Container summary for bci/openjdk

SUSE-CU-2024:5205-1

This update for gcc14 fixes the following issues:
This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc14 compilers use:

• install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
• override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages.

• Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend

• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Remove timezone Recommends from the libstdc++6 package. [bsc#1221601]
• Revert libgccjit dependency change. [bsc#1220724]
• Fix libgccjit-devel dependency, a newer shared library is OK.
• Fix libgccjit dependency, the corresponding compiler isn't required.
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031]
• Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6.

SUSE-CU-2024:5081-1

SUSE-CU-2024:5010-1

This update for bash fixes the following issues:

• Load completion file eveh if a brace expansion is in the command line included (bsc#1227807).

SUSE-CU-2024:4976-1

SUSE-CU-2024:4853-1

This update for e2fsprogs fixes the following issue:

• resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145).

SUSE-CU-2024:4746-1

This update for glibc fixes the following issue:

• fix memory malloc problem: Initiate tcache shutdown even without allocations (bsc#1228661).

SUSE-CU-2024:4671-1

SUSE-CU-2024:4647-1

This update for curl fixes the following issue:

• Make special characters in URL work with aws-sigv4 (bsc#1230516).

SUSE-CU-2024:4581-1

SUSE-CU-2024:4525-1

SUSE-CU-2024:4466-1

This update for ncurses fixes the following issues:

• Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

SUSE-CU-2024:4435-1

SUSE-CU-2024:4306-1

This update for expat fixes the following issues:

• CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
• CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
• CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)

This update for util-linux fixes the following issue:

• Skip aarch64 decode path for rest of the architectures (bsc#1229476).

SUSE-CU-2024:4236-1

This update for curl fixes the following issues:

• CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

SUSE-CU-2024:4123-1

This update for glibc fixes the following issue:

• s390x: Fix segfault in wcsncmp (bsc#1228043).

SUSE-CU-2024:4083-1

This update for systemd fixes the following issues:

• CVE-2023-7008: Fixed man-in-the-middle due to unsigned name response in signed zone not refused when DNSSEC=yes (bsc#1218297)

• Unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
• Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
• Skip redundant dependencies specified the LSB description that references the file name of the service itself for early boot scripts (bsc#1221479).

SUSE-CU-2024:4028-1

SUSE-CU-2024:3990-1

This update for curl fixes the following issues:
- CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535)

This update for glib2 fixes the following issues:

• Fixed a possible use after free regression introduced by CVE-2024-34397 patch (bsc#1224044).

This update for mozilla-nss fixes the following issues:

• FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

SUSE-CU-2024:3884-1

This update for git fixes the following issue:

• Fix syntax error with old apparmor versions (bsc#1229029)

SUSE-CU-2024:3838-1

SUSE-CU-2024:3727-1

SUSE-CU-2024:3655-1

This update for util-linux fixes the following issues:

• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).

This update for openssl-1_1 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

• Build with no-afalgeng (bsc#1226463)

SUSE-CU-2024:3586-1

SUSE-CU-2024:3499-1

SUSE-CU-2024:3498-1

This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6.

SUSE-CU-2024:3431-1

SUSE-CU-2024:3333-1

This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.24+8 (July 2024 CPU):

• CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
• CVE-2024-21138: Fixed an infinite loop due to excessive symbol length (bsc#1228047).
• CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check Elimination (bsc#1228048).
• CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling (bsc#1228052).
• CVE-2024-21145: Fixed an index overflow in RangeCheckElimination (bsc#1228051).
• CVE-2024-21144: Fixed an excessive loading time in Pack200 due to improper header validation (bsc#1228050).

This update for git fixes the following issues:

• CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660)

This update of libxkbcommon fixes the following issue:

• ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)

This update for patterns-base fixes the following issues:
Added a fips-certified pattern matching the exact certified FIPS versions of the Linux Kernel, openssl 1.1.1, gnutls/nettle, mozilla-nss and libgcrypt.
Note that applying this pattern might cause downgrade of various packages and so deinstall security and bugfix updates released after the certified binaries.

This update for mozilla-nss fixes the following issues:

• Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
• Added 'Provides: nss' so other RPMs that require 'nss' can be installed (jira PED-6358).

• FIPS: added safe memsets (bsc#1222811)
• FIPS: restrict AES-GCM (bsc#1222830)
• FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
• FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
• FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

• Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918)

• bmo#1905691 - ChaChaXor to return after the function

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

• add diagnostic assertions for SFTKObject refcount.
• freeing the slot in DeleteCertAndKey if authentication failed
• fix formatting issues.
• Add Firmaprofesional CA Root-A Web to NSS.
• remove invalid acvp fuzz test vectors.
• pad short P-384 and P-521 signatures gtests.
• remove unused FreeBL ECC code.
• pad short P-384 and P-521 signatures.
• be less strict about ECDSA private key length.
• Integrate HACL* P-521.
• Integrate HACL* P-384.
• memory leak in create_objects_from_handles.
• ensure all input is consumed in a few places in mozilla::pkix
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• clean up escape handling
• Use lib::pkix as default validator instead of the old-one
• Need to add high level support for PQ signing.
• Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• Allow for non-full length ecdsa signature when using softoken
• Modification of .taskcluster.yml due to mozlint indent defects
• Implement support for PBMAC1 in PKCS#12
• disable VLA warnings for fuzz builds.
• remove redundant AllocItem implementation.
• add PK11_ReadDistrustAfterAttribute.
• - Clang-formatting of SEC_GetMgfTypeByOidTag update
• Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
• sftk_getParameters(): Fix fallback to default variable after error with configfile.
• Switch to the mozillareleases/image_builder image

• switch from ec_field_GFp to ec_field_plain

• merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
• remove ckcapi.
• avoid a potential PK11GenericObject memory leak.
• Remove incomplete ESDH code.
• Decrypt RSA OAEP encrypted messages.
• Fix certutil CRLDP URI code.
• Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
• Add ability to encrypt and decrypt CMS messages using ECDH.
• Correct Templates for key agreement in smime/cmsasn.c.
• Moving the decodedCert allocation to NSS.
• Allow developers to speed up repeated local execution of NSS tests that depend on certificates.

• Removing check for message len in ed25519 (bmo#1325335)
• add ed25519 to SECU_ecName2params. (bmo#1884276)
• add EdDSA wycheproof tests. (bmo#1325335)
• nss/lib layer code for EDDSA. (bmo#1325335)
• Adding EdDSA implementation. (bmo#1325335)
• Exporting Certificate Compression types (bmo#1881027)
• Updating ACVP docker to rust 1.74 (bmo#1880857)
• Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
• Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

• (CVE-2023-5388) Timing attack against RSA decryption in TLS
• Certificate Compression: enabling the check that the compression was advertised
• Move Windows workers to nss-1/b-win2022-alpha
• Remove Email trust bit from OISTE WISeKey Global Root GC CA
• Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
• Certificate Compression: Updating nss_bogo_shim to support Certificate compression
• TLS Certificate Compression (RFC 8879) Implementation
• Add valgrind annotations to freebl kyber operations for constant-time execution tests
• Set nssckbi version number to 2.66
• Add Telekom Security roots
• Add D-Trust 2022 S/MIME roots
• Remove expired Security Communication RootCA1 root
• move keys to a slot that supports concatenation in PK11_ConcatSymKeys
• remove unmaintained tls-interop tests
• bogo: add support for the -ipv6 and -shim-id shim flags
• bogo: add support for the -curves shim flag and update Kyber expectations
• bogo: adjust expectation for a key usage bit test
• mozpkix: add option to ignore invalid subject alternative names
• Fix selfserv not stripping `publicname:` from -X value
• take ownership of ecckilla shims
• add valgrind annotations to freebl/ec.c
• PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
• Update zlib to 1.3.1

• make Xyber768d00 opt-in by policy
• add libssl support for xyber768d00
• add PK11_ConcatSymKeys
• add Kyber and a PKCS#11 KEM interface to softoken
• add a FreeBL API for Kyber
• part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
• part 1: add a script for vendoring kyber from pq-crystals repo
• Removing the calls to RSA Blind from loader.*
• fix worker type for level3 mac tasks
• RSA Blind implementation
• Remove DSA selftests
• read KWP testvectors from JSON
• Backed out changeset dcb174139e4f
• Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
• Wrap CC shell commands in gyp expansions

• Use pypi dependencies for MacOS worker in ./build_gyp.sh
• p7sign: add -a hash and -u certusage (also p7verify cleanups)
• add a defensive check for large ssl_DefSend return values
• Add dependency to the taskcluster script for Darwin
• Upgrade version of the MacOS worker for the CI

• Bump builtins version number.
• Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
• Remove 4 DigiCert (Symantec/Verisign) Root Certificates
• Remove 3 TrustCor Root Certificates from NSS.
• Remove Camerfirma root certificates from NSS.
• Remove old Autoridad de Certificacion Firmaprofesional Certificate.
• Add four Commscope root certificates to NSS.
• Add TrustAsia Global Root CA G3 and G4 root certificates.
• Include P-384 and P-521 Scalar Validation from HACL*
• Include P-256 Scalar Validation from HACL*.
• After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
• Add means to provide library parameters to C_Initialize
• add OSXSAVE and XCR0 tests to AVX2 detection.
• Typo in ssl3_AppendHandshakeNumber
• Introducing input check of ssl3_AppendHandshakeNumber
• Fix Invalid casts in instance.c

• Updated code and commit ID for HACL*
• update ACVP fuzzed test vector: refuzzed with current NSS
• Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
• NSS needs a database tool that can dump the low level representation of the database
• declare string literals using char in pkixnames_tests.cpp
• avoid implicit conversion for ByteString
• update rust version for acvp docker
• Moving the init function of the mpi_ints before clean-up in ec.c
• P-256 ECDH and ECDSA from HACL*
• Add ACVP test vectors to the repository
• Stop relying on std::basic_string
• Transpose the PPC_ABI check from Makefile to gyp

• Update zlib in NSS to 1.3.
• softoken: iterate hashUpdate calls for long inputs.
• regenerate NameConstraints test certificates (bsc#1214980).

• Set nssckbi version number to 2.62
• Add 4 Atos TrustedRoot Root CA certificates to NSS
• Add 4 SSL.com Root CA certificates
• Add Sectigo E46 and R46 Root CA certificates
• Add LAWtrust Root CA2 (4096)
• Remove E-Tugra Certification Authority root
• Remove Camerfirma Chambers of Commerce Root.
• Remove Hongkong Post Root CA 1
• Remove E-Tugra Global Root CA ECC v3 and RSA v3
• Avoid redefining BYTE_ORDER on hppa Linux

• Implementation of the HW support check for ADX instruction
• Removing the support of Curve25519
• Fix comment about the addition of ticketSupportsEarlyData
• Adding args to enable-legacy-db build
• dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
• Initialize flags in slot structures
• Improve the length check of RSA input to avoid heap overflow
• Followup Fixes
• avoid processing unexpected inputs by checking for m_exptmod base sign
• add a limit check on order_k to avoid infinite loop
• Update HACL* to commit 5f6051d2
• add SHA3 to cryptohi and softoken
• HACL SHA3
• Disabling ASM C25519 for A but X86_64

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
• clean up escape handling.
• remove redundant AllocItem implementation.
• Disable ASM support for Curve25519.
• Disable ASM support for Curve25519 for all but X86_64.

SUSE-CU-2024:3267-1

SUSE-CU-2024:3196-1

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for git fixes the following issues:
Update from version 2.26.2 to version 2.31.1 (jsc#SLE-18152)
Security fixes:

• CVE-2021-21300: On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could run remote code during a clone. (bsc#1183026)

• Add `sysusers` file to create `git-daemon` user.
• Remove `perl-base` and `openssh-server` dependency on `git-core`and provide a `perl-Git` package. (jsc#SLE-17838)
• `fsmonitor` bug fixes
• Fix `git bisect` to take an annotated tag as a good/bad endpoint
• Fix a corner case in `git mv` on case insensitive systems
• Require only `openssh-clients` where possible (like Tumbleweed or SUSE Linux Enterprise >= 15 SP3). (bsc#1183580)
• Drop `rsync` requirement, not necessary anymore.
• Use of `pack-redundant` command is discouraged and will trigger a warning. The replacement is `repack -d`.
• The `--format=%(trailers)` mechanism gets enhanced to make it easier to design output for machine consumption.
• No longer give message to choose between rebase or merge upon pull if the history `fast-forwards`.
• The configuration variable `core.abbrev` can be set to `no` to force no abbreviation regardless of the hash algorithm
• `git rev-parse` can be explicitly told to give output as absolute or relative path with the `--path-format=(absolute|relative)` option.
• Bash completion update to make it easier for end-users to add completion for their custom `git` subcommands.
• `git maintenance` learned to drive scheduled maintenance on platforms whose native scheduling methods are not 'cron'.
• After expiring a reflog and making a single commit, the reflog for the branch would record a single entry that knows both `@{0}` and `@{1}`, but we failed to answer 'what commit were we on?', i.e. `@{1}`
• `git bundle` learns `--stdin` option to read its refs from the standard input. Also, it now does not lose refs when they point at the same object.
• `git log` learned a new `--diff-merges=` option.
• `git ls-files` can and does show multiple entries when the index is unmerged, which is a source for confusion unless `-s/-u` option is in use. A new option `--deduplicate` has been introduced.
• `git worktree list` now annotates worktrees as prunable, shows locked and prunable attributes in `--porcelain mode`, and gained a `--verbose` option.
• `git clone` tries to locally check out the branch pointed at by HEAD of the remote repository after it is done, but the protocol did not convey the information necessary to do so when copying an empty repository. The protocol v2 learned how to do so.
• There are other ways than `..` for a single token to denote a `commit range', namely `^!` and `^-`, but `git range-diff` did not understand them.
• The `git range-diff` command learned `--(left|right)-only` option to show only one side of the compared range.
• `git mergetool` feeds three versions (base, local and remote) of a conflicted path unmodified. The command learned to optionally prepare these files with unconflicted parts already resolved.
• The `.mailmap` is documented to be read only from the root level of a working tree, but a stray file in a bare repository also was read by accident, which has been corrected.
• `git maintenance` tool learned a new `pack-refs` maintenance task.
• Improved error message given when a configuration variable that is expected to have a boolean value.
• Signed commits and tags now allow verification of objects, whose two object names (one in SHA-1, the other in SHA-256) are both signed.
• `git rev-list` command learned `--disk-usage` option.
• `git diff`, `git log` `--{skip,rotate}-to=` allows the user to discard diff output for early paths or move them to the end of the output.
• `git difftool` learned `--skip-to=` option to restart an interrupted session from an arbitrary path.
• `git grep` has been tweaked to be limited to the sparse checkout paths.
• `git rebase --[no-]fork-point` gained a configuration variable `rebase.forkPoint` so that users do not have to keep specifying a non-default setting.
• `git stash` did not work well in a sparsely checked out working tree.
• Newline characters in the host and path part of `git://` URL are now forbidden.
• `Userdiff` updates for PHP, Rust, CSS
• Avoid administrator error leading to data loss with `git push --force-with-lease[=]` by introducing `--force-if-includes`
• only pull `asciidoctor` for the default ruby version
• The `--committer-date-is-author-date` option of `rebase` and `am` subcommands lost the e-mail address by mistake in 2.29
• The transport protocol v2 has become the default again
• `git worktree` gained a `repair` subcommand, `git init --separate-git-dir` no longer corrupts administrative data related to linked worktrees
• `git maintenance` introduced for repository maintenance tasks
• `fetch.writeCommitGraph` is deemed to be still a bit too risky and is no longer part of the `feature.experimental` set.
• The commands in the `diff` family honors the `diff.relative` configuration variable.
• `git diff-files` has been taught to say paths that are marked as `intent-to-add` are new files, not modified from an empty blob.
• `git gui` now allows opening work trees from the start-up dialog.
• `git bugreport` reports what shell is in use.
• Some repositories have commits that record wrong committer timezone; `git fast-import` has an option to pass these timestamps intact to allow recreating existing repositories as-is.
• `git describe` will always use the `long` version when giving its output based misplaced tags
• `git pull` issues a warning message until the `pull.rebase` configuration variable is explicitly given

This update for git fixes the following issues:

• Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)

This update for git fixes the following issues:

• update to 2.34.1 (bsc#1193722): * 'git grep' looking in a blob that has non-UTF8 payload was completely broken when linked with certain versions of PCREv2 library in the latest release. * 'git pull' with any strategy when the other side is behind us should succeed as it is a no-op, but doesn't. * An earlier change in 2.34.0 caused JGit application (that abused GIT_EDITOR mechanism when invoking 'git config') to get stuck with a SIGTTOU signal; it has been reverted. * An earlier change that broke .gitignore matching has been reverted. * SubmittingPatches document gained a syntactically incorrect mark-up, which has been corrected.

• git 2.33.0: * 'git send-email' learned the '--sendmail-cmd' command line option and the 'sendemail.sendmailCmd' configuration variable, which is a more sensible approach than the current way of repurposing the 'smtp-server' that is meant to name the server to instead name the command to talk to the server. * The userdiff pattern for C# learned the token 'record'. * 'git rev-list' learns to omit the 'commit ' header lines from the output with the `--no-commit-header` option. * 'git worktree add --lock' learned to record why the worktree is locked with a custom message. * internal improvements including performance optimizations * a number of bug fixes

• git 2.32.0: * '.gitattributes', '.gitignore', and '.mailmap' files that are symbolic links are ignored * 'git apply --3way' used to first attempt a straight application, and only fell back to the 3-way merge algorithm when the straight application failed. Starting with this version, the command will first try the 3-way merge algorithm and only when it fails (either resulting with conflict or the base versions of blobs are missing), falls back to the usual patch application. * 'git stash show' can now show the untracked part of the stash * Improved 'git repack' strategy * http code can now unlock a certificate with a cached password respectively. * 'git clone --reject-shallow' option fails the clone as soon as we notice that we are cloning from a shallow repository. * 'gitweb' learned 'e-mail privacy' feature * Multiple improvements to output and configuration options * Bug fixes and developer visible fixes

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for git fixes the following issues:

• Updated to version 2.35.3: - CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for git fixes the following issues:

• CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).

This update for pcre2 fixes the following issues:

• CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for git fixes the following issues:
- CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456). - CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).

This update for git fixes the following issues:

• CVE-2022-41903: Fixed a heap overflow in the 'git archive' and 'git log --format' commands (bsc#1207033).
• CVE-2022-23521: Fixed an integer overflow that could be triggered when parsing a gitattributes file (bsc#1207032).

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for less fixes the following issues:
- CVE-2022-46663: Fixed denial-of-service by printing specially crafted escape sequences to the terminal (bsc#1207815).

This update for git fixes the following issues:
- CVE-2023-22490: Fixed incorrectly usable local clone optimization even when using a non-local transport (bsc#1208027). - CVE-2023-23946: Fixed issue where a path outside the working tree can be overwritten as the user who is running 'git apply' (bsc#1208028).

This update for git fixes the following issues:

• CVE-2023-25652: Fixed partial overwrite of paths outside the working tree (bsc#1210686).
• CVE-2023-25815: Fixed malicious placemtn of crafted message (bsc#1210686).
• CVE-2023-29007: Fixed arbitrary configuration injection (bsc#1210686).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for pcre2 fixes the following issues:
- CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

This update for gawk fixes the following issues:

• CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for git fixes the following issues:

• Downgrade openssh dependency to recommends (bsc#1215533)

This update for git fixes the following issues:

• Add rule for /etc/gitconfig in gitweb.cgi apparmor profile (bsc#1216501).
• gitweb.cgi AppArmor profile - make the profile a named profile - add local/include to make custom additions easier

This update for procps fixes the following issues:

• Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369)

• For support up to 2048 CPU as well (bsc#1185417)
• Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122)
• Get the first CPU summary correct (bsc#1121753)
• Enable pidof for SLE-15 as this is provided by sysvinit-tools
• Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build
• Do not truncate output of w with option -n
• Prefer logind over utmp (jsc#PED-3144)
• Don't install translated man pages for non-installed binaries (uptime, kill).
• Fix directory for Ukrainian man pages translations.
• Move localized man pages to lang package.

• Update to procps-ng-3.3.17

• Package translations in procps-lang.

• Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited.

• Enable pidof by default

• Update to procps-ng-3.3.16

This update for git fixes the following issues:

• Do not replace apparmor configuration (bsc#1216545)

This update for krb5 fixes the following issues:

• CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
• CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).
• CVE-2024-26462: Fixed memory leak at /krb5/src/kdc/ndr.c (bsc#1220772).

This update for curl fixes the following issues:

• CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665)
• CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667)

This update for nghttp2 fixes the following issues:

• CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

This update for less fixes the following issues:

• CVE-2022-48624: Fixed LESSCLOSE handling in less that does not quote shell metacharacters (bsc#1219901).

This update for less fixes the following issues:

• CVE-2024-32487: Fixed mishandling of \n character in paths when LESSOPEN is set leads to OS command execution. (bsc#1222849)

This update for e2fsprogs fixes the following issues:
EA Inode handling fixes:

• ext2fs: avoid re-reading inode multiple times (bsc#1223596)
• e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs() (bsc#1223596)
• e2fsck: add more checks for ea inode consistency (bsc#1223596)
• e2fsck: fix golden output of several tests (bsc#1223596)

This update for git fixes the following issues:

• CVE-2024-32002: Fixed recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion (bsc#1224168).
• CVE-2024-32004: Fixed arbitrary code execution during local clones (bsc#1224170).
• CVE-2024-32020: Fixed file overwriting vulnerability during local clones (bsc#1224171).
• CVE-2024-32021: Fixed git may create hardlinks to arbitrary user-readable files (bsc#1224172).
• CVE-2024-32465: Fixed arbitrary code execution during clone operations (bsc#1224173).

This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5.
This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-CU-2024:3113-1

SUSE-CU-2024:2981-1

SUSE-CU-2024:2891-1

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

SUSE-CU-2024:2782-1

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

SUSE-CU-2024:2704-1

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

SUSE-CU-2024:2638-1

SUSE-CU-2024:2569-1

SUSE-CU-2024:2516-1

SUSE-CU-2024:2466-1

This update for glibc fixes the following issues:

• CVE-2024-33599: Fixed a stack-based buffer overflow in netgroup cache in nscd (bsc#1223423)
• CVE-2024-33600: Avoid null pointer crashes after notfound response in nscd (bsc#1223424)
• CVE-2024-33600: Do not send missing not-found response in addgetnetgrentX in nscd (bsc#1223424)
• CVE-2024-33601, CVE-2024-33602: Fixed use of two buffers in addgetnetgrentX ( bsc#1223425)
• CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)

• Avoid creating userspace live patching prologue for _start routine (bsc#1221940)

SUSE-CU-2024:2417-1

SUSE-CU-2024:2362-1

SUSE-CU-2024:2328-1

This update for openssl-1_1 fixes the following issues:

• CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548).

This update for util-linux fixes the following issues:

• Processes not cleaned up after failed SSH session are using up 100% CPU (bsc#1220117)
• lscpu: Add more ARM cores (bsc#1223605)
• Document that chcpu -g is not supported on IBM z/VM (bsc#1218609)

This update for glib2 fixes the following issues:

• CVE-2024-34397: Fixed signal subscription unicast spoofing vulnerability (bsc#1224044).

SUSE-CU-2024:2216-1

SUSE-CU-2024:2134-1

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

SUSE-CU-2024:2072-1

SUSE-CU-2024:2002-1

SUSE-CU-2024:1965-1

SUSE-CU-2024:1918-1

This update for java-11-openjdk fixes the following issues:

• CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
• CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
• CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
• CVE-2024-21085: Fixed denial of service due to Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
• CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)

• Upgrade to upstream tag jdk-11.0.23+9 (April 2024 CPU) * Security fixes + JDK-8318340: Improve RSA key implementations * Other changes + JDK-6928542: Chinese characters in RTF are not decoded + JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/ /bug4517214.java fails on MacOS + JDK-7148092: [macosx] When Alt+down arrow key is pressed, the combobox popup does not appear. + JDK-8054022: HttpURLConnection timeouts with Expect: 100-Continue and no chunking + JDK-8054572: [macosx] JComboBox paints the border incorrectly + JDK-8058176: [mlvm] tests should not allow code cache exhaustion + JDK-8067651: LevelTransitionTest.java, fix trivial methods levels logic + JDK-8068225: nsk/jdi/EventQueue/remove_l/remove_l005 intermittently times out + JDK-8156889: ListKeychainStore.sh fails in some virtualized environments + JDK-8166275: vm/mlvm/meth/stress/compiler/deoptimize keeps timeouting + JDK-8166554: Avoid compilation blocking in OverloadCompileQueueTest.java + JDK-8169475: WheelModifier.java fails by timeout + JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh to Java Jtreg Test + JDK-8186610: move ModuleUtils to top-level testlibrary + JDK-8192864: defmeth tests can hide failures + JDK-8193543: Regression automated test '/open/test/jdk/java/ /awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java' fails + JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/ /isexceeded001/TestDescription.java still failing + JDK-8202282: [TESTBUG] appcds TestCommon .makeCommandLineForAppCDS() can be removed + JDK-8202790: DnD test DisposeFrameOnDragTest.java does not clean up + JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/ /ChoicePopupLocation.java fails + JDK-8207211: [TESTBUG] Remove excessive output from CDS/AppCDS tests + JDK-8207214: Broken links in JDK API serialized-form page + JDK-8207855: Make applications/jcstress invoke tests in batches + JDK-8208243: vmTestbase/gc/lock/jni/jnilock002/ /TestDescription.java fails in jdk/hs nightly + JDK-8208278: [mlvm] [TESTBUG] vm.mlvm.mixed.stress.java .findDeadlock.INDIFY_Test Deadlocked threads are not always detected + JDK-8208623: [TESTBUG] runtime/LoadClass/LongBCP.java fails in AUFS file system + JDK-8208699: remove unneeded imports from runtime tests + JDK-8208704: runtime/appcds/MultiReleaseJars.java timed out often in hs-tier7 testing + JDK-8208705: [TESTBUG] The -Xlog:cds,cds+hashtables vm option is not always required for appcds tests + JDK-8209549: remove VMPropsExt from TEST.ROOT + JDK-8209595: MonitorVmStartTerminate.java timed out + JDK-8209946: [TESTBUG] CDS tests should use '@run driver' + JDK-8211438: [Testbug] runtime/XCheckJniJsig/XCheckJSig.java looks for libjsig in wrong location + JDK-8211978: Move testlibrary/jdk/testlibrary/ /SimpleSSLContext.java and testkeys to network testlibrary + JDK-8213622: Windows VS2013 build failure - ''snprintf': identifier not found' + JDK-8213926: WB_EnqueueInitializerForCompilation requests compilation for NULL + JDK-8213927: G1 ignores AlwaysPreTouch when UseTransparentHugePages is enabled + JDK-8214908: add ctw tests for jdk.jfr and jdk.management.jfr modules + JDK-8214915: CtwRunner misses export for jdk.internal.access + JDK-8216408: XMLStreamWriter setDefaultNamespace(null) throws NullPointerException + JDK-8217475: Unexpected StackOverflowError in 'process reaper' thread + JDK-8218754: JDK-8068225 regression in JDIBreakpointTest + JDK-8219475: javap man page needs to be updated + JDK-8219585: [TESTBUG] sun/management/jmxremote/bootstrap/ /JMXInterfaceBindingTest.java passes trivially when it shouldn't + JDK-8219612: [TESTBUG] compiler.codecache.stress.Helper .TestCaseImpl can't be defined in different runtime package as its nest host + JDK-8225471: Test utility jdk.test.lib.util.FileUtils .areAllMountPointsAccessible needs to tolerate duplicates + JDK-8226706: (se) Reduce the number of outer loop iterations on Windows in java/nio/channels/Selector/RacyDeregister.java + JDK-8226905: unproblem list applications/ctw/modules/* tests on windows + JDK-8226910: make it possible to use jtreg's -match via run-test framework + JDK-8227438: [TESTLIB] Determine if file exists by Files.exists in function FileUtils.deleteFileIfExistsWithRetry + JDK-8231585: java/lang/management/ThreadMXBean/ /MaxDepthForThreadInfoTest.java fails with java.lang.NullPointerException + JDK-8232839: JDI AfterThreadDeathTest.java failed due to 'FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()' + JDK-8233453: MLVM deoptimize stress test timed out + JDK-8234309: LFGarbageCollectedTest.java fails with parse Exception + JDK-8237222: [macos] java/awt/Focus/UnaccessibleChoice/ /AccessibleChoiceTest.java fails + JDK-8237777: 'Dumping core ...' is shown despite claiming that '# No core dump will be written.' + JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java failing with LDAP response read timeout + JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel + JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/ /AccessibleChoiceTest.java fails + JDK-8244679: JVM/TI GetCurrentContendedMonitor/contmon001 failed due to '(IsSameObject#3) unexpected monitor object: 0x000000562336DBA8' + JDK-8246222: Rename javac test T6395981.java to be more informative + JDK-8247818: GCC 10 warning stringop-overflow with symbol code + JDK-8249087: Always initialize _body[0..1] in Symbol constructor + JDK-8251349: Add TestCaseImpl to OverloadCompileQueueTest.java's build dependencies + JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/ /btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR + JDK-8253543: sanity/client/SwingSet/src/ /ButtonDemoScreenshotTest.java failed with 'AssertionError: All pixels are not black' + JDK-8253739: java/awt/image/MultiResolutionImage/ /MultiResolutionImageObserverTest.java fails + JDK-8253820: Save test images and dumps with timestamps from client sanity suite + JDK-8255277: randomDelay in DrainDeadlockT and LoggingDeadlock do not randomly delay + JDK-8255546: Missing coverage for javax.smartcardio.CardPermission and ResponseAPDU + JDK-8255743: Relax SIGFPE match in in runtime/ErrorHandling/SecondaryErrorTest.java + JDK-8257505: nsk/share/test/StressOptions stressTime is scaled in getter but not when printed + JDK-8259801: Enable XML Signature secure validation mode by default + JDK-8264135: UnsafeGetStableArrayElement should account for different JIT implementation details + JDK-8265349: vmTestbase/../stress/compiler/deoptimize/ /Test.java fails with OOME due to CodeCache exhaustion. + JDK-8269025: jsig/Testjsig.java doesn't check exit code + JDK-8269077: TestSystemGC uses 'require vm.gc.G1' for large pages subtest + JDK-8271094: runtime/duplAttributes/DuplAttributesTest.java doesn't check exit code + JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code + JDK-8271828: mark hotspot runtime/classFileParserBug tests which ignore external VM flags + JDK-8271829: mark hotspot runtime/Throwable tests which ignore external VM flags + JDK-8271890: mark hotspot runtime/Dictionary tests which ignore external VM flags + JDK-8272291: mark hotspot runtime/logging tests which ignore external VM flags + JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes + JDK-8272551: mark hotspot runtime/modules tests which ignore external VM flags + JDK-8272552: mark hotspot runtime/cds tests which ignore external VM flags + JDK-8273803: Zero: Handle 'zero' variant in CommandLineOptionTest.java + JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + JDK-8274621: NullPointerException because listenAddress[0] is null + JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC + JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 + JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails with java.lang.RuntimeException: values differ by more than 1GB + JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/ /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from problemlist. + JDK-8281717: Cover logout method for several LoginModule + JDK-8282665: [REDO] ByteBufferTest.java: replace endless recursion with RuntimeException in void ck(double x, double y) + JDK-8284090: com/sun/security/auth/module/AllPlatforms.java fails to compile + JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests + JDK-8285785: CheckCleanerBound test fails with PasswordCallback object is not released + JDK-8285867: Convert applet manual tests SelectionVisible.java to Frame and automate + JDK-8286846: test/jdk/javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java fails on mac aarch64 + JDK-8286969: Add a new test library API to execute kinit in SecurityTools.java + JDK-8287113: JFR: Periodic task thread uses period for method sampling events + JDK-8289511: Improve test coverage for XPath Axes: child + JDK-8289764: gc/lock tests failed with 'OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects' + JDK-8289948: Improve test coverage for XPath functions: Node Set Functions + JDK-8290399: [macos] Aqua LAF does not fire an action event if combo box menu is displayed + JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests failed with 'isUsageThresholdExceeded() returned false, and is still false, while threshold = MMMMMMM and used peak = NNNNNNN' + JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup required permissions for jtreg version 7 jar + JDK-8292946: GC lock/jni/jnilock001 test failed 'assert(gch->gc_cause() == GCCause::_scavenge_alot || !gch->incremental_collection_failed()) failed: Twice in a row' + JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with 'RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG' + JDK-8294158: HTML formatting for PassFailJFrame instructions + JDK-8294254: [macOS] javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java failure + JDK-8294402: Add diagnostic logging to VMProps.checkDockerSupport + JDK-8294535: Add screen capture functionality to PassFailJFrame + JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM + JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/ /AbstractDrbg/SpecTest.java intermittently timeout + JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java failed: ExceptionInInitializerError: target class not found + JDK-8300269: The selected item in an editable JComboBox with titled border is not visible in Aqua LAF + JDK-8300727: java/awt/List/ListGarbageCollectionTest/ /AwtListGarbageCollectionTest.java failed with 'List wasn't garbage collected' + JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + JDK-8301377: adjust timeout for JLI GetObjectSizeIntrinsicsTest.java subtest again + JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + JDK-8302017: Allocate BadPaddingException only if it will be thrown + JDK-8302109: Trivial fixes to btree tests + JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/TestAMEnotNPE.java + JDK-8302607: increase timeout for ContinuousCallSiteTargetChange.java + JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM + JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373 + JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1 + JDK-8305502: adjust timeouts in three more M&M tests + JDK-8305505: NPE in javazic compiler + JDK-8305972: Update XML Security for Java to 3.0.2 + JDK-8306072: Open source several AWT MouseInfo related tests + JDK-8306076: Open source AWT misc tests + JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent related tests + JDK-8306640: Open source several AWT TextArea related tests + JDK-8306652: Open source AWT MenuItem related tests + JDK-8306681: Open source more AWT DnD related tests + JDK-8306683: Open source several clipboard and color AWT tests + JDK-8306752: Open source several container and component AWT tests + JDK-8306753: Open source several container AWT tests + JDK-8306755: Open source few Swing JComponent and AbstractButton tests + JDK-8306812: Open source several AWT Miscellaneous tests + JDK-8306871: Open source more AWT Drag & Drop tests + JDK-8306996: Open source Swing MenuItem related tests + JDK-8307123: Fix deprecation warnings in DPrinter + JDK-8307130: Open source few Swing JMenu tests + JDK-8307299: Move more DnD tests to open + JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing JTableHeader tests + JDK-8307381: Open Source JFrame, JIF related Swing Tests + JDK-8307683: Loop Predication should not hoist range checks with trap on success projection by negating their condition + JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC while allocating + JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler .compile does not close files + JDK-8308223: failure handler missed jcmd.vm.info command + JDK-8308232: nsk/jdb tests don't pass -verbose flag to the debuggee + JDK-8308245: Add -proc:full to describe current default annotation processing policy + JDK-8308336: Test java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java failed: java.net.BindException: Address already in use + JDK-8309104: [JVMCI] compiler/unsafe/ /UnsafeGetStableArrayElement test asserts wrong values with Graal + JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/ /agentthr001/TestDescription.java crashing due to empty while loop + JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + JDK-8309870: Using -proc:full should be considered requesting explicit annotation processing + JDK-8310106: sun.security.ssl.SSLHandshake .getHandshakeProducer() incorrectly checks handshakeConsumers + JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/ /bug6889007.java fails + JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/ /interrupt001.java timed out due to missing prompt + JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + JDK-8311511: Improve description of NativeLibrary JFR event + JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + JDK-8313164: src/java.desktop/windows/native/libawt/windows/ /awt_Robot.cpp GetRGBPixels adjust releasing of resources + JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + JDK-8313643: Update HarfBuzz to 8.2.2 + JDK-8313816: Accessing jmethodID might lead to spurious crashes + JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + JDK-8314164: java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + JDK-8315042: NPE in PKCS7.parseOldSignedData + JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + JDK-8315594: Open source few headless Swing misc tests + JDK-8315600: Open source few more headless Swing misc tests + JDK-8315602: Open source swing security manager test + JDK-8315606: Open source few swing text/html tests + JDK-8315611: Open source swing text/html and tree test + JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + JDK-8315731: Open source several Swing Text related tests + JDK-8315761: Open source few swing JList and JMenuBar tests + JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/ /bug4654927.java: component must be showing on the screen to determine its location + JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + JDK-8316028: Update FreeType to 2.13.2 + JDK-8316030: Update Libpng to 1.6.40 + JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + JDK-8317307: test/jdk/com/sun/jndi/ldap/ /LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + JDK-8318154: Improve stability of WheelModifier.java test + JDK-8318410: jdk/java/lang/instrument/BootClassPath/ /BootClassPathTest.sh fails on Japanese Windows + JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with 'transport error 202: bind failed: Address already in use' + JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + JDK-8318951: Additional negative value check in JPEG decoding + JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + JDK-8318983: Fix comment typo in PKCS12Passwd.java + JDK-8319124: Update XML Security for Java to 3.0.3 + JDK-8319456: jdk/jfr/event/gc/collection/ /TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + JDK-8320208: Update Public Suffix List to b5bf572 + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + JDK-8320798: Console read line with zero out should zero out underlying buffer + JDK-8320884: Bump update version for OpenJDK: jdk-11.0.23 + JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + JDK-8321408: Add Certainly roots R1 and E1 + JDK-8321480: ISO 4217 Amendment 176 Update + JDK-8322178: Error. can't find jdk.testlibrary .SimpleSSLContext in test directory or libraries + JDK-8322417: Console read line with zero out should zero out when throwing exception + JDK-8322725: (tz) Update Timezone Data to 2023d + JDK-8322750: Test 'api/java_awt/interactive/ /SystemTrayTests.html' failed because A blue ball icon is added outside of the system tray + JDK-8322752: [11u] GetStackTraceAndRetransformTest.java is failing assert + JDK-8322772: Clean up code after JDK-8322417 + JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + JDK-8323515: Create test alias 'all' for all test roots + JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/ /platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + JDK-8324184: Windows VS2010 build failed with 'error C2275: 'int64_t'' + JDK-8324307: [11u] hotspot fails to build with GCC 12 and newer (non-static data member initializers) + JDK-8324347: Enable 'maybe-uninitialized' warning for FreeType 2.13.1 + JDK-8324659: GHA: Generic jtreg errors are not reported + JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/ /AKISerialNumber.java is failing + JDK-8325150: (tz) Update Timezone Data to 2024a + JDK-8326109: GCC 13 reports maybe-uninitialized warnings for jni.cpp with dtrace enabled + JDK-8326503: [11u] java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java fail because of package org.junit.jupiter.api does not exist + JDK-8327391: Add SipHash attribution file + JDK-8329837: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.23

• Removed the possibility to use the system timezone-java (bsc#1213470)

SUSE-CU-2024:1868-1

SUSE-CU-2024:1816-1

SUSE-CU-2024:1778-1

This update for ca-certificates fixes the following issue:

• Update version (bsc#1221184) * Use flock to serialize calls (bsc#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed

SUSE-CU-2024:1656-1

This update for glibc fixes the following issues:

• iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

SUSE-CU-2024:1592-1

SUSE-CU-2024:1499-1

SUSE-CU-2024:1456-1

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

SUSE-CU-2024:1412-1

This update for glibc fixes the following issues:

• duplocale: protect use of global locale (bsc#1220441, BZ #23970)

SUSE-CU-2024:1365-1

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)

SUSE-CU-2024:1251-1

SUSE-CU-2024:1217-1

SUSE-CU-2024:1131-1

SUSE-CU-2024:1054-1

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

SUSE-CU-2024:994-1

This update for glibc fixes the following issues:
Security issues fixed:

• qsort: harden handling of degenerated / non transient compare function (bsc#1218866)

• getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163)
• aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113)

SUSE-CU-2024:898-1

This update for giflib fixes the following issues:
Update to version 5.2.2

• Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
• #138 Documentation for obsolete utilities still installed
• #139: Typo in 'LZW image data' page ('110_2 = 4_10')
• #140: Typo in 'LZW image data' page ('LWZ')
• #141: Typo in 'Bits and bytes' page ('filed')
• Note as already fixed SF issue #143: cannot compile under mingw
• #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
• #145: Remove manual pages installation for binaries that are not installed too
• #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
• #147 [PATCH] Fixes to doc/whatsinagif/ content
• #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
• Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
• Declared Won't-fix on SF issue 149: Out of source builds no longer possible
• #151: A heap-buffer-overflow in gif2rgb.c:294:45
• #152: Fix some typos on the html documentation and man pages
• #153: Fix segmentation faults due to non correct checking for args
• #154: Recover the giffilter manual page
• #155: Add gifsponge docs
• #157: An OutofMemory-Exception or Memory Leak in gif2rgb
• #158: There is a null pointer problem in gif2rgb
• #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
• #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
• #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
• #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
• #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c

SUSE-CU-2024:840-1

This update for libssh fixes the following issues:

• Fix regression parsing IPv6 addresses provided as hostname (bsc#1220385)

SUSE-CU-2024:770-1

SUSE-CU-2024:718-1

This update for rpm fixes the following issues:

• backport lua support for rpm.execute to ease migrating from SLE Micro 5.5 to 6.0 (bsc#1216752)

SUSE-CU-2024:674-1

This update for mozilla-nss fixes the following issues:
Update to NSS 3.90.2:

• CVE-2023-5388: Fixed timing attack against RSA decryption in TLS (bsc#1216198)

SUSE-CU-2024:639-1

This update for openssl-1_1 fixes the following issues:

• CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

This update for libxml2 fixes the following issues:

• CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

SUSE-CU-2024:590-1

SUSE-CU-2024:524-1

SUSE-CU-2024:438-1

This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.22 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM due to a missing bounds check (bsc#1218907). - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class file verifier (bsc#1218903). - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM that could lead to corruption of JVM memory (bsc#1218905). - CVE-2024-20926: Fixed arbitrary Java code execution in Nashorn (bsc#1218906). - CVE-2024-20945: Fixed a potential private key leak through debug logs (bsc#1218909). - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029215.html

This update for aaa_base fixes the following issues:

• Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

This update for cpio fixes the following issues:

• Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

SUSE-CU-2024:388-1

This update for cpio fixes the following issues:

• CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571).

This update for util-linux fixes the following issues:

• Fix performance degradation (bsc#1207987)

SUSE-CU-2024:353-1

This update for systemd fixes the following issues:

• resolved: actually check authenticated flag of SOA transaction
• core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
• core: Add trace logging to mount_add_device_dependencies()
• core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
• core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
• core: wrap some long comment
• utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
• utmp-wtmp: Fix error in case isatty() fails
• homed: Handle EINTR gracefully when waiting for device node
• resolved: Handle EINTR returned from fd_wait_for_event() better
• sd-netlink: Handle EINTR from poll() gracefully, as success
• varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
• stdio-bridge: Don't be bothered with EINTR
• sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
• core: Replace slice dependencies as they get added (bsc#1214668)

SUSE-CU-2024:300-1

SUSE-CU-2024:263-1

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
• Check localtime_r() return value to fix crashing (bsc#1217000)

This update for libssh fixes the following issues:
Security fixes:
- CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209) - CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126) - CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186) - CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188) - CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)
Other fixes:

• Update to version 0.9.8 - Allow @ in usernames when parsing from URI composes

• Update to version 0.9.7 - Fix several memory leaks in GSSAPI handling code

SUSE-CU-2024:203-1

SUSE-CU-2024:179-1

SUSE-CU-2024:117-1

This update for tar fixes the following issues:

• CVE-2023-39804: Fixed extension attributes in PAX archives incorrect hanling (bsc#1217969).

SUSE-CU-2024:116-1

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

SUSE-CU-2024:54-1

This update for mozilla-nss fixes the following issues:
Mozilla NSS was updated to NSS 3.90.1

• regenerate NameConstraints test certificates.
• add OSXSAVE and XCR0 tests to AVX2 detection.

SUSE-CU-2024:23-1

SUSE-CU-2023:4289-1

This update for curl fixes the following issues:

• libssh: Implement SFTP packet size limit (bsc#1216987)

SUSE-CU-2023:4215-1

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

SUSE-CU-2023:4155-1

SUSE-CU-2023:4093-1

This update for p11-kit fixes the following issues:

• Ensure that programs using can be compiled with CRYPTOKI_GNU. Fixes GnuTLS builds (jsc#PED-6705).

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

SUSE-CU-2023:4031-1

This update for curl fixes the following issues:

• CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
• CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

This update of man fixes the following problem:

• The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages.

SUSE-CU-2023:3961-1

This update for javapackages-tools fixes the following issues:

• Add requirement for `python-xml` as it is needed by some scripts
• Ensure reproducibility of built binaries
• Minor bug fixes

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

SUSE-CU-2023:3873-1

SUSE-CU-2023:3820-1

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

SUSE-CU-2023:3747-1

This update for crypto-policies fixes the following issues:
- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

SUSE-CU-2023:3653-1

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

SUSE-CU-2023:3602-1

SUSE-CU-2023:3569-1

This update for java-11-openjdk fixes the following issues:

• Upgraded to JDK 11.0.21+9 (October 2023 CPU):

This update for nghttp2 fixes the following issues:

• CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

SUSE-CU-2023:3542-1

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

SUSE-CU-2023:3515-1

This update for rpm fixes the following issue:

• Enables build for all python modules (jsc#PED-68, jsc#PED-1988)

This update for openssl-1_1 fixes the following issues:

• Displays 'fips' in the version string (bsc#1215215)

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

This update provides rebuilds of various packages against the newer icu73 to support GB18030-2023.
This set contains libreoffice, various libraries used by libreoffice and GNOME, and brltty.

This update for systemd fixes the following issues:

• Fix mismatch of nss-resolve version in Package Hub (no source code changes)

This update for aaa_base fixes the following issues:

• Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

SUSE-CU-2023:3383-1

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for curl fixes the following issues:

• CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
• CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

SUSE-CU-2023:3352-1

This update for nghttp2 fixes the following issues:

• CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).

SUSE-CU-2023:3292-1

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

This update for libX11 fixes the following issues:

• CVE-2023-43786: Fixed stack exhaustion from infinite recursion in PutSubImage() (bsc#1215684).
• CVE-2023-43787: Fixed integer overflow in XCreateImage() leading to a heap overflow (bsc#1215685).
• CVE-2023-43785: Fixed out-of-bounds memory access in _XkbReadKeySyms() (bsc#1215683).

SUSE-CU-2023:3182-1

This update for glibc fixes the following issues:

• nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
• Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
• elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
• elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
• ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
• add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

This update for curl fixes the following issues:

• CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

SUSE-CU-2023:3135-1

SUSE-CU-2023:3068-1

This update for java-11-openjdk fixes the following issues:

• Fix a regression where the validation would reject valid zip64 (zip with 64-bit offset extensions)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

SUSE-CU-2023:2990-1

This update for sysuser-tools fixes the following issues:

• Update to version 3.2
• Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
• Add 'quilt setup' friendly hint to %sysusers_requires usage
• Use append so if a pre file already exists it isn't overridden
• Invoke bash for bash scripts (bsc#1195391)
• Remove all systemd requires not supported on SLE15 (bsc#1214140)

SUSE-CU-2023:2951-1

This update for crypto-policies fixes the following issues:

• Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. (bsc#1209998)

SUSE-CU-2023:2891-1

SUSE-CU-2023:2839-1

SUSE-CU-2023:2812-1

This update for audit fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
• Fix rules not loaded when restarting auditd.service (bsc#1204844)

This update for systemd fixes the following issues:

• Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
• Decrease devlink priority for iso disks (bsc#1213185)
• Do not ignore mount point paths longer than 255 characters (bsc#1208194)
• Refuse hibernation if there's no possible way to resume (bsc#1186606)
• Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
• Drop some entries no longer needed by YaST (bsc#1194609)
• The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
• Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

This update for freetype2 fixes the following issues:

• CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).

SUSE-CU-2023:2697-1

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

SUSE-CU-2023:2642-1

This update for shadow fixes the following issues:

• Prevent lock files from remaining after power interruptions (bsc#1213189)
• Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

This update for java-11-openjdk fixes the following issues:
Updated to jdk-11.0.20+8 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473). - CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474). - CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475). - CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479). - CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481). - CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482). - CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8298676: Enhanced Look and Feel - JDK-8300285: Enhance TLS data handling - JDK-8300596: Enhance Jar Signature validation - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1 - JDK-8302475: Enhance HTTP client file downloading - JDK-8302483: Enhance ZIP performance - JDK-8303376: Better launching of JDI - JDK-8304468: Better array usages - JDK-8305312: Enhanced path handling - JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8171426: java/lang/ProcessBuilder/Basic.java failed with Stream closed - JDK-8178806: Better exception logging in crypto code - JDK-8187522: test/sun/net/ftp/FtpURLConnectionLeak.java timed out - JDK-8209167: Use CLDR's time zone mappings for Windows - JDK-8209546: Make sun/security/tools/keytool/autotest.sh to support macosx - JDK-8209880: tzdb.dat is not reproducibly built - JDK-8213531: Test javax/swing/border/TestTitledBorderLeak.java fails - JDK-8214459: NSS source should be removed - JDK-8214807: Improve handling of very old class files - JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from tests - JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded - JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle - JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError - JDK-8232853: AuthenticationFilter.Cache::remove may throw ConcurrentModificationException - JDK-8243936: NonWriteable system properties are actually writeable - JDK-8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider - JDK-8248701: On Windows generated modules-deps.gmk can contain backslash-r (CR) characters - JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates - JDK-8259530: Generated docs contain MIT/GPL-licenced works without reproducing the licence - JDK-8263420: Incorrect function name in NSAccessibilityStaticText native peer implementation - JDK-8264290: Create implementation for NSAccessibilityComponentGroup protocol peer - JDK-8264304: Create implementation for NSAccessibilityToolbar protocol peer - JDK-8265486: ProblemList javax/sound/midi/Sequencer/ /Recording.java on macosx-aarch64 - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped - JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input? - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile - JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression - JDK-8275721: Name of UTC timezone in a locale changes depending on previous code - JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit) - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir as unnecessary - JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905 - JDK-8278434: timeouts in test java/time/test/java/time/format/ /TestZoneTextPrinterParser.java - JDK-8280703: CipherCore.doFinal(...) causes potentially massive byte[] allocations during decryption - JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error - JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test - JDK-8282467: add extra diagnostics for JDK-8268184 - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary - JDK-8283059: Uninitialized warning in check_code.c with GCC 11.2 - JDK-8285497: Add system property for Java SE specification maintenance version - JDK-8286398: Address possibly lossy conversions in jdk.internal.le - JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code - JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider - JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable - JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies - JDK-8289301: P11Cipher should not throw out of bounds exception during padding - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067 - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately - JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected - JDK-8293232: Fix race condition in pkcs11 SessionManager - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation - JDK-8294548: Problem list SA core file tests on macosx-x64 due to JDK-8294316 - JDK-8294906: Memory leak in PKCS11 NSS TLS server - JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames - JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not - JDK-8297000: [jib] Add more friendly warning for proxy issues - JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors - JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument - JDK-8300205: Swing test bug8078268 make latch timeout configurable - JDK-8300490: Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550 - JDK-8301119: Support for GB18030-2022 - JDK-8301170: perfMemory_windows.cpp add free_security_attr to early returns - JDK-8301401: Allow additional characters for GB18030-2022 support - JDK-8302151: BMPImageReader throws an exception reading BMP images - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message - JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20 - JDK-8303440: The 'ZonedDateTime.parse' may not accept the 'UTC+XX' zone id - JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates - JDK-8303476: Add the runtime version in the release file of a JDK image - JDK-8303482: Update LCMS to 2.15 - JDK-8303564: C2: 'Bad graph detected in build_loop_late' after a CMove is wrongly split thru phi - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303822: gtestMain should give more helpful output - JDK-8303861: Error handling step timeouts should never be blocked by OnError and others - JDK-8303937: Corrupted heap dumps due to missing retries for os::write() - JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype - JDK-8304291: [AIX] Broken build after JDK-8301998 - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998 - JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0 - JDK-8304760: Add 2 Microsoft TLS roots - JDK-8305113: (tz) Update Timezone Data to 2023c - JDK-8305400: ISO 4217 Amendment 175 Update - JDK-8305528: [11u] Backport of JDK-8259530 breaks build with JDK10 bootstrap VM - JDK-8305682: Update the javadoc in the Character class to state support for GB 18030-2022 Implementation Level 2 - JDK-8305711: Arm: C2 always enters slowpath for monitorexit - JDK-8305721: add `make compile-commands` artifacts to .gitignore - JDK-8305975: Add TWCA Global Root CA - JDK-8306543: GHA: MSVC installation is failing - JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed - JDK-8306664: GHA: Update MSVC version to latest stepping - JDK-8306768: CodeCache Analytics reports wrong threshold - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep - JDK-8307134: Add GTS root CAs - JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest fails after backport of JDK-8303861 - JDK-8308006: Missing NMT memory tagging in CMS - JDK-8308884: [17u/11u] Backout JDK-8297951 - JDK-8309476: [11u] tools/jmod/hashes/HashesOrderTest.java fails intermittently - JDK-8311465: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20

SUSE-CU-2023:2607-1

SUSE-CU-2023:2558-1

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

SUSE-CU-2023:2504-1

This update for openssl-1_1 fixes the following issues:

• Dont pass zero length input to EVP_Cipher (bsc#1213517)

SUSE-CU-2023:2445-1

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

SUSE-CU-2023:2372-1

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for curl fixes the following issues:

• CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

SUSE-CU-2023:2325-1

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for audit fixes the following issues:

• Check for AF_UNIX unnamed sockets (bsc#1210004)
• Enable livepatching on main library on x86_64

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

SUSE-CU-2023:2280-1

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.90:

• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Use __STDC_VERSION__ rather than __STDC__ as a guard
• Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

SUSE-CU-2023:2253-1

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.35

• fixes for building with clang
• use the number of online processors for the PR_GetNumberOfProcessors() API on some platforms
• fix build on mips+musl libc
• Add support for the LoongArch 64-bit architecture

• clang-format lib/freebl/stubs.c
• Add a constant time select function
• Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
• output early build errors by default
• Update the technical constraints for KamuSM
• Add BJCA Global Root CA1 and CA2 root certificates
• Enable default UBSan Checks
• Add explicit handling of zero length records
• Tidy up DTLS ACK Error Handling Path
• Refactor zero length record tests
• Fix compiler warning via correct assert
• run linux tests on nss-t/t-linux-xlarge-gcp
• In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
• Fix reading raw negative numbers
• Repairing unreachable code in clang built with gyp
• Integrate Vale Curve25519
• Removing unused flags for Hacl*
• Adding a better error message
• Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
• Fall back to the softokn when writing certificate trust
• FIPS-104-3 requires we restart post programmatically
• cmd/ecperf: fix dangling pointer warning on gcc 13
• Update ACVP dockerfile for compatibility with debian package changes
• Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
• Removed deprecated sprintf function and replaced with snprintf
• fix rst warnings in nss doc
• Fix incorrect pygment style
• Change GYP directive to apply across platforms
• Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

• Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

• Update the technical constraints for KamuSM.
• Add BJCA Global Root CA1 and CA2 root certificates.

• revert freebl/softoken RSA_MIN_MODULUS_BITS increase
• PR_STATIC_ASSERT is cursed
• Need to add policy control to keys lengths for signatures
• Fix unreachable code warning in fuzz builds
• Fix various compiler warnings in NSS
• Enable various compiler warnings for clang builds
• set PORT error after sftk_HMACCmp failure
• Need to add policy control to keys lengths for signatures
• remove data length assertion in sec_PKCS7Decrypt
• Make high tag number assertion failure an error
• CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
• Tolerate certificate_authorities xtn in ClientHello
• Fix build failure on Windows
• migrate Win 2012 tasks to Azure
• fix title length in doc
• Add interop tests for HRR and PSK to GREASE suite
• Add presence/absence tests for TLS GREASE
• Correct addition of GREASE value to ALPN xtn
• CH extension permutation
• TLS GREASE (RFC8701)
• improve handling of unknown PKCS#12 safe bag types
• use a different treeherder symbol for each docker image build task
• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag
• build failure while implicitly casting SECStatus to PRUInt32

• improve handling of unknown PKCS#12 safe bag types

• remove nested table in rst doc
• Export NSS_CMSSignerInfo_GetDigestAlgTag.
• build failure while implicitly casting SECStatus to PRUInt32
• Add check for ClientHello SID max length
• Added EarlyData ALPN test support to BoGo shim
• ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
• On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
• ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
• Added Bogo ECH rejection test support
• Added ECH 0Rtt support to BoGo shim
• RSA OAEP Wycheproof JSON
• RSA decrypt Wycheproof JSON
• ECDSA Wycheproof JSON
• ECDH Wycheproof JSON
• PKCS#1v1.5 wycheproof json
• Use X25519 wycheproof json
• Move scripts to python3
• Properly link FuzzingEngine for oss-fuzz.
• Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
• NSS needs to move off of DSA for integrity checks
• Add initial testing with ACVP vector sets using acvp-rust
• Don't clone libFuzzer, rely on clang instead

• NULL password encoding incorrect
• Fix rng stub signature for fuzzing builds
• Updating the compiler parsing for build
• Modification of supported compilers
• tstclnt crashes when accessing gnutls server without a user cert in the database.
• Add configuration option to enable source-based coverage sanitizer
• Update ECCKiila generated files.
• Add support for the LoongArch 64-bit architecture
• add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
• Additional zero-length RSA modulus checks

• conscious language removal in NSS
• Set nssckbi version number to 2.60
• Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
• Remove Staat der Nederlanden EV Root CA from NSS
• Remove EC-ACC root cert from NSS
• Remove SwissSign Platinum CA - G2 from NSS
• Remove Network Solutions Certificate Authority
• compress docker image artifact with zstd
• Migrate nss from AWS to GCP
• Enable static builds in the CI
• Removing SAW docker from the NSS build system
• Initialising variables in the rsa blinding code
• Implementation of the double-signing of the message for ECDSA
• Adding exponent blinding for RSA.

• Modification of the primes.c and dhe-params.c in order to have better looking tables
• Update zlib in NSS to 1.2.13
• Skip building modutil and shlibsign when building in Firefox
• Mark _nss_version_c unused on clang-cl
• bmo#1795668 - Remove redundant variable definitions in lowhashtest
• Add note about python executable to build instructions.

• Bump minimum NSPR version to 4.35
• Add a flag to disable building libnssckbi.

• Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
• Set nssckbi version number to 2.58
• Add two SECOM root certificates to NSS
• Add two DigitalSign root certificates to NSS
• Remove Camerfirma Global Chambersign Root from NSS
• Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
• Removed skipping of ECH on equality of private and public server name
• Added comment and bug reference to ECHRandomHRRExtension bogo test
• Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
• Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing
• Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo
• Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
• Update BoGo tests to recent BoringSSL version
• Bump minimum NSPR version to 4.34.1

• check for null template in sec_asn1{d,e}_push_state
• QuickDER: Forbid NULL tags with non-zero length
• Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
• Cast the result of GetProcAddress
• pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

• Enable aarch64 hardware crypto support on OpenBSD
• make NSS_SecureMemcmp 0/1 valued
• Add no_application_protocol alert handler and test client error code is set
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
• required for Firefox 104

• raised NSPR requirement to 4.34.1

• changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

• Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
• Add support for asynchronous client auth hooks.
• nss-policy-check: make unknown keyword check optional.
• GatherBuffer: Reduced plaintext buffer allocations

SUSE-CU-2023:2231-1

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

SUSE-CU-2023:2176-1

SUSE-CU-2023:2128-1

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

• Update further expiring certificates that affect tests (bsc#1201627)

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

SUSE-CU-2023:2093-1

This update for libX11 fixes the following issues:

• CVE-2023-3138: Fixed buffer overflows in InitExt.c (bsc#1212102).

SUSE-CU-2023:2074-1

SUSE-CU-2023:2025-1

SUSE-CU-2023:1977-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This java-11-openjdk update to version jdk-11+24 fixes the following issues:
Security issues fixed:

• CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645).
• CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651).
• CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655).
• CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656).

This update for libX11 fixes the following security issues:

• CVE-2018-14599: The function XListExtensions was vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact (bsc#1102062)
• CVE-2018-14600: The function XListExtensions interpreted a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution (bsc#1102068)
• CVE-2018-14598: A malicious server could have sent a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault) (bsc#1102073)

This update for java-11-openjdk fixes the following issues:
Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)
Security fixes:

• S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support
• S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses
• S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups
• S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability
• S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again
• S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks
• S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound
• S8194534, CVE-2018-3136, bsc#1112142: Manifest better support
• S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates
• S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection

• S8194546: Choosier FileManagers
• S8195874: Improve jar specification adherence
• S8196897: Improve PRNG support
• S8197881: Better StringBuilder support
• S8201756: Improve cipher inputs
• S8203654: Improve cypher state updates
• S8204497: Better formatting of decimals
• S8200666: Improve LDAP support
• S8199110: Address Internet Addresses

• S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
• S8207838: AArch64: Float registers incorrectly restored in JNI call
• S8209637: [s390x] Interpreter doesn't call result handler after native calls
• S8209670: CompilerThread releasing code buffer in destructor is unsafe
• S8209735: Disable avx512 by default
• S8209806: API docs should be updated to refer to javase11
• Report version without the '-internal' postfix

• Don't build against gdk making the accessibility depend on a particular version of gtk.

• S8031761: [TESTBUG] Add a regression test for JDK-8026328
• S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with 'unexpected values of outer fields of the class' when running with -Xcomp
• S8164639: Configure PKCS11 tests to use user-supplied NSS libraries
• S8189667: Desktop#moveToTrash expects incorrect '<>' FilePermission
• S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp
• S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode
• S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice
• S8201394: Update java.se module summary to reflect removal of java.se.ee module
• S8204931: Colors with alpha are painted incorrectly on Linux
• S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1
• S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior
• S8205687: TimeoutHandler generates huge core files
• S8206176: Remove the temporary tls13VN field
• S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found
• S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale.
• S8207009: TLS 1.3 half-close and synchronization issues
• S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch
• S8207139: NMT is not enabled on Windows 2016/10
• S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
• S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator
• S8207746: C2: Lucene crashes on AVX512 instruction
• S8207765: HeapMonitorTest.java intermittent failure
• S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test' possibly violation of JVMS 4.7.1
• S8207948: JDK 11 L10n resource file update msg drop 10
• S8207966: HttpClient response without content-length does not return body
• S8208125: Cannot input text into JOptionPane Text Input Dialog
• S8208164: (str) improve specification of String::lines
• S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
• S8208189: ProblemList compiler/graalunit/JttThreadsTest.java
• S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!'
• S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java
• S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64
• S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java
• S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java
• S8208353: Upgrade JDK 11 to libpng 1.6.35
• S8208358: update bug ids mentioned in tests
• S8208370: fix typo in ReservedStack tests' @requires
• S8208391: Differentiate response and connect timeouts in HTTP Client API
• S8208466: Fix potential memory leak in harfbuzz shaping.
• S8208496: New Test to verify concurrent behavior of TLS.
• S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!'
• S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard.
• S8208663: JDK 11 L10n resource file update msg drop 20
• S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization
• S8208691: Tighten up jdk.includeInExceptions security property
• S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms
• S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing
• S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout
• S8209451: Please change jdk 11 milestone to FCS
• S8209452: VerifyCACerts.java failed with 'At least one cacert test failed'
• S8209506: Add Google Trust Services GlobalSign root certificates
• S8209537: Two security tests failed after JDK-8164639 due to dependency was missed

This update for libxcb provides the following fix:

• Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for java-11-openjdk fixes the following issues:
Merge into the JDK following modules from github.com/javaee:

• com.sum.xml.fastinfoset
• org.jvnet.staxex
• com.sun.istack.runtime
• com.sun.xml.txw2
• com.sun.xml.bind

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:
Security issues fixed:

• CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
• CVE-2019-2426: Improve web server connections
• CVE-2018-11212: Improve JPEG processing (bsc#1122299)
• Better route routing
• Better interface enumeration
• Better interface lists
• Improve BigDecimal support
• Improve robot support
• Better icon support
• Choose printer defaults
• Proper allocation handling
• Initial class initialization
• More reliable p11 transactions
• Improve NIO stability
• Better loading of classloader classes
• Strengthen Windows Access Bridge Support
• Improved data set handling
• Improved LSA authentication
• Libsunmscapi improved interactions

• Do not resolve by default the added JavaEE modules (bsc#1120431)
• ~2.5% regression on compression benchmark starting with 12-b11
• java.net.http.HttpClient hangs on 204 reply without Content-length 0
• Add additional TeliaSonera root certificate
• Add more ld preloading related info to hs_error file on Linux
• Add test to exercise server-side client hello processing
• AES encrypt performance regression in jdk11b11
• AIX: ProcessBuilder: Piping between created processes does not work.
• AIX: Some class library files are missing the Classpath exception
• AppCDS crashes for some uses with JRuby
• Automate vtable/itable stub size calculation
• BarrierSetC1::generate_referent_check() confuses register allocator
• Better HTTP Redirection
• Catastrophic size_t underflow in BitMap::*_large methods
• Clip.isRunning() may return true after Clip.stop() was called
• Compiler thread creation should be bounded by available space in memory and Code Cache
• com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code
• Default mask register for avx512 instructions
• Delayed starting of debugging via jcmd
• Disable all DES cipher suites
• Disable anon and NULL cipher suites
• Disable unsupported GCs for Zero
• Epsilon alignment adjustments can overflow max TLAB size
• Epsilon elastic TLAB sizing may cause misalignment
• HotSpot update for vm_version.cpp to recognise updated VS2017
• HttpClient does not retrieve files with large sizes over HTTP/1.1
• IIOException 'tEXt chunk length is not proper' on opening png file
• Improve TLS connection stability again
• InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
• Inspect stack during error reporting
• Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
• Introduce diagnostic flag to abort VM on failed JIT compilation
• Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
• jar has issues with UNC-path arguments for the jar -C parameter [windows]
• java.net.http HTTP client should allow specifying Origin and Referer headers
• java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
• JDK 11.0.1 l10n resource file update
• JDWP Transport Listener: dt_socket thread crash
• JVMTI ResourceExhausted should not be posted in CompilerThread
• LDAPS communication failure with jdk 1.8.0_181
• linux: Poor StrictMath performance due to non-optimized compilation
• Missing synchronization when reading counters for live threads and peak thread count
• NPE in SupportedGroupsExtension
• OpenDataException thrown when constructing CompositeData for StackTraceElement
• Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
• Populate handlers while holding streamHandlerLock
• ppc64: Enable POWER9 CPU detection
• print_location is not reliable enough (printing register info)
• Reconsider default option for ClassPathURLCheck change done in JDK-8195874
• Register to register spill may use AVX 512 move instruction on unsupported platform.
• s390: Use of shift operators not covered by cpp standard
• serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
• SIGBUS in CodeHeapState::print_names()
• SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
• Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
• Swing apps are slow if displaying from a remote source to many local displays
• switch jtreg to 4.2b13
• Test library OSInfo.getSolarisVersion cannot determine Solaris version
• TestOptionsWithRanges.java is very slow
• TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently
• The Japanese message of FileNotFoundException garbled
• The 'supported_groups' extension in ServerHellos
• ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
• TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
• TLS 1.2 Support algorithm in SunPKCS11 provider
• TLS 1.3 handshake server name indication is missing on a session resume
• TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
• TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
• tz: Upgrade time-zone data to tzdata2018g
• Undefined behaviour in ADLC
• Update avx512 implementation
• URLStreamHandler initialization race
• UseCompressedOops requirement check fails fails on 32-bit system
• windows: Update OS detection code to recognize Windows Server 2019
• x86: assert on unbound assembler Labels used as branch targets
• x86: jck tests for ldc2_w bytecode fail
• x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
• '-XX:OnOutOfMemoryError' uses fork instead of vfork

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for java-11-openjdk to version 11.0.3+7 fixes the following issues:
Security issues fixed:

• CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728).
• CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732).

• Multiple bug fixes and improvements.

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for java-11-openjdk fixes the following issues:

• Require update-ca-certificates by the headless subpackage (bsc#1131378)
• Removed a font rendering patch with broke related to other font changes.

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for libtasn1 fixes the following issues:
Security issue fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

This update for libpng16 fixes the following issues:
Security issues fixed:

• CVE-2019-7317: Fixed a use-after-free vulnerability, triggered when png_image_free() was called under png_safe_execute (bsc#1124211).
• CVE-2018-13785: Fixed a wrong calculation of row_factor in the png_check_chunk_length function in pngrutil.c, which could haved triggered and integer overflow and result in an divide-by-zero while processing a crafted PNG file, leading to a denial of service (bsc#1100687)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update ships the OpenJDK LTS version 11 in the java-11-openjdk packages. (FATE#326347 bsc#1137264)

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for java-11-openjdk to version jdk-11.0.4+11 fixes the following issues:
Security issues fixed:

• CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
• CVE-2019-2762: Exceptional throw cases (bsc#1141782).
• CVE-2019-2766: Improve file protocol handling (bsc#1141789).
• CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
• CVE-2019-2786: More limited privilege usage (bsc#1141787).
• CVE-2019-7317: Improve PNG support options (bsc#1141780).
• CVE-2019-2818: Better Poly1305 support (bsc#1141788).
• CVE-2019-2816: Normalize normalization (bsc#1141785).
• CVE-2019-2821: Improve TLS negotiation (bsc#1141781).
• Certificate validation improvements

• Do not fail installation when the manpages are not present (bsc#1115375)
• Backport upstream fix for JDK-8208602: Cannot read PEM X.509 cert if there is whitespace after the header or footer (bsc#1140461)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

• New function in pk11pub.h: PK11_FindRawCertsWithSubject
• The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374)
• Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
• Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
• Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
• Add IPSEC IKE support to softoken (bmo#1546229)
• Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
• Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
• Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

• Changed prbit.h to use builtin function on aarch64.
• Removed Gonk/B2G references.

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).