Container summary for bci/openjdk-devel

• Package rebuilt to account for the new jakarta-inject dependency

• Fixed build with jakarta-inject, which was introduced as a new google-guice dependency

• Use plexus-metadata-generator executable directly to simplify build classpath

• Removed dependency on plexus-metadata-generator, plexus-component-metadata and on their dependencies, since there is no plexus @Component annotation any more

• Added dependency on jakarta-inject, needed by google-guice 6.0.0

• Added dependency on plexus-xml where relevant

• Changes in version 2.2.0:

• Changes in version 2.1.1:

• Changes in version 4.0.0:

• Changes in version 3.0.1:

• Require the new plexus-xml package to fix build

• Provide plexus-containers-container-default for easier update
• Add dependency on plexus-xml where relevant
• Changes of sisu version 0.9.0.M3:

• Changes of sisu version 0.9.0.M2:

• Changes of sisu.inject version 9.0.M1:

• Changes of sisu.plexus version 0.9.0.M2:

• Changes of sisu.plexus version 0.9.0.M1:

• Build sisu-mojos within sisu package, since the sources of sisu-mojos, sisu-inject and sisu-plexus were joined in the same upstream project

This update of libxkbcommon fixes the following issue:

• ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)

SUSE-CU-2024:3241-1

This update for java-21-openjdk fixes the following issues:
Updated to version 21.0.4+7 (July 2024 CPU):

• CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
• CVE-2024-21138: Fixed an infinite loop due to excessive symbol length (bsc#1228047).
• CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check Elimination (bsc#1228048).
• CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling (bsc#1228052).
• CVE-2024-21145: Fixed an index overflow in RangeCheckElimination (bsc#1228051).

SUSE-CU-2024:3201-1

SUSE-CU-2024:3132-1

SUSE-CU-2024:3072-1

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-CU-2024:3024-1

SUSE-CU-2024:2991-1

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for procps fixes the following issues:

• Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

This update for procps fixes the following issues:

• Support up to 2048 CPU as well. (bsc#1185417)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for gawk fixes the following issues:

• CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for procps fixes the following issues:

• Update procps to 3.3.17 (jsc#PED-3244 jsc#PED-6369)

• For support up to 2048 CPU as well (bsc#1185417)
• Allow `-´ as leading character to ignore possible errors on systctl entries (bsc#1209122)
• Get the first CPU summary correct (bsc#1121753)
• Enable pidof for SLE-15 as this is provided by sysvinit-tools
• Use a check on syscall __NR_pidfd_open to decide if the pwait tool and its manual page will be build
• Do not truncate output of w with option -n
• Prefer logind over utmp (jsc#PED-3144)
• Don't install translated man pages for non-installed binaries (uptime, kill).
• Fix directory for Ukrainian man pages translations.
• Move localized man pages to lang package.

• Update to procps-ng-3.3.17

• Package translations in procps-lang.

• Fix pgrep: cannot allocate 4611686018427387903 bytes when ulimit -s is unlimited.

• Enable pidof by default

• Update to procps-ng-3.3.16

This update for byte-buddy, javadoc-parser, jurand, modulemaker-maven-plugin, open-test-reporting, plexus-xml fixes the following issues:
byte-buddy:

• New RPM package implementation at version 1.14.13

• New RPM package implementation at version 0.3.1

• New RPM package implementation at version 1.3.2

• New RPM package implementation at version 1.11

• New RPM package implementation at version 0.1.0-M2

• New RPM package implementation at version 3.0.0

This update for Java fixes the following issues:
javadoc-parser:

• Deliver javadoc-parser RPM package to meet new dependency requirements (no source changes)

• Build against the plexus-build-api0 package containing sonatype plexus build api
• Version 3.3.2: * Changes:

• Version 3.3.1:

• Version 3.3.0:

• Build against the plexus-build-api0 package containing sonatype plexus build api
• Added dependency on plexus-xml where relevant

• Build against the new codehaus plexus build api 1.2.0
• Build all modello plugins
• Version 2.4.0:

• Version 2.3.0:

• Version 2.2.0:

• Add dependency on plexus-xml where relevant

• Version 1.2.0:

• New package

• Deliver plexus-xml RPM package to meet new dependency requirements (no source changes)

This update for Gradle and Maven fixes the following issues:
gradle-bootstrap:

• Regenerate to account for the new plexus-xml dependency

• Fixed build with the `plexus-xml` split from plexus-utils

• Added dependency on `plexus-xml` where relevant
• Removed unnecessary dependency on xmvn tools and parent pom

• Added dependency on `plexus-xml` where relevant

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

This update for util-linux fixes the following issue:

• Fix hang of lscpu -e (bsc#1225598)

This update for systemd contains the following fixes:

• testsuite: move a misplaced %endif

• Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415).

• Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree.

• Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc

This update for Java fixes the following issues:
maven-file-management:

• Use sisu-plexus instead of plexus-containers-container-default
• Added dependency on plexus-xml where relevant
• Removed unnecessary dependency on xmvn tools and parent pom

• Do not add PROVIDED dependency on plexus-container-default
• Use sisu-plexus instead of plexus-containers-container-default
• Removed unnecessary dependency on xmvn tools and parent pom

• Use sisu-plexus instead of plexus-containers-container-default
• Fixed build with both sisu-plexus and plexus-containers-container-default
• Require the new plexus-xml package to fix build

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact in order to avoid conflict/choise of providers
• Checked exception converted to raw runtime
• PrettyPrintXmlWriter output is platform dependent
• Deprecated StringUtils.unifyLineSeparator
• Fixed environment variable with null value
• Dependencies upgraded: * Upgraded Jansi to 2.0.1 * Upgraded Jansi to 2.2.0

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus to avoid conflict/choise of providers
• Use sisu-plexus instead of plexus-containers-container-default
• Fixed the code to build both with sisu-plexus and plexus-containers-container-default.

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus to avoid conflict/choise of providers
• Use sisu-plexus instead of plexus-containers-container-default

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers

• Use sisu-plexus instead of plexus-containers-container-default

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers
• Use sisu-plexus instead of plexus-containers-container-default

• Removed unnecessary dependency on plexus-containers-container-default
• Add dependency on plexus-xml where relevant
• Build with source and target levels 8

• Use the org.eclipse.sisu:org.eclipse.sisu.plexus artifact to avoid conflict/choise of providers
• Use sisu-plexus instead of plexus-containers-container-default

• Fixed build with maven-plugin-plugin
• Fixed build with snakeyaml 2.2

This update for git fixes the following issues:

• CVE-2024-32002: Fix recursive clones on case-insensitive filesystems that support symbolic links are susceptible to case confusion. (bsc#1224168)
• CVE-2024-32004: Fixed arbitrary code execution during local clones. (bsc#1224170)
• CVE-2024-32020: Fix file overwriting vulnerability during local clones. (bsc#1224171)
• CVE-2024-32021: Git may create hardlinks to arbitrary user-readable files. (bsc#1224172)
• CVE-2024-32465: Fixed arbitrary code execution during clone operations. (bsc#1224173)

This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5.
This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

SUSE-CU-2024:2800-1

This update for less fixes the following issues:

• CVE-2024-32487: Fixed OS command injection via a newline character in the file name. (bsc#1222849)

This update for openssl-3 fixes the following issues:
Security issues fixed:

• CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

• Enable livepatching support (bsc#1223428)
• Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456)

SUSE-CU-2024:2682-1

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

SUSE-CU-2024:2617-1

This update for e2fsprogs fixes the following issues:

• EA Inode handling fixes: - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596)

SUSE-CU-2024:2607-1

This update for google-errorprone, guava fixes the following issues:
guava:

• guava was updated to version 33.1.0:

• Fix version mismatch in the ant build files.
• The binaries are compatible with java 1.8

• google-errorprone and google-errorprone-annotations were updated to version 2.26.1:

• Do not require maven-javadoc-plugin as it's not being used

SUSE-CU-2024:2598-1

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)

This update for glibc fixes the following issues:

• Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)

SUSE-CU-2024:2556-1

SUSE-CU-2024:2536-1

This update for libxcb provides the following fix:

• Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for libtasn1 fixes the following issues:
Security issue fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :

• New function in pk11pub.h: PK11_FindRawCertsWithSubject
• The following CA certificates were Removed: CN = Certinomis - Root CA (bmo#1552374)
• Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403) This adds a new experimental function SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360). Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
• Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
• Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
• Add IPSEC IKE support to softoken (bmo#1546229)
• Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
• Expose an external clock for SSL (bmo#1543874) This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed.
• Various changes in response to the ongoing FIPS review (bmo#1546477) Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

• Changed prbit.h to use builtin function on aarch64.
• Removed Gonk/B2G references.

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:

• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
• CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
• CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).

• Whitespace in C files was cleaned up and no longer uses tab characters for indenting.

This update for libXi fixes the following issue:

• The libXi6-32bit library on x86_64 are now shipped in the Basesystem module. (bsc#1153311)

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for freetype2 to version 2.10.1 fixes the following issues:
Security issue fixed:

• CVE-2018-6942: Fixed a NULL pointer dereference within ttinerp.c (bsc#1079603).

• Update to version 2.10.1 * The bytecode hinting of OpenType variation fonts was flawed, since the data in the `CVAR' table wasn't correctly applied. * Auto-hinter support for Mongolian. * The handling of the default character in PCF fonts as introduced in version 2.10.0 was partially broken, causing premature abortion of charmap iteration for many fonts. * If `FT_Set_Named_Instance' was called with the same arguments twice in a row, the function returned an incorrect error code the second time. * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug introduced in version 2.10.0). * Increased precision while computing OpenType font variation instances. * The flattening algorithm of cubic Bezier curves was slightly changed to make it faster. This can cause very subtle rendering changes, which aren't noticeable by the eye, however. * The auto-hinter now disables hinting if there are blue zones defined for a `style' (i.e., a certain combination of a script and its related typographic features) but the font doesn't contain any characters needed to set up at least one blue zone.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * A bunch of new functions has been added to access and process COLR/CPAL data of OpenType fonts with color-layered glyphs. * As a GSoC 2018 project, Nikhil Ramakrishnan completely overhauled and modernized the API reference. * The logic for computing the global ascender, descender, and height of OpenType fonts has been slightly adjusted for consistency. * `TT_Set_MM_Blend' could fail if called repeatedly with the same arguments. * The precision of handling deltas in Variation Fonts has been increased.The problem did only show up with multidimensional designspaces. * New function `FT_Library_SetLcdGeometry' to set up the geometry of LCD subpixels. * FreeType now uses the `defaultChar' property of PCF fonts to set the glyph for the undefined character at glyph index 0 (as FreeType already does for all other supported font formats). As a consequence, the order of glyphs of a PCF font if accessed with FreeType can be different now compared to previous versions. This change doesn't affect PCF font access with cmaps. * `FT_Select_Charmap' has been changed to allow parameter value `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT formats to access built-in cmaps that don't have a predefined `FT_Encoding' value. * A previously reserved field in the `FT_GlyphSlotRec' structure now holds the glyph index. * The usual round of fuzzer bug fixes to better reject malformed fonts. * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have been removed.These two functions were public by oversight only and were never documented. * A new function `FT_Error_String' returns descriptions of error codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is defined. * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new functions limited to Adobe MultiMaster fonts to directly set and get the weight vector.

• Enable subpixel rendering with infinality config:

• Re-enable freetype-config, there is just too many fallouts.

• Update to version 2.9.1 * Type 1 fonts containing flex features were not rendered correctly (bug introduced in version 2.9). * CVE-2018-6942: Older FreeType versions can crash with certain malformed variation fonts. * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. * Emboldening of bitmaps didn't work correctly sometimes, showing various artifacts (bug introduced in version 2.8.1). * The auto-hinter script ranges have been updated for Unicode 11. No support for new scripts have been added, however, with the exception of Georgian Mtavruli.
• freetype-config is now deprecated by upstream and not enabled by default.

• Update to version 2.10.1 * The `ftmulti' demo program now supports multiple hidden axes with the same name tag. * `ftview', `ftstring', and `ftgrid' got a `-k' command line option to emulate a sequence of keystrokes at start-up. * `ftview', `ftstring', and `ftgrid' now support screen dumping to a PNG file. * The bytecode debugger, `ttdebug', now supports variation TrueType fonts; a variation font instance can be selected with the new `-d' command line option.
• Add tarball signatures and freetype2.keyring

• Update to version 2.10.0 * The `ftdump' demo program has new options `-c' and `-C' to display charmaps in compact and detailed format, respectively. Option `-V' has been removed. * The `ftview', `ftstring', and `ftgrid' demo programs use a new command line option `-d' to specify the program window's width, height, and color depth. * The `ftview' demo program now displays red boxes for zero-width glyphs. * `ftglyph' has limited support to display fonts with color-layered glyphs.This will be improved later on. * `ftgrid' can now display bitmap fonts also. * The `ttdebug' demo program has a new option `-f' to select a member of a TrueType collection (TTC). * Other various improvements to the demo programs.

• Remove 'Supplements: fonts-config' to avoid accidentally pulling in Qt dependencies on some non-Qt based desktops.(bsc#1091109) fonts-config is fundamental but ft2demos seldom installs by end users. only fonts-config maintainers/debuggers may use ft2demos along to debug some issues.

• Update to version 2.9.1 * No changelog upstream.

This update for publicsuffix fixes the following issues:

• Update from version 20180312 to version 20200506. (bsc#1171819).

• New in version 20200506: * gTLD autopull: 2020-05-06 (#1030) * Update public_suffix_list.dat (#993) * Add shopware.store domain (#958) * Add clic2000.net to Private Section (#1010) * Add Fabrica apps domain: onfabrica.com (#999) * Add dyndns.dappnode.io (#912) * Added curv.dev to public_suffix_list.dat (#968) * Add panel.gg and daemon.panel.gg (#978) * adding sth.ac.at (#997) * Add netlify.app (#1012) * Added Wiki Link as info resource (#1011) * Add schulserver.de, update IServ GmbH contact information (#996) * Add conn.uk, copro.uk, couk.me and ukco.me domains (#963) * Remove flynnhub.com (#971) * Added graphox.us domain (#960) * Add domains for FASTVPS EESTI OU (#941) * Add platter.dev user app domains (#935) * Add playstation-cloud.com (#1006) * gTLD autopull: 2020-04-02 (#1005) * ACI prefix (#930) * Update public_suffix_list.dat (#923) * Add toolforge.org and wmcloud.org (#970) * gTLD autopull: 2020-03-29 (#1003)

• New in version 20200326: * aero registry removal * Add Mineduc subregistry for public schools: aprendemas.cl * Update public_suffix_list.dat - Existing Section * gTLD autopull: 2020-03-15 * Add 'urown.cloud' and 'dnsupdate.info' * Remove site.builder.nu * Remove unnecessary trailing whitespace for name.fj * Update .eu IDNs to add Greek and URL for Cyrillic * Update fj entry

• New in version 20200201: * gTLD autopull: 2020-02-01 (#952) * gTLD autopull: 2020-01-31 (#951) * Add WoltLab Cloud domains (#947) * Add qbuser.com domain (#943) * Added senseering domain (#946) * Add u.channelsdvr.net to PSL (#950) * Add discourse.team (#949) * gTLD autopull: 2020-01-06 (#942) * gTLD autopull: 2019-12-25 (#939) * Urgent removal of eq.edu.au (#924) * gTLD autopull: 2019-12-20 (#938) * gTLD autopull: 2019-12-11 (#932) * Added adobeaemcloud domains (#931) * Add Observable domain: observableusercontent.com. (#914) * Correct v.ua sorting * add v.ua (#919) * Add en-root.fr domain (#910) * add Datawire private domain (#925) * Add amsw.nl private domain to PSL (#929) * Add *.on-k3s.io (#922) * Add *.r.appspot.com to public suffix list (#920) * Added gentapps.com (#916) * Add oya.to (#908) * Add Group 53, LLC Domains (#900) * Add perspecta.cloud (#898) * Add 0e.vc to PSL (#896) * Add skygearapp.com (#892) * Update Hostbip Section (#871) * Add qcx.io and *.sys.qcx.io (#868) * Add builtwithdark.com to the public suffix list (#857) * Add_customer-oci.com (#811) * Move out old .ru reserved domains * gTLD autopull: 2019-12-02 (#928) * gTLD autopull: 2019-11-20 (#926)

• New in version 20191115: * Add gov.scot for Scottish Government * update gTLD list to 2019-11-15 state * remove go-vip.co, go-vip.net, wpcomstaging.com

• New in version 20191025: * gTLD list updated to 2019-10-24 state * Update .so suffix list * Add the new TLD .ss * Add xn--mgbah1a3hjkrd (Ů…Ů�ريتانيا) * Add lolipop.io * Add altervista.org * Remove zone.id from list * Add new domain to Synology dynamic dns service

• New in version 20190808: * tools: update newgtlds.go to filter removed gTLDs (#860) * gTLD autopull: 2019-08-08 (#862) * Remove non-public nuernberg.museum nuremberg.museum domains (#859) * gTLD autopull: 2019-08-02 (#858) * Update public_suffix_list.dat (#825) * Update reference as per #855 * add nic.za * Update contact for SymfonyCloud (#854) * Add lelux.site (#849) * Add *.webhare.dev (#847) * Update Hostbip Section (#846) * Add Yandex Cloud domains (#850) * Add ASEINet domains (#844) * Update nymnom section (#771) * Add Handshake zones (#796) * Add iserv.dev for IServ GmbH (#826) * Add trycloudflare.com to Cloudflare's domains (#835) * Add shopitsite.com (#838) * Add pubtls.org (#839) * Add qualifio.com domains (#840) * Update newgtlds tooling & associated gTLD data. (#834) * Add web.app for Google (#830) * Add iobb.net (#828) * Add cloudera.site (#829)

• New in version 20190529: * Add Balena domains (#814) * Add KingHost domains (#827) * Add dyn53.io (#820) * Add azimuth.network and arvo.network (#812) * Update .rw domains per ccTLD (#821) * Add b-data.io (#759) * Add co.bn (#789) * Add Zitcom domains (#817) * Add Carrd suffixes (#816) * Add Linode Suffixes (#810) * Add lab.ms (#807) * Add wafflecell.com (#805) * Add häkkinen.fi (#804) * Add prvcy.page (#803) * Add SRCF user domains: soc.srcf.net, user.srcf.net (#802) * Add KaasHosting (#801) * Adding cloud66.zone (#797) * Add gehirn.ne.jp and usercontent.jp for Gehirn Inc. (#795) * Add Clerk user domains (#791) * Add loginline (.app, .dev, .io, .services, .site) (#790) * Add wnext.app (#785) * Add Hostbip Registry Domains (#770) * Add glitch.me (#769) * added thingdustdata.com (#767) * Add dweb.link (#766) * Add onred.one (#764) * Add mo-siemens.io (#762) * Add Render domains (#761) * Add *.moonscale.io (#757) * Add Stackhero domain (#755) * Add voorloper.cloud (#750) * Add repl.co and repl.run (#748) * Add edugit.org (#736) * Add Hakaran domains (#733) * Add barsy.ca (#732) * Add Names.of.London Domains (#543) * Add nctu.me (#746) * Br 201904 update (#809) * Delete DOHA * Add app.banzaicloud.io (#730) * Update .TR (#741) * Add Nabu Casa (#781) * Added uk0.bigv.io under Bytemark Hosting (#745) * Add GOV.UK PaaS client domains (#765) * Add discourse.group for Civilized Discourse Construction Kit, Inc. (#768) * Add on-rancher.cloud and on-rio.io (#779) * Syncloud dynamic dns service (#727) * Add git-pages.rit.edu (#690) * Add workers.dev (#772) * Update .AM (#756) * Add go-vip.net. (#793) * Add site.builder.nu (#723) * Update .FR sectorial domains (#527) * Remove ACTIVE * Remove SPIEGEL * Remove EPOST * Remove ZIPPO * Remove BLANCO

• New in version 20190205: * Add domains of Individual Network Berlin e.V. (#711) * Added bss.design to PSL (#685) * Add fastly-terrarium.com (#729) * Add Swisscom Application Cloud domains (#698) * Update public_suffix_list.dat with api.stdlib.com (#751) * Add regional domain for filegear.me (#713) * Remove bv.nl (#758) * Update public_suffix_list.dat

• Link public_suffix_list.dat to effective_tld_names.dat for the purpose of httpcomponents-client

• Do not pull in full python3, psl-make-dafsa already pulls in what it needs to generate the things

• New in version 20181227: * Add run.app and a.run.app to the psl (#681) * Add telebit.io .app .xyz (#726) * Add Leadpages domains (#731) * Add public suffix entries for dapps.earth (#708) * Add Bytemark Hosting domains (#620) * Remove .STATOIL * linter: Expect rules to be in NFKC (#725) * Convert list data from NFKD to NFKC (#720) * Update LS (#718)

• New in version 20181030: * Add readthedocs.io (#722) * Remove trailing whitespace from L11948 (#721) * Add krasnik.pl, leczna.pl, lubartow.pl, lublin.pl, poniatowa.pl and swidnik.pl domains to the Public Suffix List (#670) * Add instantcloud.cn by Redstar Consultants (#696) * Add Fermax and mydobiss.com domain (#706) * Add shop.th & online.th (#716) * Add siteleaf.net (#655) * Add wpcomstaging.com and go-vip.co to the PSL (#719)

• Update to version 20181003: * Remove deleted TLDs (#710) * Added apigee.io (#712) * Add AWS ElasticBeanstalk Ningxia, CN region (#597) * Add Github PULL REQUEST TEMPLATE (#699) * Add ong.br 2nd level domain (#707)

• Update to version 20180813: * Update .ID list (#703) * Updated .bn ccTLD. Removed wildcard. (#702) * Remove stackspace.space from PSL (#691) * Remove XPERIA (#697)

• Update to version 20180719: * Remove .IWC * Update Kuwait's ccTLD (.kw) * Use https for www.transip.nl * Remove MEO and SAPO

• New in version 20180523: * Remove 1password domains (#632) * Add cleverapps.io (Clever Cloud) (#634) * Remove .BOOTS * Add azurecontainer.io to Microsoft domains (#637) * Change the patchnewgtlds tool for the updated .zw domain * Add new gTLDs up to 2018-04-17 and new ccTLDs up to 2018-04-17 * cloud.muni.cz cloud subdomains (#622) * Add YunoHost DynDns domains: nohost.me & noho.st (#615) * Use a custom token for the newGTLD list (#645) * lug.org.uk (#514) * Adding xnbay.com,u2.xnbay.com,u2-local.xnbay.com to public_suffix_list.dat. (#506) * Adding customer.speedpartner.de (#585) * Adding ravendb.net subdomains (#535) * Adding own.pm (#544) * pcloud.host (#531) * Add additional Lukanet Ltd domains (#652) * Add zone.id (#575) * Add half.host (#571) * Update 香港 TLD (#568) * Add Now-DNS domains (#560) * Added blackbaudcdn.net private domain to PSL (#558) * Adding IServ GmbH domains (#552) * Add FASTVPS EESTI OU domains (#541) * nic.it - update regions and provinces (#524) * Update Futureweb OG Private Domains (#520) * add United Gameserver virtualuser domains (#600) * Add Lightmaker Property Manager, Inc domains (#604) * Update Uberspace domains (#616) * Add Datto, Inc domains * Add memset hosting domains (#625) * Add utwente.io (#626) * Add bci.dnstrace.pro (#630) * Add May First domains (#635) * Add Linki Tools domains (#636) * Update NymNom domains * Add Co & Co domains (#650) * Add new gTLDs up to 2018-05-08 (#653) * Correct linter issues (#654) * Add cnpy.gdn as private domain (#633) * Add freedesktop.org (#619) * Add Omnibond Systems (#656) * Add hasura.app to the list (#668) * Update gu ccTLD suffixes (#669)

• New in version 20180328: * Add gwiddle.co.uk (#521) * Add ox.rs (#522) * Add myjino.ru (#512) * Add ras.ru domains (#511) * Add AWS ElasticBeanstalk Osaka, JP region (#628) * Remove trailing whitespace (#621)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53

• CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
• CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:
Changes in fontforge:

• Support transforming bitmap glyphs from python. (bsc#1169444)
• Allow python-Sphinx >= 3

• Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once.

• Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage
• Include the subfamily in the filename of converted fonts
• Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)
• Replace some unicode values in cu-pua12.pcf.gz to fix them
• Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not.
• Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

• Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for libX11 fixes the following issues:

• Fixed XIM client heap overflows (CVE-2020-14344, bsc#1174628)

This consolidated update includes multiple patchinfos for SUSE Manager Server and Proxy. This patchinfo is used for the codestream release only.

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for freetype2 fixes the following issues:

• CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

This update for MozillaThunderbird and mozilla-nspr fixes the following issues:

• Mozilla Thunderbird 78.4 * new: MailExtensions: browser.tabs.sendMessage API added * new: MailExtensions: messageDisplayScripts API added * changed: Yahoo and AOL mail users using password authentication will be migrated to OAuth2 * changed: MailExtensions: messageDisplay APIs extended to support multiple selected messages * changed: MailExtensions: compose.begin functions now support creating a message with attachments * fixed: Thunderbird could freeze when updating global search index * fixed: Multiple issues with handling of self-signed SSL certificates addressed * fixed: Recipient address fields in compose window could expand to fill all available space * fixed: Inserting emoji characters in message compose window caused unexpected behavior * fixed: Button to restore default folder icon color was not keyboard accessible * fixed: Various keyboard navigation fixes * fixed: Various color-related theme fixes * fixed: MailExtensions: Updating attachments with onBeforeSend.addListener() did not work MFSA 2020-47 (bsc#1177977) * CVE-2020-15969 Use-after-free in usersctp * CVE-2020-15683 Memory safety bugs fixed in Thunderbird 78.4
• Mozilla Thunderbird 78.3.3 * OpenPGP: Improved support for encrypting with subkeys * OpenPGP message status icons were not visible in message header pane * Creating a new calendar event did not require an event title
• Mozilla Thunderbird 78.3.2 (bsc#1176899) * OpenPGP: Improved support for encrypting with subkeys * OpenPGP: Encrypted messages with international characters were sometimes displayed incorrectly * Single-click deletion of recipient pills with middle mouse button restored * Searching an address book list did not display results * Dark mode, high contrast, and Windows theming fixes
• Mozilla Thunderbird 78.3.1 * fix crash in nsImapProtocol::CreateNewLineFromSocket
• Mozilla Thunderbird 78.3.0 MFSA 2020-44 (bsc#1176756) * CVE-2020-15677 Download origin spoofing via redirect * CVE-2020-15676 XSS when pasting attacker-controlled data into a contenteditable element * CVE-2020-15678 When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after- free scenario * CVE-2020-15673 Memory safety bugs fixed in Thunderbird 78.3

• update mozilla-nspr to version 4.25.1 * The macOS platform code for shared library loading was changed to support macOS 11. * Dependency needed for the MozillaThunderbird udpate

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for hamcrest fixes the following issue:

• Add obsoletes in the core API to solve conflicts during updates. (bsc#1174544)

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for hamcrest fixes the following issues:

• Make hamcrest build reproducibly. (bsc#1120493)
• Fix typo in hamcrest-core description. (bsc#1179994)

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for MozillaFirefox fixes the following issues:

• Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs

This update for apache-commons-io fixes the following issues:

• CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755)

This update for giflib fixes the following issues:

• Enable Position Independent Code and inherit CFLAGS from the build system (bsc#1184123).

This update for systemtap fixes the following issues:

• Releasing maven for SLE-15 SP1 and SP2. (bsc#1184022)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for sqlite3 fixes the following issues:

• Update to version 3.36.0
• CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
• CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
• CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
• CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
• CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
• CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
• CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
• CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
• CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
• CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
• CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
• CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
• CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
• CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
• CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
• CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
• CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
• CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
• CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
• CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
• CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

This update for publicsuffix fixes the following issues:

• Updates the list of known/accepted domains with recent data (bsc#1189124).

This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:

• implement new socket option PR_SockOpt_DontFrag
• support larger DNS records by increasing the default buffer size for DNS queries
• Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
• PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

• bmo#1713562 - Fix test leak.
• bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
• bmo#1693206 - Implement PKCS8 export of ECDSA keys.
• bmo#1712883 - DTLS 1.3 draft-43.
• bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
• bmo#1713562 - Validate ECH public names.
• bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

• bmo#1683710 - Add a means to disable ALPN.
• bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
• bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
• bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
• bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

• bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
• bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
• bmo#1708307 - Remove Trustis FPS Root CA from NSS.
• bmo#1707097 - Add Certum Trusted Root CA to NSS.
• bmo#1707097 - Add Certum EC-384 CA to NSS.
• bmo#1703942 - Add ANF Secure Server Root CA to NSS.
• bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
• bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
• bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
• bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
• bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
• bmo#1709291 - Add VerifyCodeSigningCertificateChain.

• bmo#1709654 - Update for NetBSD configuration.
• bmo#1709750 - Disable HPKE test when fuzzing.
• bmo#1566124 - Optimize AES-GCM for ppc64le.
• bmo#1699021 - Add AES-256-GCM to HPKE.
• bmo#1698419 - ECH -10 updates.
• bmo#1692930 - Update HPKE to final version.
• bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
• bmo#1703936 - New coverity/cpp scanner errors.
• bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
• bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
• bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

• bmo#1705286 - Properly detect mips64.
• bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and

• bmo#1697380 - Make a clang-format run on top of helpful contributions.
• bmo#1683520 - ECCKiila P384, change syntax of nested structs

• bmo#1688374 - Fix parallel build NSS-3.61 with make
• bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()

• bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key

• TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
• December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.

• bmo#1679290 - Fix potential deadlock with certain third-party

• Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

• bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
• bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
• bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
• bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
• bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed

• bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
• bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
• bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
• bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
• bmo#1667153 - Add PK11_ImportDataKey for data object import.
• bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.

• The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
• The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
• Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed.
• https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

• bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
• bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
• bmo#1654142 - Add CPU feature detection for Intel SHA extension.
• bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
• bmo#1656986 - Properly detect arm64 during GYP build architecture

• P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
• PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
• DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

• bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
• bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
• bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
• bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
• bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
• bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
• bmo#1646594 - Fix AVX2 detection in makefile builds.
• bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
• bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
• bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
• bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
• bmo#1649226 - Add Wycheproof ECDSA tests.
• bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
• bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
• bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.

• Support for TLS 1.3 external pre-shared keys (bmo#1603042).
• Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
• The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
• The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

• A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

• bmo#1528113 - Use ARM Cryptography Extension for SHA256.
• bmo#1603042 - Add TLS 1.3 external PSK support.
• bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
• bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
• bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
• bmo#1641716 - Add Microsoft's non-EV root certificates.
• bmo1621151 - Disable email trust bit for 'O=Government

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for brotli fixes the following issues:

• CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This recommended update for cairo, jbigkit, libjpeg-turbo, libwebp, libxcb, openjpeg2, pixman, poppler, tiff provides the following fix:

• Ship some missing binaries to PackageHub.

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for jsoup, jsr-305 fixes the following issues:

• CVE-2021-37714: Fixed infinite in untrusted HTML or XML data parsing (bsc#1189749).

• Build with java source and target levels 8
• Upgrade to upstream version 3.0.2

• Upgrade to upstream version 1.14.2
• Generate tarball using source service instead of a script

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for giflib fixes the following issues:

• CVE-2019-15133: Fixed a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero (bsc#1146299).
• CVE-2018-11490: Fixed a heap-based buffer overflow in DGifDecompressLine function in dgif_lib.c (bsc#1094832).
• CVE-2016-3977: Fixed a heap buffer overflow in gif2rgb (bsc#974847).

• build path independent objects and inherit CFLAGS from the build system (bsc#1184123)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for publicsuffix fixes the following issue:

• Update to version 20220405 (bsc#1198068)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

• add an API that returns a preferred loopback IP on hosts that have two IP stacks available.

This update for mozilla-nss fixes the following issues:
Various FIPS 140-3 related fixes were backported from SUSE Linux Enterprise 15 SP4:

• Makes the PBKDF known answer test compliant with NIST SP800-132. (bsc#1192079).
• FIPS: Add on-demand integrity tests through sftk_FIPSRepeatIntegrityCheck() (bsc#1198980).
• FIPS: mark algorithms as approved/non-approved according to security policy (bsc#1191546, bsc#1201298).
• FIPS: remove hard disabling of unapproved algorithms. This requirement is now fulfilled by the service level indicator (bsc#1200325).
• Run test suite at build time, and make it pass (bsc#1198486).
• FIPS: skip algorithms that are hard disabled in FIPS mode.
• Prevent expired PayPalEE cert from failing the tests.
• Allow checksumming to be disabled, but only if we entered FIPS mode due to NSS_FIPS being set, not if it came from /proc.
• FIPS: Make the PBKDF known answer test compliant with NIST SP800-132.
• Update FIPS validation string to version-release format.
• FIPS: remove XCBC MAC from list of FIPS approved algorithms.
• Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID for build.
• FIPS: claim 3DES unapproved in FIPS mode (bsc#1192080).
• FIPS: allow testing of unapproved algorithms (bsc#1192228).
• FIPS: add version indicators. (bmo#1729550, bsc#1192086).
• FIPS: fix some secret clearing (bmo#1697303, bsc#1192087).

• Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
• Update mercurial in clang-format docker image.
• Use of uninitialized pointer in lg_init after alloc fail.
• selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
• Add SECMOD_LockedModuleHasRemovableSlots.
• Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
• Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
• TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
• Correct invalid record inner and outer content type alerts.
• NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
• improve error handling after nssCKFWInstance_CreateObjectHandle.
• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
• NSS 3.79 should depend on NSPR 4.34

• Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple

• Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
• Reworked overlong record size checks and added TLS1.3 specific boundaries.
• Add ECH Grease Support to tstclnt
• Add a strict variant of moz::pkix::CheckCertHostname.
• Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
• Make SEC_PKCS12EnableCipher succeed
• Update zlib in NSS to 1.2.12.

• Fix link to TLS page on wireshark wiki
• Add two D-TRUST 2020 root certificates.
• Add Telia Root CA v2 root certificate.
• Remove expired explicitly distrusted certificates from certdata.txt.
• support specific RSA-PSS parameters in mozilla::pkix
• Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
• Remove token member from NSSSlot struct.
• Provide secure variants of mpp_pprime and mpp_make_prime.
• Support UTF-8 library path in the module spec string.
• Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
• Update googletest to 1.11.0
• Add SetTls13GreaseEchSize to experimental API.
• TLS 1.3 Illegal legacy_version handling/alerts.
• Fix calculation of ECH HRR Transcript.
• Allow ld path to be set as environment variable.
• Ensure we don't read uninitialized memory in ssl gtests.
• Fix DataBuffer Move Assignment.
• internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
• rework signature verification in mozilla::pkix

• Remove token member from NSSSlot struct.
• Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
• Check return value of PK11Slot_GetNSSToken.
• Use Wycheproof JSON for RSASSA-PSS
• Add SHA256 fingerprint comments to old certdata.txt entries.
• Avoid truncating files in nss-release-helper.py.
• Throw illegal_parameter alert for illegal extensions in handshake message.

• Make DottedOIDToCode.py compatible with python3.
• Avoid undefined shift in SSL_CERT_IS while fuzzing.
• Remove redundant key type check.
• Update ABI expectations to match ECH changes.
• Enable CKM_CHACHA20.
• check return on NSS_NoDB_Init and NSS_Shutdown.
• Run ECDSA test vectors from bltest as part of the CI tests.
• Add ECDSA test vectors to the bltest command line tool.
• Allow to build using clang's integrated assembler.
• Allow to override python for the build.
• test HKDF output rather than input.
• Use ASSERT macros to end failed tests early.
• move assignment operator for DataBuffer.
• Add test cases for ECH compression and unexpected extensions in SH.
• Update tests for ECH-13.
• Tidy up error handling.
• Add tests for ECH HRR Changes.
• Server only sends GREASE HRR extension if enabled by preference.
• Update generation of the Associated Data for ECH-13.
• When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
• Allow for compressed, non-contiguous, extensions.
• Scramble the PSK extension in CHOuter.
• Split custom extension handling for ECH.
• Add ECH-13 HRR Handling.
• Client side ECH padding.
• Stricter ClientHelloInner Decompression.
• Remove ECH_inner extension, use new enum format.
• Update the version number for ECH-13 and adjust the ECHConfig size.

• mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
• Ensure clients offer consistent ciphersuites after HRR
• NSS does not properly restrict server keys based on policy
• Set nssckbi version number to 2.54
• Replace Google Trust Services LLC (GTS) R4 root certificate
• Replace Google Trust Services LLC (GTS) R3 root certificate
• Replace Google Trust Services LLC (GTS) R2 root certificate
• Replace Google Trust Services LLC (GTS) R1 root certificate
• Replace GlobalSign ECC Root CA R4
• Remove Expired Root Certificates - DST Root CA X3
• Remove Expiring Cybertrust Global Root and GlobalSign root certificates
• Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
• Add iTrusChina ECC root certificate
• Add iTrusChina RSA root certificate
• Add ISRG Root X2 root certificate
• Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
• Avoid a clang 13 unused variable warning in opt build
• Check for missing signedData field
• Ensure DER encoded signatures are within size limits

• enable key logging option (boo#1195040)

• Add SHA-2 support to mozilla::pkix's OSCP implementation

• check for missing signedData field.
• Ensure DER encoded signatures are within size limits.
• NSS needs FiPS 140-3 version indicators.
• pkix_CacheCert_Lookup doesn't return cached certs
• sunset Coverity from NSS

• Fix nsinstall parallel failure.
• Increase KDF cache size to mitigate perf regression in about:logins

• Set nssckbi version number to 2.52.
• Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
• Import of PKCS#12 files with Camellia encryption is not supported
• Add HARICA Client ECC Root CA 2021.
• Add HARICA Client RSA Root CA 2021.
• Add HARICA TLS ECC Root CA 2021.
• Add HARICA TLS RSA Root CA 2021.
• Add TunTrust Root CA certificate to NSS.

• Update test case to verify fix.
• Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
• Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
• Avoid using a lookup table in nssb64d.
• Use HW accelerated SHA2 on AArch64 Big Endian.
• Change default value of enableHelloDowngradeCheck to true.
• Cache additional PBE entries.
• Read HPKE vectors from official JSON.

• Disable DTLS 1.0 and 1.1 by default
• integrity checks in key4.db not happening on private components with AES_CBC

• Disable DTLS 1.0 and 1.1 by default (backed out again)
• integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
• SSL handling of signature algorithms ignores environmental invalid algorithms.
• sqlite 3.34 changed it's open semantics, causing nss failures.
• Gtest update changed the gtest reports, losing gtest details in all.sh reports.
• NSS incorrectly accepting 1536 bit DH primes in FIPS mode
• SQLite calls could timeout in starvation situations.
• Coverity/cpp scanner errors found in nss 3.67
• Import the NSS documentation from MDN in nss/doc.
• NSS using a tempdir to measure sql performance not active

• CVE-2022-31741: Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. (bmo#1767590)

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for mozilla-nss fixes the following issues:
Update to NSS 3.79.1 (bsc#1202645)

• compare signature and signatureAlgorithm fields in legacy certificate verifier.
• Uninitialized value in cert_ComputeCertType.
• protect SFTKSlot needLogin with slotLock.
• avoid data race on primary password change.
• check for null template in sec_asn1{d,e}_push_state.

• FIPS: unapprove the rest of the DSA ciphers, keeping signature verification only (bsc#1201298).

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for freetype2 fixes the following issues:

• CVE-2022-27404 Fixed a segmentation fault via a crafted typeface (bsc#1198830).
• CVE-2022-27405 Fixed a buffer overflow via a crafted typeface (bsc#1198832).
• CVE-2022-27406 Fixed a segmentation fault via a crafted typeface (bsc#1198823).

• Updated to version 2.10.4

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)
• Add permissions for enlightenment helper on 32bit arches (bsc#1194047)

This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nspr was updated to version 4.34.1:

• add file descriptor sanity checks in the NSPR poll function.

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Prevent TLS sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Use libjitterentropy for entropy (bsc#1202870).
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.79.2 (bsc#1204729)

• Bump minimum NSPR version to 4.34.1.
• Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

• FIPS: Allow the use of DSA keys (verification only) (bsc#1201298).
• FIPS: Add sftk_FIPSRepeatIntegrityCheck() to softoken's .def file (bsc#1198980).
• FIPS: Allow the use of longer symmetric keys via the service level indicator (bsc#1191546).
• FIPS: Export sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
• FIPS: Prevent sessions from getting flagged as non-FIPS (bsc#1191546).
• FIPS: Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
• FIPS: Enable userspace entropy gathering via libjitterentropy (bsc#1202870).
• FIPS: Prevent keys from getting flagged as non-FIPS and add remaining TLS mechanisms.
• FIPS: Use libjitterentropy for entropy.
• FIPS: Fixed an abort() when both NSS_FIPS and /proc FIPS mode are enabled.

This update for jsoup fixes the following issues:
Updated to version 1.15.3:
- CVE-2022-36033: Fixed incorrect sanitization of user input in SafeList.preserveRelativeLinks (bsc#1203459).

This update for jsoup fixes the following issues:

• Fix typo in the ant *-build.xml file that caused errors while building eclipse.

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for libeconf fixes the following issues:

• Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165)

• Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters'

This update for publicsuffix fixes the following issues:

• Update to version 20220903

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for mozilla-nss fixes the following issues:

• FIPS: Disapprove the creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
• FIPS: Allow the use SHA keygen mechs (bsc#1191546).
• FIPS: ensure abort() is called when the repeat integrity check fails (bsc#1198980).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for mozilla-nss fixes the following issues:

• CVE-2022-3479: Fixed a potential crash that could be triggered when a server requested a client authentication certificate, but the client had no certificates stored (bsc#1204272).
• Updated to version 3.79.3 (bsc#1207038): - CVE-2022-23491: Removed trust for 3 root certificates from TrustCor.

This update for mozilla-nss fixes the following issues:
Updated to NSS 3.79.4 (bsc#1208138):
- CVE-2023-0767: Fixed handling of unknown PKCS#12 safe bag types.

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for jsoup, jsr-305 fixes the following issues:

• Redistribute packages to fix dependency inconsistencies in some products.

This feature update for the Java stack provides:
ant:

• Update ant from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Update ant-antlr from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Fix build with apache-ivy 2.5.1 (jsc#SLE-23217)

• Update ant-junit from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar. * Do not build against the log4j12 packages, use the new reload4j

• Update ant-junit5 from version 1.10.7 to version 1.10.12. (jsc#SLE-23217) * CVE-2021-36374: Excessive memory allocation when reading a crafted ZIP archive or a derived formats. (bsc#1188469) * CVE-2021-36373: Excessive memory allocation when reading a crafted TAR archive. (bsc#1188468) * Do not follow redirects if the 'followRedirects' attribute is set to 'false'. * Make sure setting build.compiler to the fully qualified classname that corresponds to extJavac or modern has the same effect as using the shorter alias names. * Prevent potential deadlocks in org.apache.tools.ant.IntrospectionHelper. * Avoid file name canonicalization when possible. * Upgraded AntUnit to 1.4.1. * CVE-2020-11979: Fixed an insecure temporary file vulnerability. (bnc#1177180) * CVE-2020-1945: insecure temporary file vulnerability. (bsc#1171696) * sshexec, sshsession and scp now support a new sshConfig parameter. It specifies the SSH configuration file (typically ${user.home}/.ssh/config) defining the username and keyfile to be used per host. * Add rhino to the ant-apache-bsf optional tasks. (bsc#1134001) * Remove jakarta-commons-* dependencies and use apache-commons-logging and apache-commons-net in optional tasks. (bsc#1133997) * Use xml-commons-apis-bootstrap as jar in classpath instead of the common xml-apis jar.
• Do not build against the log4j12 packages, use the new reload4j

• Build antlr-manual package without examples files. (bsc#1120360)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update antlr4 from version 4.7.2 to version 4.9.3. (jsc#SLE-23217) * The libantlr4-runtime-devel now requires utfcpp-devel * For more details check: https://github.com/antlr/antlr4/compare/4.7.2...4.9.3

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide apache-commons-beanutils 1.9.4 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update apache-commons-cli from version 1.4 to version 1.5.0. (jsc#SLE-23217) * Replace deprecated FindBugs with SpotBugs * Replace CLIRR with JApiCmp. * Update Java from version 5 to 7 * Remove deprecated sudo setting * Bump junit:junit to 4.13.2 * Bump commons-parent to 52 * Bump maven-pmd-plugin to 3.15.0 * Bump actions/checkout to v2.3.5 * Bump actions/setup-java to v2 * Bump maven-antrun-plugin to 3.0.0 * Bump maven-checkstyle-plugin to 3.1.2 * Bump checkstyle to 9.0.1 * Bump actions/cache to 2.1.6 * Bump commons.animal-sniffer.version to 1.20 * Bump maven-bundle-plugin to 5.1.2 * Bump biz.aQute.bndlib.version to 6.0.0 * Bump spotbugs to 4.4.2 * Bump spotbugs-maven-plugin to 4.4.2.2 * Add OSGi manifest to the build files. * Set java source/target levels to 6

• Update apache-commons-codec from version 1.11 to version 1.15. (jsc#SLE-23217) * Do not alias the artifact to itself * Base16Codec and Base16Input/OutputStream. * Hex encode/decode with existing arrays. * Base32/Base64 Input/OutputStream: Added strict decoding property to control handling of trailing bits. Default lenient mode discards them without error. Strict mode raise an exception. * Update tests from JUnit to 4.13. * Update actions/checkout to v2.3.2 * Update actions/setup-java to v1.4.1. * MurmurHash3: Deprecate hash64 methods and hash methods accepting a String that use the default encoding. * Allow repeat calls to MurmurHash3.IncrementalHash32.end() to generate the same value. * Add RandomAccessFile digest methods * Add Path APIs to org.apache.commons.codec.digest.DigestUtils similar to File APIs. * Add SHA-512/224 and SHA-512/256 to DigestUtils for Java 9 and up. * Deprecate Charset constants in org.apache.commons.codec.Charsets in favor of java.nio.charset.StandardCharsets. * Reject any decode request for a value that is impossible to encode to for Base32/Base64. * MurmurHash2 for 32-bit or 64-bit value. * MurmurHash3 for 32-bit or 128-bit value. * Update from Java 6 to Java 7. * Add Percent-Encoding Codec (described in RFC3986 and RFC7578) * Add SHA-3 methods in DigestUtils.

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not use a dummy pom that only declares dependencies for the testframework artifact

• Remove support for pack200 which depends on old asm3. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide apache-commons-csv version 1.9.0 (jsc#SLE-23217)

• Update apache-commons-daemon from version 1.0.15 to version 1.2.4. (jsc#SLE-23217) * Build with source/target levels 8 * Ensure that log messages written to stdout and stderr are not lost during start-up. * Enable the service to start if the Options value is not present in the registry. * jsvc. Don't fail if the CAP_DAC_READ_SEARCH capability is not available. Fall back to using argv[0] rather than /proc/self/exe to determine the path for the current binary. * Improved JRE/JDK detection to support increased range of both JVM versions and vendors * Correct multiple issues related to enabling a service to interact with the desktop. Provide a better error message if this option is used with an invalid user, install the service with the option enabled if requested and correctly save the setting if it is enabled in the GUI. * Update the list of paths searched for libjvm.so to include the path used by OpenJDK 11. * Add additional debug logging for Java start mode. * Remove incorrect definition 'supported_os' which defined in psupport.m4 file to fix jsvc build error on s390, arm, aarch64, mipsel and mips. * More debug logging in prunsrv.c and javajni.c. * Update arguments.c to support Java 11 --enable-preview. * jsvc and Procrun: ad support for Java native memory tracking. * Procrun. Add a new command, print, that outputs the command to (re-)configure the service with the current settings. This is intended to be used to save settings such as before an upgrade. * Update: Update Commons-Parent to version 49. * Add AArch64 support to src/native/unix/support/apsupport.m4. * Procrun. When running in jre mode, if the standard Java registry entries for JavaHome and RuntimeLib are not present, attempt to use the Procrun JavaHome key to find the runtime library. * Procrun. Add an option to configure the service to use the 'Automatic (Delayed Start)' startup mode. * jsvc. Include the full path to the jsvc executable in the debug log. * Remove support for building Procrun for the Itanium platform.

• Provide apache-commons-dbcp version 2.1.1 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update apache-commons-io from version 2.6 to version 2.11.0. (jsc#SLE-23217) * CVE-2021-29425: Limited path traversal in Apache Commons IO (bsc#1184755) * Java 8 or later is required * This update provides several fixes and enhancements. For a full overview please, visit: https://commons.apache.org/proper/commons-io/changes-report.html

• Build with source and target levels 8 (jsc#SLE-23217)

• Update apache-commons-lang3 from version 3.8.1 to version 3.12.0. (jsc#SLE-23217) * Remove the junit bom dependency as it breaks the build of other packages like log4j. * Fix component version in default.properties to 3.12 * Add BooleanUtils.booleanValues(). * Add BooleanUtils.primitiveValues(). * Add StringUtils.containsAnyIgnoreCase(CharSequence, CharSequence...). * Add StopWatch.getStopTime(). * Add fluent-style ArraySorter. * Add and use LocaleUtils.toLocale(Locale) to avoid NPEs. * Add FailableShortSupplier, handy for JDBC APIs. * Add JavaVersion.JAVA_17. * Add missing boolean[] join method. * Add StringUtils.substringBefore(String, int). * Add Range.INTEGER. * Add DurationUtils. * Introduce the use of @Nonnull, and @Nullable, and the Objects class as a helper tool. * Add and use true and false String constants. * Add and use ObjectUtils.requireNonEmpty(). * Correct implementation of RandomUtils.nextLong(long, long). * Restore handling of collections for non-JSON ToStringStyle. * ContextedException Javadoc add missing semicolon. * Resolve JUnit pioneer transitive dependencies using JUnit BOM. * NumberUtilsTest - incorrect types in min/max tests. * Improve StringUtils.stripAccents conversion of remaining accents. * StringUtils.countMatches - clarify Javadoc. * Remove redundant argument from substring call. * BigDecimal is created when you pass it the min and max values. * TypeUtils.isAssignable returns wrong result for GenericArrayType and ParameterizedType. * testGetAllFields and testGetFieldsWithAnnotation sometimes fail. * TypeUtils. containsTypeVariables does not support GenericArrayType. * Refine StringUtils.lastIndexOfIgnoreCase. * Refine StringUtils.abbreviate. * Refine StringUtils.isNumericSpace. * Refine StringUtils.deleteWhitespace. * MethodUtils.invokeMethod NullPointerException in case of null in args list. * Fix 2 digit week year formatting. * Add and use ThreadUtils.sleep(Duration). * Add and use ThreadUtils.join(Thread, Duration). * Add ObjectUtils.wait(Duration). * ArrayUtils.toPrimitive(Object) does not support boolean and other types. * Processor.java: check enum equality with == instead of .equals() method. * Use own validator ObjectUtils.anyNull to check null String input. * Add ArrayUtils.isSameLength() to compare more array types. * Added the Locks class as a convenient possibility to deal with locked objects. * Add to Functions: FailableBooleanSupplier, FailableIntSupplier, FailableLongSupplier, FailableDoubleSupplier... * Add ArrayUtils.get(T[], index, T) to provide an out-of-bounds default value. * Add JavaVersion enum constants for Java 14, 15 and 16. * Use Java 8 lambdas and Map operations. * Change removeLastFieldSeparator to use endsWith. * Change a Pattern to a static final field, for not letting it compile each time the function invoked. * Add ImmutablePair factory methods left() and right(). * Add ObjectUtils.toString(Object, Supplier). * Add org.apache.commons.lang3.StringUtils.substringAfter(String, int). * Add org.apache.commons.lang3.StringUtils.substringAfterLast(String, int). * Use StandardCharsets.UTF_8. * Use Collections.singletonList insteadof Arrays.asList when there be only one element. * Change array style from `int a[]` to `int[] a`. * Change from addAll to constructors for some List. * Simplify if as some conditions are covered by others. * Fixed Javadocs for setTestRecursive(). * ToStringBuilder.reflectionToString - Wrong JSON format when object has a List of Enum. * Make org.apache.commons.lang3.CharSequenceUtils.toCharArray(CharSequence) public. * Update actions/cache from v2 to v2.1.4. * Update actions/checkout from v2.3.1 to v2.3.4. * Update actions/setup-java from v1.4.0 to v1.4.2. * Update biz.aQute.bndlib from 5.1.1 to 5.3.0. * Update com.puppycrawl.tools:checkstyle to 8.34. * Update commons.jacoco.version 0.8.5 to 0.8.6 (Fixes Java 15 builds). * Update commons.japicmp.version to 0.15.2. * Update jmh.version from 1.21 to 1.27. * Update junit-bom from 5.7.0 to 5.7.1. * Update junit-jupiter to 5.7.0. * Update junit-pioneer to 1.3.0. * Update maven-checkstyle-plugin to 3.1.2. * Update maven-pmd-plugin from 3.13.0 to 3.14.0. * Update maven-surefire-plugin 2.22.2 -> 3.0.0-M5. * Update org.apache.commons:commons-parent to 51. * Update org.easymock:easymock to 4.2. * Update org.hamcrest:hamcrest 2.1 -> 2.2. * Update org.junit.jupiter:junit-jupiter to 5.6.2. * Update spotbugs to 4.2.1. * Update spotbugs-maven-plugin from 4.0.0 to 4.2.0. * Add ExceptionUtils.throwableOfType(Throwable, Class) and friends. * Add EMPTY_ARRAY constants to classes in org.apache.commons.lang3.tuple. * Add null-safe StringUtils APIs to wrap String#getBytes([Charset|String]). * Add zero arg constructor for org.apache.commons.lang3.NotImplementedException. * Add ArrayUtils.addFirst() methods. * Add Range.fit(T) to fit a value into a range. * Added Functions.as*, and tests thereof, as suggested by Peter Verhas * Add getters for lhs and rhs objects in DiffResult. * Generify builder classes Diffable, DiffBuilder, and DiffResult. * Add ClassLoaderUtils with toString() implementations. * Add null-safe APIs as StringUtils.toRootLowerCase(String) and StringUtils.toRootUpperCase(String). * Add org.apache.commons.lang3.time.Calendars. * Add EnumUtils getEnum() methods with default values. * Added indexesOf methods and simplified removeAllOccurences. * Add support of lambda value evaluation for defaulting methods. * Add factory methods to Pair classes with Map.Entry input. * Add StopWatch convenience APIs to format times and create a simple instance. * Allow a StopWatch to carry an optional message. * Add ComparableUtils. * Add org.apache.commons.lang3.SystemUtils.getUserName(). * Add ObjectToStringComparator. * Add org.apache.commons.lang3.arch.Processor.Arch.getLabel(). * Add IS_JAVA_14 and IS_JAVA_15 to org.apache.commons.lang3.SystemUtils. * ObjectUtils: Get first non-null supplier value. * Added the Streams class, and Functions.stream() as an accessor thereof. * Make test more stable by wrapping assertions in hashset. * Use synchronize on a set created with Collections.synchronizedSet before iterating. * StringUtils.unwrap incorrect throw StringIndexOutOfBoundsException. * StringIndexOutOfBoundsException in StringUtils.replaceIgnoreCase. * StringUtils.removeIgnoreCase('?a', 'a') throws IndexOutOfBoundsException. * StringUtils abbreviate returns String of length greater than maxWidth. * Deprecate org.apache.commons.lang3.ArrayUtils.removeAllOccurences(*) for org.apache.commons.lang3.ArrayUtils.removeAllOccurrences(*). * Requires jdk >= 1.8 * Add more SystemUtils.IS_JAVA_XX variants * Adding the Functions class * Add @FunctionalInterface to ThreadPredicate and ThreadGroupPredicate * Add isEmpty method to ObjectUtils * null-safe StringUtils.valueOf(char[]) to delegate to String.valueOf(char[]). * Add API org.apache.commons.lang3.SystemUtils.isJavaVersionAtMost(JavaVersion) * Consolidate the StringUtils equals and equalsIgnoreCase * Add OSGi manifest

• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)

• Provide apache-commons-math version 3.6.1 (jsc#SLE-23217)

• Update from version 3.6 to version 3.9.0 (jsc#SLE-23217) * CVE-2021-37533: FTP client trusts the host from PASV response by default (bsc#1206018) * Build with source and target levels 8

• Provide apache-commons-ognl version 4.0-20191021git51cf8f4. (jsc#SLE-23217)

• Update apache-commons-parent from version 47 to version 52. (jsc#SLE-23217) * For a full changelog, please visit: https://github.com/apache/commons-parent/compare/commons-parent-47...rel/commons-parent-52

• Provide apache-commons-pool2 2.4.2 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide apache-commons-text version 1.10.0 (jsc#SLE-23217) * CVE-2022-42889: code execution when processing untrusted input due to insecure interpolation defaults. (bsc#1204284) * This is a new dependency of maven-javadoc-plugin. * Build with ant in order to avoid build cycles.

• Upgrade from version 2.4.0 to version 2.5.1. (jsc#SLE-23217) * CVE-2022-37866: path traversal via user-supplied pattern (bsc#1205142) * CVE-2022-37865: apache-ivy: Apache Ivy allow create/overwrite any file on the system. (bsc#1205138) * Breaking: + Removed old `fr\jayasoft\ivy\ant\antlib.xml` AntLib definition file. * Force building with JDK < 14, since it imports statically a class removed in JDK14. * Change dependencies for the httpclient to httpcomponents-client instead of apache-commons-httpclient.

• Update apache-logging-parent from version 2 to version 5. (jsc#SLE-23217) * Do not require maven-local, since it can be handled by javapackages-local

• Check upstream source signature

• Update apache-pdfbox from version 1.8.16 to version 2.0.23. (jsc#SLE-23217) * CVE-2021-27807: infinite loop while loading a crafted PDF file. (bsc#1184356) * CVE-2021-27906: OutOfMemory-Exception while loading a crafted PDF file. (bsc#1184357) * Fix build with bouncycastle 1.71 and the new bcutil artifact * Build with source/target levels 8 * Package all resources in pdfbox module * Improve document signing * Allow reuse of subsetted fonts by inverting the ToUnicode CMap * Improve performance in signature validation * Add more checks to PDFXrefStreamParser and reduce memory footprint * Use StringBuilder for key in PDDeviceN.toRGBWithTintTransform() * Don't use RGB loop in PDDeviceN.toRGBWithTintTransform() * Add source signature and keyring * Move from 1.x release line to the 2.x one. This is a ABI change * Generate the ant build system from the maven one and customize it.

• Provide apache-resource-bundles version 2 (jsc#SLE-23217) * This package contains templates for generating necessary license files and notices for all Apache releases. * This is a build dependency of apache-sshd

• Provide apache-sshd version 2.7.0 as dependency of eclipse-jgit (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update aqute-bnd from version 3.5.0 to version 5.2.0. (jsc#SLE-23217) * ant plugin is in separate artifact. * Produce bytecode compatible with Java 8 * Port to OSGI 7.0.0 * Require aqute-bndlib

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Update atinject from version 1+20100611git1f74ea7 to version 1+20160610git1f74ea7. (jsc#SLE-23217) * Alias to the new jakarta name * Fetch the sources using a source service * Do not use the upstream build.sh, but use it to write a necessary part directly to the spec file * Build with source/target levels 8 * Fix build with javadoc 17.

• Update auto from version 1.3 to version 1.6.1. (jsc#SLE-23217) * Provide the auto-value-annotations artifact needed by google-errorprone * Provide auto-service-annotations and fix dependencies issues.

• Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)

• Do not build against the log4j12 packages, use the new reload4j. (jsc#SLE-23217)
• Do not build the org.apache.log.output.lf5 package

• Build with java source and target levels 8. (jsc#SLE-23217)
• Build against the standalone JavaEE modules unconditionally
• Double the maximum memory for javadoc to avoid out-of-memory on certain architectures
• Force generating javadoc with maven-javadoc-plugin, since the xmvn javadoc mojo doesn't work here.

• Require glassfish-activation-api in order to prevent missing APIs when running the ant task. (jsc#SLE-23217)
• Unify the dependency on glassfish-activation-api instead of jaf and gnu-jaf. (jsc#SLE-23217)
• On systems where the JavaEE modules exist, allow building against newer versions of APIs (jsc#SLE-23217)
• Alias relevant artifacts to org.apache.axis (jsc#SLE-23217)
• Do not build against the log4j12 packages, use the new reload4j (jsc#SLE-23217)
• Require Java >= 1.8 (jsc#SLE-23217)

• Provide base64coder 20101219 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide beust-jcommander 1.71 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update bnd-maven-plugin from version 3.5.2 to version 5.2.0. (jsc#SLE-23217) * Produce bytecode compatible with Java 8 * Port to OSGI 7.0.0 * Require maven-mapping

• Update bouncycastle from version 1.64 to version 1.71. (jsc#SLE-23217) * Relevant fixes - CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password. (bsc#1180215) - CVE-2020-15522: Timing issue within the EC math library. (bsc#1186328) - Blake 3 output limit is enforced. - The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation. - ASN.1: More robust handling of high tag numbers and definite-length forms. - BCJSSE: Don't log sensitive system property values (GH#976). - The IES AlgorithmParameters object has been re-written to properly support all the variations of IESParameterSpec. - PGPPublicKey.getBitStrength() now properly recognises EdDSA keys. - In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters. - An accidental partial dependency on Java 1.7 has been removed from the TLS API. - Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This has been fixed. - Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed. - ESTService could fail for some valid Content-Type headers. This has been fixed. - CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least one object found. - PGP ArmoredInputStream now fails earlier on malformed headers. - Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory. - Blowfish keys are now range checked on cipher construction. - The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280. - Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers. - TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3. - Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed. - PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed. - BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed. - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implmentation - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters() - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey - CMSTypedStream$FullReaderStream now handles zero length reads correctly - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. - Use of GCMParameterSpec could cause an AccessControlException under some circumstances. - DTLS: Fixed high-latency HelloVerifyRequest handshakes. - An encoding bug for rightEncoded() in KMAC has been fixed. - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. - DLExternal would encode using DER encoding for tagged SETs. - ChaCha20Poly1305 could fail for large (>~2GB) files. - ChaCha20Poly1305 could fail for small updates when used via the provider. - Properties.getPropertyValue could ignore system property when other local overrides set. - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. - BCJSSE: TrustManager now tolerates having no trusted certificates. - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly. * Additional Features and Functionality - Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on ArmoredInputStream. - PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a PGPDigestCalculator is passed in. - PGP ASCII armored data now skips '\t', '\v', and '\f'. - PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes filtered out, rather than the duplicate causing an exception. - PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream. - The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension where it is possible to do so. - Removed support for maxXofLen in Kangaroo digest. - Ignore marker packets in PGP Public and Secret key ring collection. - An implementation of LEA has been added to the low-level API. - Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing encrypted data. - A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for text and UTF-8 mode. - A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class. - ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been deprecated and re-implemented in terms of TaggedObject. - ASN.1: Improved support for nested tagging. - ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID. - ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values. - TLS: Added support for external PSK handshakes. - TLS: Check policy restrictions on key size when determining cipher suite support. - A performance issue in KeccakDigest due to left over debug code has been identified and dealt with. - BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause an exception). - A method for recovering user keying material has been added to KeyAgreeRecipientInformation. - Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA. - The low level BcDefaultDigestProvider now supports the SHAKEfamily of algorithms and the SM3 alogirthm. - PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys. - The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API. - ArmoredInputStream now explicitly checks for a '\n' if in crLF mode. - Direct support for NotationDataOccurances, Exportable,Revocable, IntendedRecipientFingerPrints, and AEAD algorithm preferences has been added to PGPSignatureSubpacketVector. - Further support has been added for keys described using S-Expressions in GPG 2.2.X. - Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added. - Additional checks have been added for PGP marker packets in the parsing of PGP objects. - A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers to CMS SignedData structures when required. - Support has been added to CMS for the LMS/HSS signature algorithm. - The system property 'org.bouncycastle.jsse.client.assumeOriginalHostName' (default false) has been added for dealing with SNI problems related to the host name not being propagate by the JVM. - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm parameters (e.g. AESKWP). - Support is now added for certificates using ETSI TS 103 097, 'Intelligent Transport Systems (ITS)' in the bcpkix package. - Added support for OpenPGP regular expression signature packets. - added support for OpenPGP PolicyURI signature packets. - A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey. - The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider. - The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider. - The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider. - The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider. - KMAC128, KMAC256 has been added to the BC provider (empty customization string). - TupleHash128, TupleHash256 has been added to the BC provider (empty customization string). - ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, block size 1024 bits). - Two new properties: 'org.bouncycastle.rsa.max_size' (default 15360) and 'org.bouncycastle.ec.fp_max_size' (default 1042) have been added to cap the maximum size of RSA and EC keys. - RSA modulus are now checked to be provably composite using the enhanced MR probable prime test. - Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by 'org.bouncycastle.ec.fp_certainty' (default 100). - The BC entropy thread now has a specific name: 'BC-ENTROPY-GATHERER'. - Utility methods have been added for joining/merging PGP public keys and signatures. - Blake3-256 has been added to the BC provider. - DTLS: optimisation to delayed handshake hash. - Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported. - CMSSignedDataGenerator now supports the direct generation of definite-length data. - The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string. - Support for additional input has been added for deterministic (EC)DSA. - The OpenPGP API provides better support for subkey generation. - BCJSSE: Added boolean system properties 'org.bouncycastle.jsse.client.dh.disableDefaultSuites' and 'org.bouncycastle.jsse.server.dh.disableDefaultSuites'. Default 'false'. Set to 'true' to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively. - GCM-SIV has been added to the lightweight API and the provider. - Blake3 has been added to the lightweight API. - The OpenSSL PEMParser can now be extended to add specialised parsers. - Base32 encoding has now been added, the default alphabet is from RFC 4648. - The KangarooTwelve message digest has been added to the lightweight API. - An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API and the JCE provider. - An implementation of ParallelHash has been added to the lightweight API. - An implementation of TupleHash has been added to the lightweight API. - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest. - ECDSA now supports the use of SHAKE128 and SHAKE256. - PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried. - Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret key rings they contain. - KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator information. - PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print details. - The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested in hearing from anyone that needs to do this. - PLAIN-ECDSA now supports the SHA3 digests. - Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes are in the org.bouncycastle.tsp.ers package. - ECIES has now also support SHA256, SHA384, and SHA512. - digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible. - A new property 'org.bouncycastle.jsse.config' has been added which can be used to configure the BCJSSE provider when it is created using the no-args constructor. - In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest. - PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature. - Support for ASN.1 PRIVATE tags has been added. - Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher. - Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API - BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10). - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768). - BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false'). - BCJSSE: Added support for jdk.tls.client.cipherSuites system property. - BCJSSE: Added support for jdk.tls.server.cipherSuites system property. - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252. - BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including brainpool). - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734. - BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a default value of 'true'. - BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For now it is only enabled by default for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or SSLEngine, or via SSLParameters. - BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For now it is disabled by default, and can be enabled by setting the boolean system property org.bouncycastle.jsse.server.enableSessionResumption to 'true'. - The provider RSA-PSS signature names that follow the JCA naming convention. - FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates. - PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list. - Performance improvement of Argon2 and Noekeon - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys) - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost - Performance of custom binary ECC curves and Edwards Curves has been improved - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain) - Initial support has been added for 'Composite Keys and Signatures For Use In Internet PKI' using the test OID. Please note there will be further refinements to this as the draft is standardised - The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces directly - Further optimization work has been done on GCM - A NewHope based processor, similar to the one for Key Agreement has been added for trying to 'quantum hard' KEM algorithms - PGP clear signed signatures now support SHA-224 - Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled - Mode name checks in Cipher strings should now make sure an improper mode name always results in a NoSuchAlgorithmException - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding - The qTESLA signature algorithm has been updated to v2.8 (20191108). - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension. - Support has been added for 'ocsp.enable', 'ocsp.responderURL' and PKIXRevocationChecker for users of Java 8 and later. - Support has been added for 'org.bouncycastle.x509.enableCRLDP' to the PKIX validator. - BCJSSE: Now supports system property 'jsse.enableFFDHE' - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'. - Multi-release support has been added for Java 11 XECKeys. - Multi-release support has been added for Java 15 EdECKeys. - The MiscPEMGenerator will now output general PrivateKeyInfo structures. - A new property 'org.bouncycastle.pkcs8.v1_info_only' has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures. - The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector. - BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list. - BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards). - Performance of the Base64 encoder has been improved. - The PGPPublicKey class will now include direct key signatures when checking for key expiry times. - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider. - SipHash128 support has been added to the low level library and the JCE provider. - BCJSSE: BC API now supports explicitly specifying the session to resume. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains. - BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any). - BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch). - BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support). - TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider. * Notes - The deprecated QTESLA implementation has been removed from the BCPQC provider. - The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly deterministic ones. - While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 library will find that some classes need recompiling. Apologies for the inconvenience. - There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation. - A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar). - Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the size of the provider jar and should also make it easier for developers to patch the classes involved as they no longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar. - The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.
• Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api)
• Remove unneeded script bouncycastle_getpoms.sh from sources
• Build against the standalone JavaEE modules unconditionally
• Build with source/target levels 8
• Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules
• Add bouncycastle_getpoms.sh to get pom files from Maven repos
• Add OSGi manifests to the distributed jars so that they can be used from eclipse (default enabled protocols).

• Provide bsf 2.4.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Provide bsh2 2.0.0.b6 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Update cal10n from version 0.7.7 to version 0.8.1.10. (jsc#SLE-23217) * Fetch sources using source service from ch.qos git * Upgrade to the 10th commit after 0.8.1 calling it 0.8.1.10 * Add the cal10n-ant-task to built artifacts * This release adds JSR-269 support. In other words, verification of bundles can be performed at compilation time. See the related documentation for more details. * Fix issue with Eclipse not finding existing resources. Eclipse will find bundles located under 'src/main/resources' but still fail to find bundles located under 'src/test/resources/'. * When reading in bundles, the verify method in MessageKeyVerifier now uses the locale passed as parameter instead of always Locale.FR. * Update build.xml-0.7.7.tar.xz to build.xml-0.8.1.tar.xz with references to version 0.8.1 to build correctly versioned jar files.

• Build only on architectures where eclipse is supported. (jsc#SLE-23217)
• Do not build against the legacy version of guava any more. (jsc#SLE-23217)
• Fix build with newer auto version by adding the auto-value-annotations artifact to the dependencies

• Update cdi-api from version 1.2 to version 2.0.2. (jsc#SLE-23217) * Build with java source and target levels 8 * Remove dependency on glassfish-el

• Update cglib from version 3.2.4 to version 3.3.0. (jsc#SLE-23217) * Remove links between artifacts and their parent since we are not building with maven * Don't inject true in cglib pom, as 3.3.0 already provides that option and it makes the POM xml incorrect.

• Provide checker-qual version 3.22.0. (jsc#SLE-23217) * Checker Qual contains annotations (type qualifiers) that a programmer writes to specify Java code for type-checking by the Checker Framework. * This is a dependency of Guava

• Provide classmate version 1.5.1 (jsc#SLE-23217)

• Provide codemodel version 2.6 (jsc#SLE-23217)

• Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build.
• Build with source and target levels 8 (jsc#SLE-23217)

• Provide concurrentlinkedhashmap-lru version 1.3.2 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build against the standalone JavaEE modules unconditionally. (jsc#SLE-23217)
• Add alias to the new artifact coordinates org.dom4j:dom4j. (jsc#SLE-23217)
• Add jaxb-api dependency for relevant distribution versions so that we can build with JDKs that do not include the JavaEE modules. (jsc#SLE-23217)

• Update ecj from version 4.12 to version 4.18. (jsc#SLE-23217) * the encoding needs to be set for all JDK versions * Upgrade to eclipse 4.18 ecj * Switch java14api to java15api to be compatible to JDK 15 * Switch to JDK 11 for build a JDK 8 is not supported anymore by ecj * Switch java10api to java14api to be compatible to JDK 14

• Update eclipse from version 4.9.0 to version 4.15. (jsc#SLE-23217) * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Add support for riscv64 * Allow building with objectweb-asm 9.x * Do not require Java10 APIs artifact when building with java 11 * Fix unresolved symbols when trying to load libkeystorelinuxnative.so on platforms that have it * Build only on 64-bit architectures, since 32-bit support was dropped upstream * Fix build with gcc 10 * Build against jgit, since jgit-bootstrap does not exist * The dependencies of felix-scr changed. So stop linking xpp3 and kxml and link osgi.cmpn as symlink plugins. * Filter out the *SUNWprivate_1.1* symbols from requires

• Update eclipse-ecffrom version 3.14.1 to version 3.14.8. (jsc#SLE-23217) * Build against jgit, since jgit-bootstrap does not exist * Allow building with objectweb-asm 9.x * Force building with Java 11, since tycho is not knowing about any Java >= 15

• Update eclipse-egit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217) * Needed because of change of eclipse-jgit to 5.11.0 * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Build only on 64-bit architectures, since 32-bit support was dropped upstream

• Update eclipse-emf from version 2.15.0~gitd1e5fdd to version 2.22.0. (jsc#SLE-23217) * Build against jgit, since jgit-bootstrap does not exist * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Build only on 64-bit architectures, since 32-bit support was dropped upstream

• Update eclipse-jgit from version 5.1.3 to version 5.11.0. (jsc#SLE-23217) * Fix build against apache-sshd 2.7.0 * Restore java 8 compatibility when building with java 9+ * Split the build into two spec files instead of multibuild. One produces the maven artifacts, the jgit command-line and the other produces eclipse features.

• Update eclipse-license from version 2.0.1 to version 2.0.2. (jsc#SLE-23217) * Build only on architectures where eclipse is supported * Force building with Java 11, since tycho is not knowing about any Java >= 15 * Update the eclipse-license2 feature to 2.0.0

• Provide eclipse-swt version 4.9.0 for i586 architecture. (jsc#SLE-23217)

• Provide ed25519-java version 0.3.0. (jsc#SLE-23217)

• Provide ee4j veersion 1.0.7

• Update exec-maven-plugin from version 1.6.0 to version 3.0.0. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not build against the log4j12 packages. (jsc#SLE-23217)
• Build with source and target levels 8. (jsc#SLE-23217)

• Provide felix-bundlerepository version 2.0.10. (jsc#SLE-23217)

• Remove forcing of maven.compiler.release, since it is not needed anymore. (jsc#SLE-23217)

• Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle built against felix-bundlerepository. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide felix-osgi-obr version 1.0.2. (jsc#SLE-23217)

• Update felix-scr from version 2.0.14 to version 2.1.16. (jsc#SLE-23217) * Drop dependencies on kxml and xpp, use the system SAX implementation instead * Do not embed dependencies, use import-package instead

• Rewrite the build system to ant so that is it possible to eventually avoid build cycles with maven-plugin-bundle built against felix-bundlerepository. (jsc#SLE-23217)
• Build against OSGi R7 APIs

• Update felix-utils from version 1.10.4 to version 1.11.4. (jsc#SLE-23217) * Migrate away from the old felix-osgi implementation

• Build with source and target levels 8 (jsc#SLE-23217)

• Update freemarker from version 2.3.28 to version 2.3.31. (jsc#SLE-23217) * Fix build with javacc 7.0.11 * Package the manual. Add build dependency on docbook5-xsl-stylesheets * On supported platforms, avoid building with OpenJ9, in order to prevent build cycles

• Set version for the specs comming from tag 1_1_1 in order to avoid unexpanded version macros in pom files.
• On supported platforms, avoid building with OpenJ9, in order to prevent build cycles.

• Provide glassfish-activation version 1.2.0. (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide glassfish-dtd-parser version 1.4 (jsc#SLE-23217)

• Provide glassfish-fastinfoset version 1.2.15. (jsc#SLE-23217)

• Provide glassfish-activation version 2.4.0. (jsc#SLE-23217)

• Provide glassfish-jaxb version 2.3.1. (jsc#SLE-23217)

• Change the tarball location, since the old location does not work anymore

• Build with source and target levels 8 (jsc#SLE-23217)

• Provide glassfish-servlet-api 3.1.0 and solve installation issues. (jsc#SLE-23217)
• There are no source changes.

• Build with target source and target levels 8. (jsc#SLE-23217)
• Specify specMode=javaee to be able to use newer spec-version-maven-plugin.

• Update gmavenplus-plugin from version 1.5 to version 1.13.1. (jsc#SLE-23217) * Relevant fixes: + Using bindAllProjectProperties and bindSessionUserOverrideProperties together can cause an NPE. + Certain AST transformations had classloader issues because 1.12.0 was no longer setting the context classloader. + The classloader project dependencies are loaded onto is reused between modules, so each module was a superset of all modules that preceded it. Also, the console, execute, and shell mojos didn't pass the classloader to use into the instantiated GroovyConsole/GroovyShell, so it accidentally was using the plugin classloader, even when configured to use PROJECT_ONLY classpath. Potentially breaking changes: This should be a non-breaking change (except for unusual situations that were relying on the previous incorrect behavior). However, since it's a significant change, there's a version bump for highlighitng the potential issue. + Disable system exits by default, to avoid potential thread safety issues. * Potentially breaking changes: changes the default of not allowing System.exits to allowing them. * Enhancements: + Add support for targetting Java 10, 11, 13, 14, 15, 17, 18. + Update Ant from 1.10.8 to 1.10.11. + Update Jansi to 2.x. + Change JDK compatibility check to also account for Java 16. + Some tweaks for Groovy 4 (most notably, invokedynamic is enabled by default for Groovy 4 and cannot be disabled). + New parameter (attachGroovyDocAnnotation) to enable attaching GroovyDoc annotation. + New parameter (parallelParsing) to enable parallel parsing (enabled by default with Groovy 4). + Remove previewFeatures parameter from stub generation goals, since it's not used there. + Ability to override classes used to generate GroovyDoc (#91) + Ability to override GStringTemplates used for GroovyDoc (#105) + Ability to bind overridden properties (by binding project properties and/or session user properties) (#72) + Ability to load a script when launching GroovyConsole (#165) + Change default GroovyDoc jar artifact type to javadoc, so its extension gets set to 'jar' by the artifact handler instead of 'groovydoc' by the default handler logic which uses the type for the extension in the case of unknown types (#151). + Add skipBytecodeCheck property and parameter, so if a Java version comes out the plugin doesn't recognize, you can use it without having to wait for an update. + Use groovy.ant.AntBuilder instead of groovy.util.AntBuilder (if available). + Support Java preview features (#125) + New goals to create GroovyDoc jars (#124) + Use the new 'groovy.console.ui.Console' package, if available, fall back to 'groovy.ui.Console' + [36] - Allow script files to be executed as filenames as well as URLs (see Significant changes of note for an example) + [41] - Verify Groovy version supports target bytecode (See Potentially breaking changes for a description) + [46] - Remove scriptExtensions config option + [31/58] - Goals not consistantly named / IntelliJ improperly adding stub directories to sources + [61] - You can now skip Groovydoc generation with new skipGroovyDoc property (Thanks rvenutolo!) + [45] - GROOVY-7423 (JEP 118) Support (requires Groovy 2.5.0-alpha-1 or newer and enabled with new parameters boolean property) * Potentially breaking changes: + 46 will break your build if you are using scriptExtensions. But the fix is simple, just the delete the configuration option and GMavenPlus will automatically do the right thing. + 41 will break your build if you were passing an invalid target bytecode. GMavenPlus will no longer allow Groovy to silently default to 1.4 or 1.5. It will verify that the bytecode is supported by your Groovy version (that is, the option exists in org.codehaus.groovy.control.CompilerConfiguration), and fail if it isn't. + 58 will require renaming goals testGenerateStubs to generateTestStubs and testCompile to compileTests. IntelliJ has hard-coded the goal names in their plugin, and these names will make IntelliJ work with both GMaven and GMavenPlus. + In order to support using the latest Maven plugins (and to make GMavenPlus easier to maintain), GMavenPlus now requires Java 6 or newer and Maven 3.0.1 or newer (previously was Java 5 or newer and Maven 2.2.1 or newer). + testStubsOutputDirectory and stubsOutputDirectory inadvertently got renamed to outputDirectory, which conflicts with the configuration in the compile and compileTests goals. You may need to setup separate executions with separate configurations for each if you need to set that configuration option. + The Jansi upgrade should generally be compatible, but could cause issues with scripts that were using Jansi 1.x specific classes. + If you were using the previewFeatures parameter without also including a compilation goal that would make that config valid, the build will fail because it's no longer a valid parameter. The fix would be to move that configuration to the appropriate execution(s). + GroovyDoc jars and test GroovyDoc jars will now be of type 'javadoc' and have extension 'jar'. Rather than type and extension 'groovydoc'. If you do not wish to transition to this new behavior, set the new artifactType or testArtifactType property to 'groovydoc' to revert to the previous behavior. Notes: while the artifact type of GroovyDoc jars has changed, the Maven classifier has not. It remains 'groovydoc', and you can still override that, just as before. + maven.groovydoc.skip property was renamed to skipGroovydoc so it matches the pattern of the other properties and won't seem to imply it's a property for a standard Maven plugin. + Using groovy.ant.AntBuilder instead of groovy.util.AntBuilder (when available on classpath). + Bundling Ant 1.10.7 instead of 1.10.5. + Bundling Ivy 2.5.0 instead of 2.4.0. + If you were using useSharedClasspath before, you will need to replace it with new values. Please, check the docuemntation for the full details. + Another notable difference is that when using this new configuration parameter in compile, compileTests, generateStubs, or generateTestStubs goals, now also uses the configurator to add the project dependencies to the classpath with the plugin's dependencies. Previously, this only happened in the goals other than the ones mentioned. + corrects an inadvertent breaking change made in 1.6.0 Please, check the documentation the full list of changes. + In addition, unused parameters have been removed: * addSources * -> skipTests * -> testSources * addStubSources * -> skipTests * -> sources * -> testSources * addTestSources * -> outputDirectory * -> skipTests * -> sources * addTestStubSources * -> sources * -> testSources * compile * -> skipTests * -> testSources * compileTests * -> sources * console * -> skipTests * execute * -> skipTests * generateStubs * -> skipTests * -> testSources * generateTestStubs * -> sources * groovydoc * -> skipTests * -> testSources * -> testGroovyDocOutputDirectory * groovydocTests * -> skipTests * -> sources * removeStubs * -> skipTests * -> sources * -> testSources * removeTestStubs * -> sources * -> testSources * shell * -> skipTests + Lastly, addTestStubSources and removeTestStubs now respect the skipTests flag, for consistency. * Notes: + Now officially requires Java 7 instead of 6. This is not a breaking change, however, since this was actually already required because of plexus-classworlds. This just wasn't discovered until an enforcer rule was added to check bytecode versions of dependencies.

• Do not generate test stubs by gmavenplus-plugin, since we are not building or running tests during build. (jsc#SLE-23217)

• Provide google-errorprone-annotations 2.11.0. (jsc#SLE-23217) * This is a new dependency of Guava

• Update google-gson to version 2.8.9. (jsc#SLE-24261) * Make OSGi bundle's dependency on sun.misc optional. * Deprecate Gson.excluder() exposing internal Excluder class. * Prevent Java deserialization of internal classes. * Improve number strategy implementation. * Fix LongSerializationPolicy null handling being inconsistent with Gson. * Support arbitrary Number implementation for Object and Number deserialization. * Bump proguard-maven-plugin from 2.4.0 to 2.5.1. * Fix RuntimeTypeAdapterFactory depending on internal Streams class. * Build with Java >= 9 in order to produce a modular jar by compiling the module-info.java sources with all other classes built with release 8 and still compatible with Java 8

• Avoid using xmvn-resolve and xmvn-install in order to avoid build cycles with new dependencies in dependent packages
• Build only the NO_AOP version of the guice.jar and alias accordingly so that it provides both (jsc#SLE-23217)
• Build with source/target 8 so that the default override from the interface can be used
• Build javadoc with source level 8
• Do not build against the compatibility guava20 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Build with source and target levels 8 (jsc#SLE-23217)

• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Build against the org.jboss.netty:netty artifact, since the compat versions are not existing any more
• Build with source and target levels 8

• Update gradle-bootstrap from version 2.4.16 to version 2.4.21. (jsc#SLE-23217) * Regenerate to account for changes in gradle and groovy packages * Modify the launcher so that gradle-bootstrap can work with Java 17 * Adapt to the change in jline/jansi dependencies of gradle * The org.jboss.netty:netty artifact does not exist any more under compatibility versions * Regenerate to account for maven-resolver upgrade to 1.7.3 and the new added maven-resolver-named-locks artifact * Regenerate to account for aqute-bnd upgrade to 5.1.1 and related changes in other libraries * Regenerate to account for guava upgrade to 30.1.1 * Regenerate to account for groovy upgrade to 2.4.21

• Allow actually build gradle using Java 16+
• Modify the launcher so that gradle can work with Java 17
• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Build against jansi 2.x
• Remove the jansi-native and hawtjni-runtime dependencies, since jansi 2.x does not depend on them
• Fix build with maven-resolver 1.7.x
• Remove from build dependencies some artifacts that are not needed
• Add osgi-compendium to the dependencies, since newer qute-bnd uses it
• Do not build against the legacy guava20 package any more
• Port gradle 4.4.1 to guava 30.1.1
• Set source level to 1.8, since guava 30 uses default functions in interfaces, which is Java 8+ feature

• Solve illegal reflective access with Java 16+
• Do not force building with java <= 15, since we now can run gradle-bootstrap with Java 17 too. (jsc#SLE-23217)
• Add the content of org.gradle.jvmargs to to the forked jvm in root compileJava task
• Fixes build with Java 17
• Port to build against jansi 2.4.0
• Build the whole with java source and target levels 8
• Resolve parameter ambiguities with recent Java versions
• Remove a bogus dependency on old asm3

• Fix build against jansi 2.4.0
• Port to use jline 2.x instead of 1.x
• Do not fork the groovyc and java tasks in the ant build.xml file, so that the ANT_OPTS are propagated to the tasks
• Fix build with jdk17
• Build with source and target levels 8. (jsc#SLE-23217)
• Cast to Collection to help compiler to resolve ambiguities with new JDKs
• Remove dependency on the old asm3

• Build with java source and target levels 8. (jsc#SLE-23217)
• Add bundle manifest to the guava jar so that it might be usable from eclipse

• Update Guava from version 25.0 to version 30.1.1. (jsc#SLE-23217) * CVE-2020-8908: A temp directory creation vulnerability allows an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). (bsc#1179926) * Remove parent reference from ALL distributed pom files

• Build with source/target levels 8
• Fix build with jdk17

• Update hawtjni-maven-pluginfrom version 1.17 to version 1.18. (jsc#SLE-23217) * Build with java source and target levels 8 * Use commons-lang3 instead of the old commons-lang

• Update hawtjni-runtime from version 1.17 to version 1.18. (jsc#SLE-23217) * Build with java source and target levels 8 * Use commons-lang3 instead of the old commons-lang * Use in the path of hawtjni-generator the asm-all.jar that is not modular. This solves some problems with ASM version mismatch.

• Build with source and target levels 8. (jsc#SLE-23217)
• Do not require gmavenplus-plugin, since it is only necessary to generate test stubs, but we do not run tests during build

• Update httpcomponents-client from version 4.5.6 to version 4.5.12. (jsc#SLE-23217) * Build with source/target levels 8

• Update httpcomponents-core from version 4.4.10 to version 4.4.13. (jsc#SLE-23217) * Build with source/target levels 8

• Update icu4j from version 63.1 to version 71.1. (jsc#SLE-23217) * Remove build-dependency on java-javadoc, since it is not necessary with this version. * Updates to CLDR 41 locale data with various additions and corrections. * Adds phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for body text but do not work well for short Japanese text, such as in titles and headings. This new feature is optimized for these use cases. * Adds support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount of English, and can also be referred to as 'Hinglish'. * ICU 71 and CLDR 41 are minor releases, mostly focused on bug fixes and small enhancements. * Updates to the time zone data version 2022a. Note that pre-1970 data for a number of time zones has been removed, as has been the case in the upstream tzdata release since 2021b. * Unicode 13 (ICU-20893, same as in ICU 66) * CLDR 37 + New language at Modern coverage: Nigerian Pidgin + New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese + Unicode 13 root collation data and Chinese data for collation and transliteration * DateTimePatternGenerator now obeys the 'hc' preference in the locale identifier (ICU-20442) * Various other improvements for ECMA-402 conformance * Number skeletons have a new 'concise' form that can be used in MessageFormat strings (ICU-20418) * Currency formatting options for formal and other currency display name variants (ICU-20854) * ListFormatter: new public API to select the style and type * Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272) * LocaleMatcher: New option to ignore one-way matches, and other tweaks to the code and data

• Build with java target and source version 1.8 (jsc#SLE-23217)

• Provide istack-commons version 3.0.7 (jsc#SLE-23217)

• Provide j2objc-annotations version 2.2 (jsc#SLE-23217) * This is a new dependency of Guava

• Provide jackson-modules-base version 2.13.3 (jsc#SLE-23217)

• Update jackson-parent from version 2.10 to version 2.13. (jsc#SLE-23217) * Add 'mvnw' wrapper * 'JsonSubType.Type' should accept array of names * Jackson version alignment with Gradle 6 * Add '@JsonIncludeProperties' * Add '@JsonTypeInfo(use=DEDUCTION)' * Ability to use '@JsonAnyGetter' on fields * Add '@JsonKey' annotation * Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping * Add 'namespace' property for '@JsonProperty' (for XML module) * Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue' (was missing for some reason) * 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null' * Remove `jackson-annotations` baseline dependency, version * Upgrade to oss-parent 43 (jacoco, javadoc plugin versions) * Remove managed junit version (due to [jackson-bom#43]), promoted higher up on parent pom stack (to 'jackson-base') * JDK baseline now JDK 8

• Remove all dependencies on asm3
• Build with java source and target levels 1.8 (jsc#SLE-23217)
• Do not hardcode source and target levels, so that they can be overriden on command-line
• Set classpath correctly so that the project builds with standalone JavaEE modules too

• Provide jakarta-activation version 2.1.0. (jsc#SLE-23217) * Required by bouncycastle-jmail.

• Distribute commons-discovery as maven artifact
• Build with source and target levels 8
• Added build support for Enterprise Linux.