
    + JDK-8251487: Shenandoah: missing detail timing tracking for
      final mark cleaning phase
    + JDK-8252120: compiler/oracle/TestCompileCommand.java
      misspells 'occured'
    + JDK-8252157: JDK-8231209 11u backport breaks jmm binary
      compatibility
    + JDK-8252258: [11u] JDK-8242154 changes the default vendor
    + JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after
      downport of 8234011
    + JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10)
      in JDK 11
    + JDK-8253283: [11u] Test build/translations/
      /VerifyTranslations.java failing after JDK-8252258
    + JDK-8253813: Backout JDK-8244287 from 11u: it causes several
      crashes
    + Fix regression '8250861: Crash in MinINode::Ideal(PhaseGVN*,
      bool)' introduced in jdk 11.0.9


-----------------------------------------
Patch: SUSE-2020-3462
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Severity: moderate
References: 1174593,1177858,1178727
Description:
This update for pam and sudo fixes the following issues:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)


-----------------------------------------
Patch: SUSE-2020-3620
Released: Thu Dec  3 17:03:55 2020
Summary: Recommended update for pam
Severity: moderate
References: 
Description:
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of the user's name of at least `<N>` characters in length, in
  some form. This is enabled by the new parameter `usersubstr=<N>`.


-----------------------------------------
Patch: SUSE-2020-3772
Released: Mon Dec 14 11:11:29 2020
Summary: Recommended update for hamcrest
Severity: moderate
References: 1174544
Description:
This update for hamcrest fixes the following issue:

- Add obsoletes in the core API to solve conflicts during updates. (bsc#1174544)


-----------------------------------------
Patch: SUSE-2020-3942
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Severity: moderate
References: 1180138
Description:
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  adjusted the RPM license tags (bsc#1180138)


-----------------------------------------
Patch: SUSE-2021-65
Released: Mon Jan 11 15:11:49 2021
Summary: Recommended update for hamcrest
Severity: low
References: 1120493,1179994
Description:
This update for hamcrest fixes the following issues:

- Make hamcrest build reproducibly. (bsc#1120493)
- Fix typo in hamcrest-core description. (bsc#1179994)


-----------------------------------------
Patch: SUSE-2021-179
Released: Wed Jan 20 13:38:51 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.

- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.


-----------------------------------------
Patch: SUSE-2021-220
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Severity: moderate
References: 1180603
Description:
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)


-----------------------------------------
Patch: SUSE-2021-293
Released: Wed Feb  3 12:52:34 2021
Summary: Recommended update for gmp
Severity: moderate
References: 1180603
Description:
This update for gmp fixes the following issues:

- Correct license statements of packages (library itself is not GPL-3.0) (bsc#1180603)


-----------------------------------------
Patch: SUSE-2021-301
Released: Thu Feb  4 08:46:27 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.


-----------------------------------------
Patch: SUSE-2021-339
Released: Mon Feb  8 13:16:07 2021
Summary: Optional update for pam
Severity: low
References: 
Description:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.


-----------------------------------------
Patch: SUSE-2021-352
Released: Tue Feb  9 15:02:05 2021
Summary: Security update for java-11-openjdk
Severity: important
References: 1181239
Description:
This update for java-11-openjdk fixes the following issues:

java-11-openjdk was upgraded to include January 2021 CPU (bsc#1181239)
- Enable Shenandoah GC for x86_64 (jsc#ECO-3171)


-----------------------------------------
Patch: SUSE-2021-761
Released: Wed Mar 10 12:26:54 2021
Summary: Recommended update for libX11
Severity: moderate
References: 1181963
Description:
This update for libX11 fixes the following issues:

- Fixes a race condition in 'libX11' that causes various applications to crash randomly. (bsc#1181963)


-----------------------------------------
Patch: SUSE-2021-786
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Severity: moderate
References: 1176201
Description:
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)


-----------------------------------------
Patch: SUSE-2021-924
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
Description:
This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding the config to add cleanup options for '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly (required with 'tmpfs'). (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)


-----------------------------------------
Patch: SUSE-2021-930
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Severity: important
References: 1172442,1181358,CVE-2020-11080
Description:
This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)


-----------------------------------------
Patch: SUSE-2021-1007
Released: Thu Apr  1 17:47:20 2021
Summary: Security update for MozillaFirefox
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
Description:
This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs


-----------------------------------------
Patch: SUSE-2021-1282
Released: Tue Apr 20 14:47:17 2021
Summary: Security update for apache-commons-io
Severity: moderate
References: 1184755,CVE-2021-29425
Description:
This update for apache-commons-io fixes the following issues:

- CVE-2021-29425: Limited path traversal when invoking the method FilenameUtils.normalize with an improper input string (bsc#1184755)


-----------------------------------------
Patch: SUSE-2021-1409
Released: Wed Apr 28 16:32:50 2021
Summary: Security update for giflib
Severity: low
References: 1184123
Description:
This update for giflib fixes the following issues:

- Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123).


-----------------------------------------
Patch: SUSE-2021-1554
Released: Tue May 11 09:43:41 2021
Summary: Security update for java-11-openjdk
Severity: important
References: 1184606,1185055,1185056,CVE-2021-2161,CVE-2021-2163
Description:
This update for java-11-openjdk fixes the following issues:

- Update to upstream tag jdk-11.0.11+9 (April 2021 CPU)
  * CVE-2021-2163: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055)
  * CVE-2021-2161: Fixed incorrect handling of partially quoted arguments in ProcessBuilder (bsc#1185056)
- Moved the mozilla-nss dependency to the java-11-openjdk-headless package; this is necessary to be able to do crypto
  with just java-11-openjdk-headless installed (bsc#1184606).


-----------------------------------------
Patch: SUSE-2021-1563
Released: Tue May 11 11:16:00 2021
Summary: Recommended update for maven
Severity: moderate
References: 1184022
Description:
This update for systemtap fixes the following issues:

- Releasing maven for SLE-15 SP1 and SP2. (bsc#1184022) 


-----------------------------------------
Patch: SUSE-2021-1643
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Severity: important
References: 1181443,1184358,1185562
Description:
This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
  an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)



-----------------------------------------
Patch: SUSE-2021-1765
Released: Wed May 26 12:36:38 2021
Summary: Security update for libX11
Severity: moderate
References: 1182506,CVE-2021-31535
Description:
This update for libX11 fixes the following issues:

- CVE-2021-31535: Fixed missing request length checks in libX11 (bsc#1182506).


-----------------------------------------
Patch: SUSE-2021-1861
Released: Fri Jun  4 09:59:40 2021
Summary: Recommended update for gcc10
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016
Description:
This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)


-----------------------------------------
Patch: SUSE-2021-1897
Released: Tue Jun  8 16:15:17 2021
Summary: Security update for libX11
Severity: important
References: 1186643,CVE-2021-31535
Description:
This update for libX11 fixes the following issues:

- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)


-----------------------------------------
Patch: SUSE-2021-1937
Released: Thu Jun 10 10:47:09 2021
Summary: Recommended update for nghttp2
Severity: moderate
References: 1186642
Description:

This update for nghttp2 fixes the following issue:

- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 SP2 and SP3 than in 15 SP1, which could lead
  to migration issues. (bsc#1186642)


-----------------------------------------
Patch: SUSE-2021-2146
Released: Wed Jun 23 17:55:14 2021
Summary: Recommended update for openssh
Severity: moderate
References: 1115550,1174162
Description:
This update for openssh fixes the following issues:

- Fixed a race condition leading to an sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162).


-----------------------------------------
Patch: SUSE-2021-2173
Released: Mon Jun 28 14:59:45 2021
Summary: Recommended update for automake
Severity: moderate
References: 1040589,1047218,1182604,1185540,1186049
Description:
This update for automake fixes the following issues:

- Make generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049) 



-----------------------------------------
Patch: SUSE-2021-2196
Released: Tue Jun 29 09:41:39 2021
Summary: Security update for lua53
Severity: moderate
References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371
Description:
This update for lua53 fixes the following issues:

Update to version 5.3.6:

- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.


-----------------------------------------
Patch: SUSE-2021-2320
Released: Wed Jul 14 17:01:06 2021
Summary: Security update for sqlite3
Severity: important
References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
Description:
This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
  optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
  isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
  dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
  (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
  a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
  columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
  in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
  which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a
  sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)


-----------------------------------------
Patch: SUSE-2021-2555
Released: Thu Jul 29 08:29:55 2021
Summary: Security update for git
Severity: moderate
References: 1168930,1183026,1183580,CVE-2021-21300
Description:
This update for git fixes the following issues:

Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152)

Security fixes:

- CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally 
  to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026)

Non security changes:

- Add `sysusers` file to create `git-daemon` user.
- Remove `perl-base` and `openssh-server` dependency on `git-core` and provide a `perl-Git` package. (jsc#SLE-17838)
- `fsmonitor` bug fixes
- Fix `git bisect` to take an annotated tag as a good/bad endpoint
- Fix a corner case in `git mv` on case insensitive systems
- Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580)
- Drop `rsync` requirement, not necessary anymore.
- Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`.
- The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption.
- No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`.
- The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm
- `git rev-parse` can be explicitly told to give output as absolute or relative path with the 
  `--path-format=(absolute|relative)` option.
- Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands.
- `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'.
- After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that 
  knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}`
- `git bundle` learns `--stdin` option to read its refs from the standard input.  
  Also, it now does not lose refs when they point at the same object.
- `git log` learned a new `--diff-merges=<how>` option.
- `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion 
  unless `-s/-u` option is in use.  A new option `--deduplicate` has been introduced.
- `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes
  in `--porcelain` mode, and gained a `--verbose` option.
- `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it 
  is done, but the protocol did not convey the information necessary to do so when copying an empty repository.  
  The protocol v2 learned how to do so.
- There are other ways than `..` for a single token to denote a 'commit range', namely `<rev>^!`
  and `<rev>^-<n>`, but `git range-diff` did not understand them.
- The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range.
- `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified. 
  The command learned to optionally prepare these files with unconflicted parts already resolved.
- The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file 
  in a bare repository also was read by accident, which has been corrected.
- `git maintenance` tool learned a new `pack-refs` maintenance task.
- Improved the error message given for a configuration variable that is expected to have a boolean value.
- Signed commits and tags now allow verification of objects, whose two object names 
  (one in SHA-1, the other in SHA-256) are both signed.
- `git rev-list` command learned `--disk-usage` option.
- `git diff`, `git log` `--{skip,rotate}-to=<path>` allows the user to discard diff output for early 
  paths or move them to the end of the output.
- `git difftool` learned `--skip-to=<path>` option to restart an interrupted session from an arbitrary path.
- `git grep` has been tweaked to be limited to the sparse checkout paths.
- `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have 
  to keep specifying a non-default setting.
- `git stash` did not work well in a sparsely checked out working tree.
- Newline characters in the host and path part of `git://` URL are now forbidden.
- `Userdiff` updates for PHP, Rust, CSS
- Avoid administrator error leading to data loss with `git push --force-with-lease[=<ref>]` by 
  introducing `--force-if-includes`
- only pull `asciidoctor` for the default ruby version
- The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by 
  mistake in 2.29
- The transport protocol v2 has become the default again
- `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data 
  related to linked worktrees
- `git maintenance` introduced for repository maintenance tasks
- `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the 
  `feature.experimental` set.
- The commands in the `diff` family honor the `diff.relative` configuration variable.
- `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files, 
  not modified from an empty blob.
- `git gui` now allows opening work trees from the start-up dialog.
- `git bugreport` reports what shell is in use.
- Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass 
  these timestamps intact to allow recreating existing repositories as-is.
- `git describe` will always use the `long` version when giving its output based on misplaced tags
- `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given
  

-----------------------------------------
Patch: SUSE-2021-2573
Released: Thu Jul 29 14:21:52 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1188127
Description:
This update for timezone fixes the following issue:

- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by
  the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are
  now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).


-----------------------------------------
Patch: SUSE-2021-2606
Released: Wed Aug  4 13:16:09 2021
Summary: Recommended update for libcbor
Severity: moderate
References: 1102408
Description:
This update for libcbor fixes the following issues:

- Implement a fix to avoid building shared library twice. (bsc#1102408)


-----------------------------------------
Patch: SUSE-2021-2682
Released: Thu Aug 12 20:06:19 2021
Summary: Security update for rpm
Severity: important
References: 1179416,1181805,1183543,1183545,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421
Description:
This update for rpm fixes the following issues:

- Changed default package verification level to 'none' to be compatible with rpm-4.14.1
- Made illegal obsoletes a warning
- Fixed a potential access of freed mem in ndb's glue code (bsc#1179416)
- Added support for enforcing signature policy and payload verification step to
  transactions (jsc#SLE-17817)
- Added :humansi and :humaniec query formatters for human readable output
- Added query selectors for whatobsoletes and whatconflicts
- Added support for sorting caret higher than base version
- rpm no longer requires the signature header to be in a contiguous
  region when signing (bsc#1181805)

Security fixes:

- CVE-2021-3421: A flaw was found in the RPM package in the read functionality. This flaw allows an
  attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM
  repository, to cause RPM database corruption. The highest threat from this vulnerability is to
  data integrity (bsc#1183543)

- CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file.
  This flaw allows an attacker who can convince a victim to install a seemingly verifiable package,
  whose signature header was modified, to cause RPM database corruption and execute code. The highest
  threat from this vulnerability is to data integrity, confidentiality, and system availability (bsc#1183545)

- CVE-2021-20266: A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker
  who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability
  is to system availability.


-----------------------------------------
Patch: SUSE-2021-2885
Released: Tue Aug 31 12:21:17 2021
Summary: Recommended update for publicsuffix
Severity: low
References: 1189124
Description:
This update for publicsuffix fixes the following issues:

- Updates the list of known/accepted domains with recent data (bsc#1189124).


-----------------------------------------
Patch: SUSE-2021-2952
Released: Fri Sep  3 14:38:44 2021
Summary: Security update for java-11-openjdk
Severity: important
References: 1185476,1188564,1188565,1188566,CVE-2021-2341,CVE-2021-2369,CVE-2021-2388
Description:
This update for java-11-openjdk fixes the following issues:

- Update to jdk-11.0.12+7
- CVE-2021-2369: Fixed a problem handling JAR files containing multiple MANIFEST.MF files. (bsc#1188565)
- CVE-2021-2388: Fixed a flaw in the way the Hotspot component performed range check elimination. (bsc#1188566)
- CVE-2021-2341: Fixed a flaw inside the FtpClient. (bsc#1188564)


-----------------------------------------
Patch: SUSE-2021-3115
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
Description:
This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
  size for DNS queries 
* Lock access to PRCallOnceType members in PR_CallOnce* for
  thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
  information about the operating system build version.


Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
		disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
		ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
		acceleration.

Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
		initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
		scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
		initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
		scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
		profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
		with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
		of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
		'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
		from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
		Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
		Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.

update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
		can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
		values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
		with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
  has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
  implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
  to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
  for more information.

Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party
		PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss:
  CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
		root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
		solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
		our CVE-2020-25648 fix that broke purple-discord
		(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
		CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
		ASN.1 decoder that affected decoding certain PKCS8
		private keys when using NSS debug builds
*  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648)
  Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
  (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
  (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
  extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
  gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
  to TrustDomain::CheckRevocation instead of the notBefore value.

update to NSS 3.57

* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
      SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
      SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
      SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
      SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
      SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
      Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

update to NSS 3.56

Notable changes

* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
		detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
		lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
		fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
		cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
		makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
		commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28

update to NSS 3.55

Notable changes
* P384 and P521 elliptic curve implementations are replaced with
  verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
  can be queried with a DER-Encoded certificate, providing performance
  and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

Relevant Bugfixes

* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
  P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
  ChaCha20 (which was not functioning correctly) and more strictly
  enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
  with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
  for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
  RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
  signature_algorithms extension.

update to NSS 3.54

Notable changes

* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
  (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

* A number of certificates had their Email trust bit disabled.
  See bmo#1618402 for a complete list.

Bugs fixed

* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for 'O=Government
	       Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
		certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
		bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
		self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.


-----------------------------------------
Patch: SUSE-2021-3171
Released: Mon Sep 20 17:26:34 2021
Summary: Recommended update for java-11-openjdk
Severity: important
References: 1189201,1190252
Description:
This update for java-11-openjdk fixes the following issues:

- Implement FIPS support in OpenJDK
- Fix build with 'glibc-2.34' (bsc#1189201)
- Add support for 'riscv64' (zero VM)
- Make NSS the default security provider. (bsc#1190252)


-----------------------------------------
Patch: SUSE-2021-3182
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Severity: moderate
References: 1189996
Description:
This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)


-----------------------------------------
Patch: SUSE-2021-3291
Released: Wed Oct  6 16:45:36 2021
Summary: Security update for glibc
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942
Description:
This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed use __pthread_attr_copy in mq_notify (bsc#1186489).
- CVE-2021-35942: Fixed wordexp handle overflow in positional parameter number (bsc#1187911).


-----------------------------------------
Patch: SUSE-2021-3445
Released: Fri Oct 15 09:03:39 2021
Summary: Security update for rpm
Severity: important
References: 1183659,1185299,1187670,1188548
Description:
This update for rpm fixes the following issues:

Security issues fixed:

- PGP hardening changes (bsc#1185299)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)


-----------------------------------------
Patch: SUSE-2021-3490
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Severity: moderate
References: 1190793,CVE-2021-39537
Description:
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)


-----------------------------------------
Patch: SUSE-2021-3494
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Severity: moderate
References: 1190052
Description:
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)


-----------------------------------------
Patch: SUSE-2021-3510
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Severity: important
References: 1191987
Description:
This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in
  the 'securetty' file being installed as 'macros.pam'.
  (bsc#1191987)


-----------------------------------------
Patch: SUSE-2021-3529
Released: Wed Oct 27 09:23:32 2021
Summary: Security update for pcre
Severity: moderate
References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155
Description:
This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)


-----------------------------------------
Patch: SUSE-2021-3671
Released: Tue Nov 16 14:48:10 2021
Summary: Security update for java-11-openjdk
Severity: important
References: 1191901,1191903,1191904,1191906,1191909,1191910,1191911,1191912,1191913,1191914,CVE-2021-35550,CVE-2021-35556,CVE-2021-35559,CVE-2021-35561,CVE-2021-35564,CVE-2021-35565,CVE-2021-35567,CVE-2021-35578,CVE-2021-35586,CVE-2021-35603
Description:
This update for java-11-openjdk fixes the following issues:

Update to 11.0.13+8 (October 2021 CPU)

- CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference
- CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close
- CVE-2021-35556, bsc#1191910: Richer Text Editors
- CVE-2021-35559, bsc#1191911: Enhanced style for RTF kit
- CVE-2021-35561, bsc#1191912: Better hashing support
- CVE-2021-35564, bsc#1191913: Improve Keystore integrity
- CVE-2021-35567, bsc#1191903: More Constrained Delegation
- CVE-2021-35578, bsc#1191904: Improve TLS client handshaking
- CVE-2021-35586, bsc#1191914: Better BMP support
- CVE-2021-35603, bsc#1191906: Better session identification
- Improve Stream handling for SSL
- Improve requests of certificates
- Correct certificate requests
- Enhance DTLS client handshake


-----------------------------------------
Patch: SUSE-2021-3766
Released: Tue Nov 23 07:07:43 2021
Summary: Recommended update for git
Severity: moderate
References: 1192023
Description:
This update for git fixes the following issues:

- Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)


-----------------------------------------
Patch: SUSE-2021-3799
Released: Wed Nov 24 18:07:54 2021
Summary: Recommended update for gcc11
Severity: moderate
References: 1187153,1187273,1188623
Description:
This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

To select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler base libraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.


-----------------------------------------
Patch: SUSE-2021-3872
Released: Thu Dec  2 07:25:55 2021
Summary: Recommended update for cracklib
Severity: moderate
References: 1191736
Description:
This update for cracklib fixes the following issues:

- Enable build time tests (bsc#1191736)


-----------------------------------------
Patch: SUSE-2021-3883
Released: Thu Dec  2 11:47:07 2021
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

Update timezone to 2021e (bsc#1177460)

- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for China


-----------------------------------------
Patch: SUSE-2021-3891
Released: Fri Dec  3 10:21:49 2021
Summary: Recommended update for keyutils
Severity: moderate
References: 1029961,1113013,1187654
Description:
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Hellman function.
* DNS: Add support for AFS config files and SRV records

-----------------------------------------
Patch: SUSE-2021-3942
Released: Mon Dec  6 14:46:05 2021
Summary: Security update for brotli
Severity: moderate
References: 1175825,CVE-2020-8927
Description:
This update for brotli fixes the following issues:

- CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).


-----------------------------------------
Patch: SUSE-2021-3946
Released: Mon Dec  6 14:57:42 2021
Summary: Security update for gmp
Severity: moderate
References: 1192717,CVE-2021-43618
Description:
This update for gmp fixes the following issues:
    
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).


-----------------------------------------
Patch: SUSE-2021-3950
Released: Mon Dec  6 14:59:37 2021
Summary: Security update for openssh
Severity: important
References: 1190975,CVE-2021-41617
Description:
This update for openssh fixes the following issues:

- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).


-----------------------------------------
Patch: SUSE-2021-3980
Released: Thu Dec  9 16:42:19 2021
Summary: Recommended update for glibc
Severity: moderate
References: 1191592
Description:

glibc was updated to fix the following issue:

- Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)


-----------------------------------------
Patch: SUSE-2021-4153
Released: Wed Dec 22 11:00:48 2021
Summary: Security update for openssh
Severity: important
References: 1183137,CVE-2021-28041
Description:
This update for openssh fixes the following issues:

- CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).


-----------------------------------------
Patch: SUSE-2021-4182
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Severity: moderate
References: 1192688
Description:
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)


-----------------------------------------
Patch: SUSE-2022-12
Released: Mon Jan  3 15:36:04 2022
Summary: Recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff
Severity: moderate
References: 
Description:
This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:

- Ship some missing binaries to PackageHub.
  

-----------------------------------------
Patch: SUSE-2022-96
Released: Tue Jan 18 05:14:44 2022
Summary: Recommended update for rpm
Severity: important
References: 1180125,1190824,1193711
Description:
This update for rpm fixes the following issues:

- Fix header check so that old rpms no longer get rejected (bsc#1190824)
- Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)


-----------------------------------------
Patch: SUSE-2022-143
Released: Thu Jan 20 14:32:30 2022
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 1193314
Description:
This update for java-11-openjdk fixes the following issues:

- Java Cryptography was always operating in FIPS mode if crypto-policies was not used.
- Allow plain key import in FIPS mode unless 'com.suse.fips.plainKeySupport' is set to false


-----------------------------------------
Patch: SUSE-2022-207
Released: Thu Jan 27 09:24:49 2022
Summary: Recommended update for glibc
Severity: moderate
References: 
Description:
This update for glibc fixes the following issues:

- Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).


-----------------------------------------
Patch: SUSE-2022-227
Released: Mon Jan 31 06:05:25 2022
Summary: Recommended update for git
Severity: moderate
References: 1193722
Description:
This update for git fixes the following issues:

- update to 2.34.1 (bsc#1193722):
  * 'git grep' looking in a blob that has non-UTF8 payload was
    completely broken when linked with certain versions of PCREv2
    library in the latest release.
  * 'git pull' with any strategy when the other side is behind us
    should succeed as it is a no-op, but doesn't.
  * An earlier change in 2.34.0 caused JGit application (that abused
    GIT_EDITOR mechanism when invoking 'git config') to get stuck with
    a SIGTTOU signal; it has been reverted.
  * An earlier change that broke .gitignore matching has been reverted.
  * SubmittingPatches document gained a syntactically incorrect mark-up,
    which has been corrected.

- git 2.33.0:
  * 'git send-email' learned the '--sendmail-cmd' command line option
    and the 'sendemail.sendmailCmd' configuration variable, which is a
    more sensible approach than the current way of repurposing the
    'smtp-server' that is meant to name the server to instead name the
    command to talk to the server.
  * The userdiff pattern for C# learned the token 'record'.
  * 'git rev-list' learns to omit the 'commit <object-name>' header
    lines from the output with the `--no-commit-header` option.
  * 'git worktree add --lock' learned to record why the worktree is
    locked with a custom message.
  * internal improvements including performance optimizations
  * a number of bug fixes

- git 2.32.0:
  * '.gitattributes', '.gitignore', and '.mailmap' files that are
    symbolic links are ignored
  * 'git apply --3way' used to first attempt a straight
    application, and only fell back to the 3-way merge algorithm
    when the straight application failed.  Starting with this
    version, the command will first try the 3-way merge algorithm
    and only when it fails (either resulting with conflict or the
    base versions of blobs are missing), falls back to the usual
    patch application.
  * 'git stash show' can now show the untracked part of the stash
  * Improved 'git repack' strategy
  * http code can now unlock a certificate with a cached password.
  * 'git clone --reject-shallow' option fails the clone as soon as
    we notice that we are cloning from a shallow repository.
  * 'gitweb' learned 'e-mail privacy' feature
  * Multiple improvements to output and configuration options
  * Bug fixes and developer visible fixes
  

-----------------------------------------
Patch: SUSE-2022-330
Released: Fri Feb  4 09:29:08 2022
Summary: Security update for glibc
Severity: important
References: 1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219
Description:

This update for glibc fixes the following issues:

- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

Features added:

- IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)



-----------------------------------------
Patch: SUSE-2022-383
Released: Tue Feb 15 17:47:36 2022
Summary: Recommended update for cyrus-sasl
Severity: moderate
References: 1194265
Description:
This update for cyrus-sasl fixes the following issues:

- Fixed an issue where 'sasl' authentication with password fails in postfix. (bsc#1194265)
- Add config parameter '--with-dblib=gdbm'
- Avoid converting '/etc/sasldb2' on every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.


-----------------------------------------
Patch: SUSE-2022-520
Released: Fri Feb 18 12:45:19 2022
Summary: Recommended update for rpm
Severity: moderate
References: 1194968
Description:
This update for rpm fixes the following issues:

- Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)


-----------------------------------------
Patch: SUSE-2022-692
Released: Thu Mar  3 15:46:47 2022
Summary: Recommended update for filesystem
Severity: moderate
References: 1190447
Description:
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).


-----------------------------------------
Patch: SUSE-2022-743
Released: Mon Mar  7 22:08:12 2022
Summary: Security update for cyrus-sasl
Severity: important
References: 1194265,1196036,CVE-2022-24407
Description:
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

The following non-security bugs were fixed:

- postfix: sasl authentication with password fails (bsc#1194265).


-----------------------------------------
Patch: SUSE-2022-789
Released: Thu Mar 10 11:22:05 2022
Summary: Recommended update for update-alternatives
Severity: moderate
References: 1195654
Description:
This update for update-alternatives fixes the following issues:

- Break the bash - update-alternatives cycle with a rewrite of '%post' in 'lua'. (bsc#1195654)


-----------------------------------------
Patch: SUSE-2022-816
Released: Mon Mar 14 10:22:04 2022
Summary: Security update for java-11-openjdk
Severity: moderate
References: 1194925,1194926,1194927,1194928,1194929,1194930,1194931,1194932,1194933,1194934,1194935,1194937,1194939,1194940,1194941,CVE-2022-21248,CVE-2022-21277,CVE-2022-21282,CVE-2022-21283,CVE-2022-21291,CVE-2022-21293,CVE-2022-21294,CVE-2022-21296,CVE-2022-21299,CVE-2022-21305,CVE-2022-21340,CVE-2022-21341,CVE-2022-21360,CVE-2022-21365,CVE-2022-21366
Description:
This update for java-11-openjdk fixes the following issues:

- CVE-2022-21248: Fixed incomplete deserialization class filtering in ObjectInputStream. (bnc#1194926)
- CVE-2022-21277: Fixed incorrect reading of TIFF files in TIFFNullDecompressor. (bnc#1194930)
- CVE-2022-21282: Fixed Insufficient URI checks in the XSLT TransformerImpl. (bnc#1194933)
- CVE-2022-21283: Fixed unexpected exception thrown in regex Pattern. (bnc#1194937)
- CVE-2022-21291: Fixed Incorrect marking of writeable fields. (bnc#1194925)
- CVE-2022-21293: Fixed Incomplete checks of StringBuffer and StringBuilder during deserialization. (bnc#1194935)
- CVE-2022-21294: Fixed Incorrect IdentityHashMap size checks during deserialization. (bnc#1194934)
- CVE-2022-21296: Fixed Incorrect access checks in XMLEntityManager. (bnc#1194932)
- CVE-2022-21299: Fixed Infinite loop related to incorrect handling of newlines in XMLEntityScanner. (bnc#1194931)
- CVE-2022-21305: Fixed Array indexing issues in LIRGenerator. (bnc#1194939)
- CVE-2022-21340: Fixed Excessive resource use when reading JAR manifest attributes. (bnc#1194940)
- CVE-2022-21341: Fixed OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream. (bnc#1194941)
- CVE-2022-21360: Fixed Excessive memory allocation in BMPImageReader. (bnc#1194929)
- CVE-2022-21365: Fixed Integer overflow in BMPImageReader. (bnc#1194928)
- CVE-2022-21366: Fixed Excessive memory allocation in TIFF*Decompressor. (bnc#1194927)


-----------------------------------------
Patch: SUSE-2022-861
Released: Tue Mar 15 23:30:48 2022
Summary: Recommended update for openssl-1_1 
Severity: moderate
References: 1182959,1195149,1195792,1195856
Description:
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1


-----------------------------------------
Patch: SUSE-2022-936
Released: Tue Mar 22 18:10:17 2022
Summary: Recommended update for filesystem and systemd-rpm-macros
Severity: moderate
References: 1196275,1196406
Description:
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)


-----------------------------------------
Patch: SUSE-2022-1033
Released: Tue Mar 29 18:42:05 2022
Summary: Recommended update for java-11-openjdk
Severity: moderate
References: 
Description:
This update for java-11-openjdk fixes the following issues:

- Build failure on Solaris.
- Unable to connect to https://google.com using java.net.HttpClient.


-----------------------------------------
Patch: SUSE-2022-1047
Released: Wed Mar 30 16:20:56 2022
Summary: Recommended update for pam
Severity: moderate
References: 1196093,1197024
Description:
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and freeing it, there are two 'return NO' statements where the variable is not freed.
  This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024)


-----------------------------------------
Patch: SUSE-2022-1061
Released: Wed Mar 30 18:27:06 2022
Summary: Security update for zlib
Severity: important
References: 1197459,CVE-2018-25032
Description:
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).


-----------------------------------------
Patch: SUSE-2022-1118
Released: Tue Apr  5 18:34:06 2022
Summary: Recommended update for timezone
Severity: moderate
References: 1177460
Description:
This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not on 03-26
  * `zdump -v` now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data


-----------------------------------------
Patch: SUSE-2022-1158
Released: Tue Apr 12 14:44:43 2022
Summary: Security update for xz
Severity: important
References: 1198062,CVE-2022-1271
Description:
This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)


-----------------------------------------
Patch: SUSE-2022-1265
Released: Tue Apr 19 15:22:37 2022
Summary: Security update for jsoup, jsr-305
Severity: important
References: 1189749,CVE-2021-37714
Description:
This update for jsoup, jsr-305 fixes the following issues:

- CVE-2021-37714: Fixed infinite loop in untrusted HTML or XML data parsing (bsc#1189749).

Changes in jsr-305:
- Build with java source and target levels 8 
- Upgrade to upstream version 3.0.2

Changes in jsoup:
- Upgrade to upstream version 1.14.2
- Generate tarball using source service instead of a script


-----------------------------------------
Patch: SUSE-2022-1281
Released: Wed Apr 20 12:26:38 2022
Summary: Recommended update for libtirpc
Severity: moderate
References: 1196647
Description:
This update for libtirpc fixes the following issues:

- Add option to enforce connection via protocol version 2 first (bsc#1196647)


-----------------------------------------
Patch: SUSE-2022-1374
Released: Mon Apr 25 15:02:13 2022
Summary: Recommended update for openldap2
Severity: moderate
References: 1191157,1197004
Description:
This update for openldap2 fixes the following issues:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)


-----------------------------------------
Patch: SUSE-2022-1409
Released: Tue Apr 26 12:54:57 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1195628,1196107
Description:
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstdc++6 package to keep those
  at the same version.  [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.


-----------------------------------------
Patch: SUSE-2022-1451
Released: Thu Apr 28 10:47:22 2022
Summary: Recommended update for perl
Severity: moderate
References: 1193489
Description:
This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489)


-----------------------------------------
Patch: SUSE-2022-1484
Released: Mon May  2 16:47:10 2022
Summary: Security update for git
Severity: important
References: 1181400,1198234,CVE-2022-24765
Description:
This update for git fixes the following issues:

- Updated to version 2.35.3:
  - CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).


-----------------------------------------
Patch: SUSE-2022-1513
Released: Tue May  3 16:13:25 2022
Summary: Security update for java-11-openjdk
Severity: important
References: 1198671,1198672,1198673,1198674,1198675,CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21476,CVE-2022-21496
Description:
This update for java-11-openjdk fixes the following issues:

- CVE-2022-21426: Fixed Oracle Java SE compromise by an unauthenticated attacker with network access via multiple protocols (bsc#1198672).
- CVE-2022-21434: Fixed Oracle Java SE compromise by an unauthenticated attacker with network access via multiple protocols (bsc#1198674).
- CVE-2022-21496: Fixed Oracle Java SE compromise by an unauthenticated attacker with network access via multiple protocols (bsc#1198673).
- CVE-2022-21443: Fixed Oracle Java SE compromise by an unauthenticated attacker with network access via multiple protocols (bsc#1198675).
- CVE-2022-21476: Fixed Oracle Java SE compromise by an unauthenticated attacker with network access via multiple protocols (bsc#1198671).


-----------------------------------------
Patch: SUSE-2022-1565
Released: Fri May  6 17:09:36 2022
Summary: Security update for giflib
Severity: moderate
References: 1094832,1146299,1184123,974847,CVE-2016-3977,CVE-2018-11490,CVE-2019-15133
Description:
This update for giflib fixes the following issues:

- CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299).
- CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832).
- CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847). 
     
Update to version 5.2.1
  * In gifbuild.c, avoid a core dump on no color map.
  * Restore inadvertently removed library version numbers in Makefile.
   
Changes in version 5.2.0
  * The undocumented and deprecated GifQuantizeBuffer() entry point
    has been moved to the util library to reduce libgif size and attack
    surface. Applications needing this function are encouraged to link the
    util library or make their own copy.
  * The following obsolete utility programs are no longer installed:
    gifecho, giffilter, gifinto, gifsponge. These were either installed in
    error or have been obsolesced by modern image-transformation tools
    like ImageMagick convert. They may be removed entirely in a future
    release.
  * Address SourceForge issue #136: Stack-buffer-overflow in gifcolor.c:84
  * Address SF bug #134: Giflib fails to slurp significant number of gifs
  * Apply SPDX convention for license tagging.
   
Changes in version 5.1.9
  * The documentation directory now includes an HTMLified version of the
    GIF89 standard, and a more detailed description of how LZW compression
    is applied to GIFs.
  * Address SF bug #129: The latest version of giflib cannot be build on windows.
  * Address SF bug #126: Cannot compile giflib using c89
   
Changes in version 5.1.8
  * Address SF bug #119: MemorySanitizer: FPE on unknown address (CVE-2019-15133 bsc#1146299)
  * Address SF bug #125: 5.1.7: xmlto is still required for tarball
  * Address SF bug #124: 5.1.7: ar invocation is not crosscompile compatible
  * Address SF bug #122: 5.1.7 installs manpages to wrong directory
  * Address SF bug #121: make: getversion: Command not found
  * Address SF bug #120: 5.1.7 does not build a proper library - no 
   
Changes in version 5.1.7
  * Correct a minor packaging error (superfluous symlinks) in the 5.1.6 tarballs.
   
Changes in version 5.1.6
  * Fix library installation in the Makefile.
   
Changes in version 5.1.5
  * Fix SF bug #114: Null dereferences in main() of gifclrmp
  * Fix SF bug #113: Heap Buffer Overflow-2 in function DGifDecompressLine()
    in cgif.c.  This had been assigned (CVE-2018-11490 bsc#1094832).
  * Fix SF bug #111: segmentation fault in PrintCodeBlock
  * Fix SF bug #109: Segmentation fault of giftool reading a crafted file
  * Fix SF bug #107: Floating point exception in giftext utility
  * Fix SF bug #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317
  * Fix SF bug #104: Ineffective bounds check in DGifSlurp
  * Fix SF bug #103: GIFLIB 5.1.4: DGifSlurp fails on empty comment
  * Fix SF bug #87: Heap buffer overflow in 5.1.2 (gif2rgb). (CVE-2016-3977 bsc#974847)
  * The horrible old autoconf build system has been removed with extreme prejudice. 
    You now build this simply by running 'make' from the top-level directory.

The following non-security bugs were fixed:

- build path independent objects and inherit CFLAGS from the build system (bsc#1184123)


-----------------------------------------
Patch: SUSE-2022-1655
Released: Fri May 13 15:36:10 2022
Summary: Recommended update for pam
Severity: moderate
References: 1197794
Description:
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)


-----------------------------------------
Patch: SUSE-2022-1658
Released: Fri May 13 15:40:20 2022
Summary: Recommended update for libpsl
Severity: important
References: 1197771
Description:
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)


-----------------------------------------
Patch: SUSE-2022-1660
Released: Fri May 13 15:42:21 2022
Summary: Recommended update for publicsuffix
Severity: low
References: 1198068
Description:
This update for publicsuffix fixes the following issue:

- Update to version 20220405 (bsc#1198068)


-----------------------------------------
Patch: SUSE-2022-1670
Released: Mon May 16 10:06:30 2022
Summary: Security update for openldap2
Severity: important
References: 1199240,CVE-2022-29155
Description:
This update for openldap2 fixes the following issues:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).


-----------------------------------------
Patch: SUSE-2022-1709
Released: Tue May 17 17:35:47 2022
Summary: Recommended update for libcbor
Severity: important
References: 1197743
Description:
This update for libcbor fixes the following issues:

- Fix build errors occurring on SUSE Linux Enterprise 15 Service Pack 4


-----------------------------------------
Patch: SUSE-2022-1718
Released: Tue May 17 17:44:43 2022
Summary: Security update for e2fsprogs
Severity: important
References: 1198446,CVE-2022-1304
Description:
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
  and possibly arbitrary code execution. (bsc#1198446)


-----------------------------------------
Patch: SUSE-2022-1887
Released: Tue May 31 09:24:18 2022
Summary: Recommended update for grep
Severity: moderate
References: 1040589
Description:
This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)


-----------------------------------------
Patch: SUSE-2022-1899
Released: Wed Jun  1 10:43:22 2022
Summary: Recommended update for libtirpc
Severity: important
References: 1198176
Description:
This update for libtirpc fixes the following issues:

- Add a check for a null pointer in check_address to prevent the client from crashing (bsc#1198176)


-----------------------------------------
Patch: SUSE-2022-1909
Released: Wed Jun  1 16:25:35 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1198751
Description:
This update for glibc fixes the following issues:

- Add the correct name for the IBM Z16 (bsc#1198751).


-----------------------------------------
Patch: SUSE-2022-2019
Released: Wed Jun  8 16:50:07 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1192951,1193659,1195283,1196861,1197065
Description:
This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64.  [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild.  [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586.  [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune 
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines.  [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build  [bsc#1192951]
* Package mwaitintrin.h


-----------------------------------------
Patch: SUSE-2022-2060
Released: Mon Jun 13 15:26:16 2022
Summary: Recommended update for geronimo-specs
Severity: moderate
References: 1200426
Description:
This recommended update for geronimo-specs provides the following fix:

- Ship geronimo-annotation-1_0-api to SUSE Manager server as it is now needed by google-gson.
  (bsc#1200426)


-----------------------------------------
Patch: SUSE-2022-2294
Released: Wed Jul  6 13:34:15 2022
Summary: Security update for expat
Severity: important
References: 1196025,1196026,1196168,1196169,1196171,1196784,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
Description:
This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).


-----------------------------------------
Patch: SUSE-2022-2305
Released: Wed Jul  6 13:38:42 2022
Summary: Security update for curl
Severity: important
References: 1200734,1200735,1200736,1200737,CVE-2022-32205,CVE-2022-32206,CVE-2022-32207,CVE-2022-32208
Description:
This update for curl fixes the following issues:

- CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
- CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
- CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
- CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)


-----------------------------------------
Patch: SUSE-2022-2308
Released: Wed Jul  6 14:15:13 2022
Summary: Security update for openssl-1_1
Severity: important
References: 1185637,1199166,1200550,1201099,CVE-2022-1292,CVE-2022-2068,CVE-2022-2097
Description:
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).


-----------------------------------------
Patch: SUSE-2022-2360
Released: Tue Jul 12 12:01:39 2022
Summary: Security update for pcre2
Severity: important
References: 1199232,CVE-2022-1586
Description:
This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)


-----------------------------------------
Patch: SUSE-2022-2361
Released: Tue Jul 12 12:05:01 2022
Summary: Security update for pcre
Severity: important
References: 1199232,CVE-2022-1586
Description:
This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)


-----------------------------------------
Patch: SUSE-2022-2406
Released: Fri Jul 15 11:49:01 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1197718,1199140,1200334,1200855
Description:
This update for glibc fixes the following issues:

- powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
- Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
- i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
- rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This re-adds the s390 32bit glibc and libcrypt1 libraries (glibc-32bit, glibc-locale-base-32bit, libcrypt1-32bit).


-----------------------------------------
Patch: SUSE-2022-2469
Released: Thu Jul 21 04:38:31 2022
Summary: Recommended update for systemd
Severity: important
References: 1137373,1181658,1194708,1195157,1197570,1198732,1200170,1201276
Description:
This update for systemd fixes the following issues:

- Make {/etc,/usr/lib}/systemd/network owned by both udev and systemd-network. The configuration files put in these
  directories are read by both udevd and systemd-networkd (bsc#1201276)
- Allow control characters in environment variable values (bsc#1200170)
- Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
- Fix parsing error in s390 udev rules conversion script (bsc#1198732)
- core/device: device_coldplug(): don't set DEVICE_DEAD
- core/device: do not downgrade device state if it is already enumerated
- core/device: drop unnecessary condition


-----------------------------------------
Patch: SUSE-2022-2493
Released: Thu Jul 21 14:35:08 2022
Summary: Recommended update for rpm-config-SUSE
Severity: moderate
References: 1193282
Description:
This update for rpm-config-SUSE fixes the following issues:

- Add SBAT values macros for other packages (bsc#1193282)


-----------------------------------------
Patch: SUSE-2022-2494
Released: Thu Jul 21 15:16:42 2022
Summary: Recommended update for glibc
Severity: important
References: 1200855,1201560,1201640
Description:
This update for glibc fixes the following issues:

- Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
- i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)


-----------------------------------------
Patch: SUSE-2022-2533
Released: Fri Jul 22 17:37:15 2022
Summary: Security update for mozilla-nss
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
Description:
This update for mozilla-nss fixes the following issues:

Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

- Makes the PBKDF known answer test compliant with NIST SP800-132 (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

Version update to NSS 3.79:

- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34   

Version update to NSS 3.78.1:

- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

Version update to NSS 3.78:

- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.

Version update to NSS 3.77:

- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix

Version update to NSS 3.76.1

- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.

Version update to NSS 3.75

- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.

Version update to NSS 3.74

- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits

- enable key logging option (boo#1195040)

Version update to NSS 3.73.1:

- Add SHA-2 support to mozilla::pkix's OCSP implementation

Version update to NSS 3.73

- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FIPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS

Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures

Version update to NSS 3.72

- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins

Version update to NSS 3.71

- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.

Version update to NSS 3.70

- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.

Version update to NSS 3.69.1:

- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC

NSS 3.69:

- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed its open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active

Version Update to 3.68.4 (bsc#1200027)

- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.  (bmo#1767590)


Mozilla NSPR was updated to version 4.34:

* add an API that returns a preferred loopback IP on hosts that have two IP stacks available.


-----------------------------------------
Patch: SUSE-2022-2550
Released: Tue Jul 26 14:00:21 2022
Summary: Security update for git
Severity: important
References: 1201431,CVE-2022-29187
Description:
This update for git fixes the following issues:

- CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).


-----------------------------------------
Patch: SUSE-2022-2552
Released: Tue Jul 26 14:55:40 2022
Summary: Security update for libxml2
Severity: important
References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824
Description:
This update for libxml2 fixes the following issues:

Update to 2.9.14:

- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

Update to version 2.9.13:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes. (bsc#1196490)


-----------------------------------------
Patch: SUSE-2022-2566
Released: Wed Jul 27 15:04:49 2022
Summary: Security update for pcre2
Severity: important
References: 1199235,CVE-2022-1587
Description:
This update for pcre2 fixes the following issues:

- CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).


-----------------------------------------
Patch: SUSE-2022-2595
Released: Fri Jul 29 16:00:42 2022
Summary: Security update for mozilla-nss
Severity: important
References: 1192079,1192080,1192086,1192087,1192228,1198486,1200027,CVE-2022-31741
Description:
This update for mozilla-nss fixes the following issues:

Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

- Makes the PBKDF known answer test compliant with NIST SP800-132 (bsc#1192079).
- FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck()
  (bsc#1198980).
- FIPS: mark algorithms as approved/non-approved according to security policy
  (bsc#1191546, bsc#1201298).
- FIPS: remove hard disabling of unapproved algorithms. This requirement is now
  fulfilled by the service level indicator (bsc#1200325).
- Run test suite at build time, and make it pass (bsc#1198486).
- FIPS: skip algorithms that are hard disabled in FIPS mode.
- Prevent expired PayPalEE cert from failing the tests.
- Allow checksumming to be disabled, but only if we entered FIPS mode
  due to NSS_FIPS being set, not if it came from /proc.
- FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- FIPS: remove XCBC MAC from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
  for build.
- FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
- FIPS: allow testing of unapproved algorithms (bsc#1192228).
- FIPS: add version indicators. (bmo#1729550, bsc#1192086).
- FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

Version update to NSS 3.79:

- Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Update mercurial in clang-format docker image.
- Use of uninitialized pointer in lg_init after alloc fail.
- selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Add SECMOD_LockedModuleHasRemovableSlots.
- Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Correct invalid record inner and outer content type alerts.
- NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- improve error handling after nssCKFWInstance_CreateObjectHandle.
- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- NSS 3.79 should depend on NSPR 4.34   

Version update to NSS 3.78.1:

- Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

Version update to NSS 3.78:

- Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Add ECH Grease Support to tstclnt
- Add a strict variant of moz::pkix::CheckCertHostname.
- Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Make SEC_PKCS12EnableCipher succeed
- Update zlib in NSS to 1.2.12.

Version update to NSS 3.77:

- Fix link to TLS page on wireshark wiki
- Add two D-TRUST 2020 root certificates.
- Add Telia Root CA v2 root certificate.
- Remove expired explicitly distrusted certificates from certdata.txt.
- support specific RSA-PSS parameters in mozilla::pkix
- Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Remove token member from NSSSlot struct.
- Provide secure variants of mpp_pprime and mpp_make_prime.
- Support UTF-8 library path in the module spec string.
- Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Update googletest to 1.11.0
- Add SetTls13GreaseEchSize to experimental API.
- TLS 1.3 Illegal legacy_version handling/alerts.
- Fix calculation of ECH HRR Transcript.
- Allow ld path to be set as environment variable.
- Ensure we don't read uninitialized memory in ssl gtests.
- Fix DataBuffer Move Assignment.
- internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- rework signature verification in mozilla::pkix

Version update to NSS 3.76.1

- Remove token member from NSSSlot struct.
- Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Check return value of PK11Slot_GetNSSToken.
- Use Wycheproof JSON for RSASSA-PSS
- Add SHA256 fingerprint comments to old certdata.txt entries.
- Avoid truncating files in nss-release-helper.py.
- Throw illegal_parameter alert for illegal extensions in handshake message.

Version update to NSS 3.75

- Make DottedOIDToCode.py compatible with python3.
- Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Remove redundant key type check.
- Update ABI expectations to match ECH changes.
- Enable CKM_CHACHA20.
- check return on NSS_NoDB_Init and NSS_Shutdown.
- Run ECDSA test vectors from bltest as part of the CI tests.
- Add ECDSA test vectors to the bltest command line tool.
- Allow to build using clang's integrated assembler.
- Allow to override python for the build.
- test HKDF output rather than input.
- Use ASSERT macros to end failed tests early.
- move assignment operator for DataBuffer.
- Add test cases for ECH compression and unexpected extensions in SH.
- Update tests for ECH-13.
- Tidy up error handling.
- Add tests for ECH HRR Changes.
- Server only sends GREASE HRR extension if enabled by preference.
- Update generation of the Associated Data for ECH-13.
- When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Allow for compressed, non-contiguous, extensions.
- Scramble the PSK extension in CHOuter.
- Split custom extension handling for ECH.
- Add ECH-13 HRR Handling.
- Client side ECH padding.
- Stricter ClientHelloInner Decompression.
- Remove ECH_inner extension, use new enum format.
- Update the version number for ECH-13 and adjust the ECHConfig size.

Version update to NSS 3.74

- mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
- Ensure clients offer consistent ciphersuites after HRR
- NSS does not properly restrict server keys based on policy
- Set nssckbi version number to 2.54
- Replace Google Trust Services LLC (GTS) R4 root certificate
- Replace Google Trust Services LLC (GTS) R3 root certificate
- Replace Google Trust Services LLC (GTS) R2 root certificate
- Replace Google Trust Services LLC (GTS) R1 root certificate
- Replace GlobalSign ECC Root CA R4
- Remove Expired Root Certificates - DST Root CA X3
- Remove Expiring Cybertrust Global Root and GlobalSign root certificates
- Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
- Add iTrusChina ECC root certificate
- Add iTrusChina RSA root certificate
- Add ISRG Root X2 root certificate
- Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
- Avoid a clang 13 unused variable warning in opt build
- Check for missing signedData field
- Ensure DER encoded signatures are within size limits

- enable key logging option (boo#1195040)

Version update to NSS 3.73.1:

- Add SHA-2 support to mozilla::pkix's OCSP implementation

Version update to NSS 3.73

- check for missing signedData field.
- Ensure DER encoded signatures are within size limits.
- NSS needs FIPS 140-3 version indicators.
- pkix_CacheCert_Lookup doesn't return cached certs
- sunset Coverity from NSS

Fixed MFSA 2021-51 (bsc#1193170) CVE-2021-43527: Memory corruption via DER-encoded DSA and RSA-PSS signatures

Version update to NSS 3.72

- Fix nsinstall parallel failure.
- Increase KDF cache size to mitigate perf regression in about:logins

Version update to NSS 3.71

- Set nssckbi version number to 2.52.
- Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Import of PKCS#12 files with Camellia encryption is not supported
- Add HARICA Client ECC Root CA 2021.
- Add HARICA Client RSA Root CA 2021.
- Add HARICA TLS ECC Root CA 2021.
- Add HARICA TLS RSA Root CA 2021.
- Add TunTrust Root CA certificate to NSS.

Version update to NSS 3.70

- Update test case to verify fix.
- Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Avoid using a lookup table in nssb64d.
- Use HW accelerated SHA2 on AArch64 Big Endian.
- Change default value of enableHelloDowngradeCheck to true.
- Cache additional PBE entries.
- Read HPKE vectors from official JSON.

Version update to NSS 3.69.1:

- Disable DTLS 1.0 and 1.1 by default
- integrity checks in key4.db not happening on private components with AES_CBC

NSS 3.69:

- Disable DTLS 1.0 and 1.1 by default (backed out again)
- integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
- SSL handling of signature algorithms ignores environmental invalid algorithms.
- sqlite 3.34 changed its open semantics, causing nss failures.
- Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- SQLite calls could timeout in starvation situations.
- Coverity/cpp scanner errors found in nss 3.67
- Import the NSS documentation from MDN in nss/doc.
- NSS using a tempdir to measure sql performance not active

Version Update to 3.68.4 (bsc#1200027)

- CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.  (bmo#1767590)




-----------------------------------------
Patch: SUSE-2022-2632
Released: Wed Aug  3 09:51:00 2022
Summary: Security update for permissions
Severity: important
References: 1198720,1200747,1201385
Description:
This update for permissions fixes the following issues:

* apptainer: fix starter-suid location (bsc#1198720)
* static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
* postfix: add postlog setgid for maildrop binary (bsc#1201385)


-----------------------------------------
Patch: SUSE-2022-2664
Released: Thu Aug  4 09:22:06 2022
Summary: Security update for harfbuzz
Severity: important
References: 1200900,CVE-2022-33068
Description:
This update for harfbuzz fixes the following issues:

- CVE-2022-33068: Fixed an integer overflow in hb-ot-shape-fallback.cc (bsc#1200900).


-----------------------------------------
Patch: SUSE-2022-2707
Released: Tue Aug  9 10:18:18 2022
Summary: Security update for java-11-openjdk
Severity: important
References: 1201684,1201692,1201694,CVE-2022-21540,CVE-2022-21541,CVE-2022-34169
Description:
This update for java-11-openjdk fixes the following issues:

Update to upstream tag jdk-11.0.16+8 (July 2022 CPU)

- CVE-2022-21540: Improve class compilation (bsc#1201694)
- CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692)
- CVE-2022-34169: Improve Xalan supports (bsc#1201684)


-----------------------------------------
Patch: SUSE-2022-2717
Released: Tue Aug  9 12:54:16 2022
Summary: Security update for ncurses
Severity: moderate
References: 1198627,CVE-2022-29458
Description:
This update for ncurses fixes the following issues:

- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).


-----------------------------------------
Patch: SUSE-2022-2796
Released: Fri Aug 12 14:34:31 2022
Summary: Recommended update for jitterentropy
Severity: moderate
References: 
Description:
This update for jitterentropy fixes the following issues:

jitterentropy is included in version 3.4.0 (jsc#SLE-24941):

This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, 
used by other FIPS libraries.

-----------------------------------------
Patch: SUSE-2022-2901
Released: Fri Aug 26 03:34:23 2022
Summary: Recommended update for elfutils
Severity: moderate
References: 
Description:
This update for elfutils fixes the following issues:

- Fix runtime dependency for devel package


-----------------------------------------
Patch: SUSE-2022-2904
Released: Fri Aug 26 05:28:34 2022
Summary: Recommended update for openldap2
Severity: moderate
References: 1198341
Description:
This update for openldap2 fixes the following issues:

- Prevent memory reuse which may lead to instability (bsc#1198341)


-----------------------------------------
Patch: SUSE-2022-2920
Released: Fri Aug 26 15:17:02 2022
Summary: Recommended update for systemd
Severity: important
References: 1195059,1201795
Description:
This update for systemd fixes the following issues:

- Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one pointing to /usr/lib/systemd/ (bsc#1201795)
- Drop or soften some of the deprecation warnings (jsc#PED-944)
- Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
- Avoid applying presets to any services shipped by the experimental sub-package, as they aren't enabled by default
- analyze: Fix offline check for syscall filter
- calendarspec: Fix timer skipping the next elapse
- core: Allow command argument to be longer
- hwdb: Add AV production controllers to hwdb and add uaccess
- hwdb: Allow console users access to rfkill
- hwdb: Allow end-users root-less access to TL866 EPROM readers
- hwdb: Permit unsetting power/persist for USB devices
- hwdb: Tag IR cameras as such
- hwdb: Fix parsing issue
- hwdb: Make usb match patterns uppercase
- hwdb: Update the hardware database
- journal-file: Stop using the event loop if it's already shutting down
- journal-remote: Disable `--trust` option when gnutls is disabled and check_permission() should not be called
- journald: Ensure resources are properly allocated for SIGTERM handling
- kernel-install: Ensure modules.builtin.alias.bin is removed when no longer needed
- macro: Account for negative values in DECIMAL_STR_WIDTH()
- manager: Disallow clone3() function call in seccomp filters 
- missing-syscall: Define MOVE_MOUNT_T_EMPTY_PATH if missing
- pid1,cgroup-show: Prevent failure if cgroup.procs in some subcgroups is not readable
- resolve: Fix typo in dns_class_is_pseudo()
- sd-event: Improve handling of process events and termination of processes
- sd-ipv4acd: Fix ARP packet conflicts occurring when sender hardware is one of the host's interfaces
- stdio-bridge: Improve the meaning of the error message  
- tmpfiles: Check for the correct directory


-----------------------------------------
Patch: SUSE-2022-2929
Released: Mon Aug 29 11:21:47 2022
Summary: Recommended update for timezone
Severity: important
References: 1202310
Description:
This update for timezone fixes the following issue:

- Reflect new Chile DST change (bsc#1202310)


-----------------------------------------
Patch: SUSE-2022-2939
Released: Mon Aug 29 14:49:17 2022
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1201298,1202645
Description:
This update for mozilla-nss fixes the following issues:

Update to NSS 3.79.1 (bsc#1202645)

* compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_ComputeCertType.
* protect SFTKSlot needLogin with slotLock.
* avoid data race on primary password change.
* check for null template in sec_asn1{d,e}_push_state.

- FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).


-----------------------------------------
Patch: SUSE-2022-2947
Released: Wed Aug 31 09:16:21 2022
Summary: Security update for zlib
Severity: important
References: 1202175,CVE-2022-37434
Description:
This update for zlib fixes the following issues:

- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).


-----------------------------------------
Patch: SUSE-2022-2977
Released: Thu Sep  1 12:30:19 2022
Summary: Recommended update for util-linux
Severity: moderate
References: 1197178,1198731
Description:
This update for util-linux fixes the following issues:

- agetty: Resolve tty name even if stdin is specified (bsc#1197178)
- libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)


-----------------------------------------
Patch: SUSE-2022-2994
Released: Fri Sep  2 10:44:54 2022
Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Severity: moderate
References: 1198925
Description:

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)

No code changes were done in this update.


-----------------------------------------
Patch: SUSE-2022-3003
Released: Fri Sep  2 15:01:44 2022
Summary: Security update for curl
Severity: low
References: 1202593,CVE-2022-35252
Description:
This update for curl fixes the following issues:

- CVE-2022-35252: Fixed a potential injection of control characters
  into cookies, which could be exploited by sister sites to cause a
  denial of service (bsc#1202593).


-----------------------------------------
Patch: SUSE-2022-3127
Released: Wed Sep  7 04:36:10 2022
Summary: Recommended update for libtirpc
Severity: moderate
References: 1198752,1200800
Description:
This update for libtirpc fixes the following issues:

- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignment (bsc#1198752)


-----------------------------------------
Patch: SUSE-2022-3215
Released: Thu Sep  8 15:58:27 2022
Summary: Recommended update for rpm
Severity: moderate
References: 
Description:
This update for rpm fixes the following issues:

- Support Ed25519 RPM signatures [jsc#SLE-24714]


-----------------------------------------
Patch: SUSE-2022-3252
Released: Mon Sep 12 09:07:53 2022
Summary: Security update for freetype2
Severity: moderate
References: 1198823,1198830,1198832,CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
Description:
This update for freetype2 fixes the following issues:

- CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
- CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
- CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).

Non-security fixes:

- Updated to version 2.10.4


-----------------------------------------
Patch: SUSE-2022-3262
Released: Tue Sep 13 15:34:29 2022
Summary: Recommended update for gcc11
Severity: moderate
References: 1199140
Description:

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)


-----------------------------------------
Patch: SUSE-2022-3271
Released: Wed Sep 14 06:45:39 2022
Summary: Security update for perl
Severity: moderate
References: 1047178,CVE-2017-6512
Description:
This update for perl fixes the following issues:

- CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).


-----------------------------------------
Patch: SUSE-2022-3305
Released: Mon Sep 19 11:45:57 2022
Summary: Security update for libtirpc
Severity: important
References: 1201680,CVE-2021-46828
Description:
This update for libtirpc fixes the following issues:

- CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).


-----------------------------------------
Patch: SUSE-2022-3307
Released: Mon Sep 19 13:26:51 2022
Summary: Security update for sqlite3
Severity: moderate
References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737
Description:
This update for sqlite3 fixes the following issues:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
  
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).


-----------------------------------------
Patch: SUSE-2022-3328
Released: Wed Sep 21 12:48:56 2022
Summary: Recommended update for jitterentropy
Severity: moderate
References: 1202870
Description:
This update for jitterentropy fixes the following issues:

- Hide the non-GNUC constructs that are library internal from the 
  exported header, to make it usable in builds with strict C99
  compliance. (bsc#1202870)


-----------------------------------------
Patch: SUSE-2022-3353
Released: Fri Sep 23 15:23:40 2022
Summary: Security update for permissions
Severity: moderate
References: 1203018,CVE-2022-31252
Description:
This update for permissions fixes the following issues:

- CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).


-----------------------------------------
Patch: SUSE-2022-3452
Released: Wed Sep 28 12:13:43 2022
Summary: Recommended update for glibc
Severity: moderate
References: 1201942
Description:
This update for glibc fixes the following issues:

- Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
- powerpc: Optimized memcmp for power10 (jsc#PED-987)


-----------------------------------------
Patch: SUSE-2022-3489
Released: Sat Oct  1 13:35:24 2022
Summary: Security update for expat
Severity: important
References: 1203438,CVE-2022-40674
Description:
This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).


-----------------------------------------
Patch: SUSE-2022-3551
Released: Fri Oct  7 17:03:55 2022
Summary: Recommended update for libgcrypt
Severity: moderate
References: 1182983,1190700,1191020,1202117
Description:
This update for libgcrypt fixes the following issues:

- FIPS: Fixed gpg/gpg2 gets out of core handler in FIPS mode while
  typing Tab key to Auto-Completion. [bsc#1182983]

- FIPS: Ported libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941]

  * Enable the jitter based entropy generator by default in random.conf
  * Update the internal jitterentropy to version 3.4.0

- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117]
- FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700]

  * Consider approved keylength greater or equal to 112 bits.

- FIPS: Zeroize buffer and digest in check_binary_integrity() [bsc#1191020]


-----------------------------------------
Patch: SUSE-2022-3555
Released: Mon Oct 10 14:05:12 2022
Summary: Recommended update for aaa_base
Severity: important
References: 1199492
Description:
This update for aaa_base fixes the following issues:

- The wrapper rootsh is not a restricted shell. (bsc#1199492)


-----------------------------------------
Patch: SUSE-2022-3663
Released: Wed Oct 19 19:05:21 2022
Summary: Recommended update for openssl-1_1
Severity: moderate
References: 1121365,1180995,1190651,1190653,1190888,1193859,1198471,1198472,1201293,1202148,1203046,1203069
Description:
This update for openssl-1_1 fixes the following issues:

- FIPS: Default to RFC-7919 groups for genparam and dhparam
- FIPS: list only FIPS approved digest and public key algorithms
  [bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472]
- FIPS: Add KAT for the RAND_DRBG implementation [bsc#1203069]
- FIPS: openssl: RAND api should call into FIPS DRBG [bsc#1201293]
  * The FIPS_drbg implementation is not FIPS validated anymore. To
    provide backwards compatibility for applications that need FIPS
    compliant RNG number generation and use FIPS_drbg_generate,
    this function was re-wired to call the FIPS validated DRBG
    instance instead through the RAND_bytes() call.
- FIPS: Fix minor memory leaks by FIPS patch [bsc#1203046]
- FIPS: OpenSSL: Port openssl to use jitterentropy [bsc#1202148, jsc#SLE-24941]
  libcrypto.so now requires libjitterentropy3 library.
- FIPS: OpenSSL Provide a service-level indicator [bsc#1190651]
- FIPS: Add zeroization of temporary variables to the hmac integrity
  function FIPSCHECK_verify(). [bsc#1190653]


-----------------------------------------
Patch: SUSE-2022-3692
Released: Fri Oct 21 16:15:07 2022
Summary: Security update for libxml2
Severity: important
References: 1204366,1204367,CVE-2022-40303,CVE-2022-40304
Description:
This update for libxml2 fixes the following issues:

  - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
  - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).


-----------------------------------------
Patch: SUSE-2022-3784
Released: Wed Oct 26 18:03:28 2022
Summary: Security update for libtasn1
Severity: critical
References: 1204690,CVE-2021-46848
Description:
This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)


-----------------------------------------
Patch: SUSE-2022-3785
Released: Wed Oct 26 20:20:19 2022
Summary: Security update for curl
Severity: important
References: 1204383,1204386,CVE-2022-32221,CVE-2022-42916
Description:
This update for curl fixes the following issues:

  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
  - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).


-----------------------------------------
Patch: SUSE-2022-3787
Released: Thu Oct 27 04:41:09 2022
Summary: Recommended update for permissions
Severity: important
References: 1194047,1203911
Description:
This update for permissions fixes the following issues:

- Fix regression introduced by backport of security fix (bsc#1203911)
- Add permissions for enlightenment helper on 32bit arches (bsc#1194047)


-----------------------------------------
Patch: SUSE-2022-3870
Released: Fri Nov  4 11:12:08 2022
Summary: Recommended update for openssl-1_1
Severity: moderate
References: 1190651,1202148
Description:
This update for openssl-1_1 fixes the following issues:

- FIPS: Add a missing dependency on jitterentropy-devel for libopenssl-1_1-devel (bsc#1202148)
- FIPS: OpenSSL service-level indicator:  Allow AES XTS 256 (bsc#1190651)


-----------------------------------------
Patch: SUSE-2022-3873
Released: Fri Nov  4 14:58:08 2022
Summary: Recommended update for mozilla-nspr, mozilla-nss
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
Description:
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nspr was updated to version 4.34.1:

* add file descriptor sanity checks in the NSPR poll function.

mozilla-nss was updated to NSS 3.79.2 (bsc#1204729):

* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

Other fixes that were applied:

- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
  (bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
  (bsc#1191546).
- FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Use libjitterentropy for entropy (bsc#1202870).
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.


-----------------------------------------
Patch: SUSE-2022-3884
Released: Mon Nov  7 10:59:26 2022
Summary: Security update for expat
Severity: important
References: 1204708,CVE-2022-43680
Description:
This update for expat fixes the following issues:

  - CVE-2022-43680: Fixed use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).


-----------------------------------------
Patch: SUSE-2022-3904
Released: Tue Nov  8 10:52:13 2022
Summary: Recommended update for openssh
Severity: moderate
References: 1192439
Description:
This update for openssh fixes the following issue:

- Prevent empty messages from being sent. (bsc#1192439)


-----------------------------------------
Patch: SUSE-2022-3910
Released: Tue Nov  8 13:05:04 2022
Summary: Recommended update for pam
Severity: moderate
References: 
Description:
This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)


-----------------------------------------
Patch: SUSE-2022-3931
Released: Thu Nov 10 11:26:01 2022
Summary: Security update for git
Severity: moderate
References: 1204455,1204456,CVE-2022-39253,CVE-2022-39260
Description:
This update for git fixes the following issues:

  - CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456).
  - CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).


-----------------------------------------
Patch: SUSE-2022-3958
Released: Fri Nov 11 15:20:45 2022
Summary: Recommended update for mozilla-nss
Severity: moderate
References: 1191546,1198980,1201298,1202870,1204729
Description:
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)

* Bump minimum NSPR version to 4.34.1.
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

- FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
- FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
  (bsc#1198980).
- FIPS: Allow the use of longer symmetric keys via the service level indicator
  (bsc#1191546).
- FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
- FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
- FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
- FIPS: Use libjitterentropy for entropy. 
- FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.


-----------------------------------------
Patch: SUSE-2022-3961
Released: Mon Nov 14 07:33:50 2022
Summary: Recommended update for zlib
Severity: important
References: 1203652
Description:
This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)


-----------------------------------------
Patch: SUSE-2022-3974
Released: Mon Nov 14 15:39:20 2022
Summary: Recommended update for util-linux
Severity: moderate
References: 1201959,1204211
Description:
This update for util-linux fixes the following issues:

- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short-running applications: increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.


-----------------------------------------
Patch: SUSE-2022-3986
Released: Tue Nov 15 12:57:41 2022
Summary: Security update for libX11
Severity: moderate
References: 1204422,1204425,CVE-2022-3554,CVE-2022-3555
Description:
This update for libX11 fixes the following issues:

  - CVE-2022-3554: Fixed memory leak in XRegisterIMInstantiateCallback() (bsc#1204422).
  - CVE-2022-3555: Fixed memory leak in _XFreeX11XCBStructure() (bsc#1204425).


-----------------------------------------
Patch: SUSE-2022-3999
Released: Tue Nov 15 17:08:04 2022
Summary: Security update for systemd
Severity: moderate
References: 1204179,1204968,CVE-2022-3821
Description:
This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

- Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428
  * 0469b9f2bc pstore: do not try to load all known pstore modules
  * ad05f54439 pstore: Run after modules are loaded
  * ccad817445 core: Add trigger limit for path units
  * 281d818fe3 core/mount: also add default before dependency for automount mount units
  * ffe5b4afa8 logind: fix crash in logind on user-specified message string

- Document udev naming scheme (bsc#1204179)
- Make 'sle15-sp3' net naming scheme still available for backward compatibility
  reasons


-----------------------------------------
Patch: SUSE-2022-4011
Released: Wed Nov 16 11:29:09 2022
Summary: Security update for jsoup
Severity: moderate
References: 1203459,CVE-2022-36033
Description:
This update for jsoup fixes the following issues:

  Updated to version 1.15.3:

  - CVE-2022-36033: Fixed incorrect sanitization of user input in SafeList.preserveRelativeLinks (bsc#1203459).



-----------------------------------------
Patch: SUSE-2022-4066
Released: Fri Nov 18 10:43:00 2022
Summary: Recommended update for timezone
Severity: important
References: 1177460,1202324,1204649,1205156
Description:
This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z


-----------------------------------------
Patch: SUSE-2022-4076
Released: Fri Nov 18 15:00:38 2022
Summary: Recommended update for jsoup
Severity: moderate
References: 
Description:
This update for jsoup fixes the following issues:

- Fix typo in the ant *-build.xml file that caused errors while building eclipse.


-----------------------------------------
Patch: SUSE-2022-4078
Released: Fri Nov 18 15:34:17 2022
Summary: Security update for java-11-openjdk
Severity: moderate
References: 1203476,1204468,1204471,1204472,1204473,1204475,1204480,1204523,CVE-2022-21618,CVE-2022-21619,CVE-2022-21624,CVE-2022-21626,CVE-2022-21628,CVE-2022-39399
Description:
This update for java-11-openjdk fixes the following issues:

- Update to jdk-11.0.17+8 (October 2022 CPU)
- CVE-2022-39399: Improve HTTP/2 client usage (bsc#1204480)
- CVE-2022-21628: Better HttpServer service (bsc#1204472)
- CVE-2022-21624: Enhance icon presentations (bsc#1204475)
- CVE-2022-21619: Improve NTLM support (bsc#1204473)
- CVE-2022-21626: Key X509 usages (bsc#1204471)
- CVE-2022-21618: Wider MultiByte (bsc#1204468)


-----------------------------------------
Patch: SUSE-2022-4081
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Severity: low
References: 1199944,CVE-2022-1664
Description:
This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).


-----------------------------------------
Patch: SUSE-2022-4135
Released: Mon Nov 21 00:13:40 2022
Summary: Recommended update for libeconf
Severity: moderate
References: 1198165
Description:
This update for libeconf fixes the following issues:

- Update to version 0.4.6+git
  - econftool:
    Parsing error: Reporting file and line nr.
    --delimeters=spaces accepting all kinds of spaces for delimiter.
  - libeconf:
    Parse files correctly on space characters (1198165)

- Update to version 0.4.5+git
  - econftool:
    New call 'syntax' for checking the configuration files only. Returns an error string with line number if error.
    New options '--comment' and '--delimeters'


-----------------------------------------
Patch: SUSE-2022-4153
Released: Mon Nov 21 14:34:09 2022
Summary: Security update for krb5
Severity: important
References: 1205126,CVE-2022-42898
Description:
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).


-----------------------------------------
Patch: SUSE-2022-4198
Released: Wed Nov 23 13:15:04 2022
Summary: Recommended update for rpm
Severity: moderate
References: 1202750
Description:
This update for rpm fixes the following issues:

- Strip critical bit in signature subpackage parsing
- No longer deadlock DNF after pubkey import (bsc#1202750)


-----------------------------------------
Patch: SUSE-2022-4212
Released: Thu Nov 24 15:53:48 2022
Summary: Recommended update for openssl-1_1
Severity: moderate
References: 1190651
Description:
This update for openssl-1_1 fixes the following issues:

- FIPS: Mark PBKDF2 with key shorter than 112 bits as non-approved (bsc#1190651)
- FIPS: Consider RSA siggen/sigver with PKCS1 padding also approved (bsc#1190651)
- FIPS: Return the correct indicator for a given EC group order bits (bsc#1190651)


-----------------------------------------
Patch: SUSE-2022-4233
Released: Fri Nov 25 18:19:33 2022
Summary: Recommended update for publicsuffix
Severity: low
References: 
Description:
This update for publicsuffix fixes the following issues:

- Update to version 20220903