Container summary for ses/7.1/ceph/prometheus-node-exporter

SUSE-CU-2023:3081-1

This update for libzypp fixes the following issues:

• Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
• Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for yast2-pkg-bindings fixes the following issues:
libzypp was updated to version 17.31.14 (22):

• Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.
• build: honor libproxy.pc's includedir (bsc#1212222)

• targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
• targetos: Update help and man page (bsc#1211261)

• Added a new option for rebuilding the RPM database (--rebuilddb) (bsc#1209565)
• Selected products are not installed after resetting the package manager internally (bsc#1202234)

• Rebuild the RPM database during upgrade (--rebuilddb) (bsc#1209565)

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for gpgme fixes the following issues:
gpgme:

• Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

• Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

• Update further expiring certificates that affect tests [bsc#1201627]

This update for shadow fixes the following issues:

• Prevent lock files from remaining after power interruptions (bsc#1213189)
• Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

This update for libzypp, zypper fixes the following issues:

• Fix occasional isue with downloading very small files (bsc#1213673)
• Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
• Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
• Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
• Revised explanation of --force-resolution in man page (bsc#1213557)
• Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

• Fixed parsing files correctly which have space characters AND none space characters as delimiters (bsc#1198165).

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

SUSE-CU-2023:1846-1

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for golang-github-prometheus-alertmanager and golang-github-prometheus-node_exporter fixes the following issues:
golang-github-prometheus-alertmanager:

• Security issues fixed: * CVE-2022-46146: Fix authentication bypass via cache poisoning (bsc#1208051)

• Security issues fixed in this version update to version 1.5.0 (jsc#PED-3578): * CVE-2022-27191: Update go/x/crypto (bsc#1197284) * CVE-2022-27664: Update go/x/net (bsc#1203185) * CVE-2022-46146: Update exporter-toolkit (bsc#1208064)
• Other non-security bug fixes and changes in this version update to 1.5.0 (jsc#PED-3578): * NOTE: This changes the Go runtime 'GOMAXPROCS' to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads. * [BUGFIX] Fix hwmon label sanitizer * [BUGFIX] Use native endianness when encoding InetDiagMsg * [BUGFIX] Fix btrfs device stats always being zero * [BUGFIX] Fix diskstats exclude flags * [BUGFIX] [node-mixin] Fix fsSpaceAvailableCriticalThreshold and fsSpaceAvailableWarning * [BUGFIX] Fix concurrency issue in ethtool collector * [BUGFIX] Fix concurrency issue in netdev collector * [BUGFIX] Fix diskstat reads and write metrics for disks with different sector sizes * [BUGFIX] Fix iostat on macos broken by deprecation warning * [BUGFIX] Fix NodeFileDescriptorLimit alerts * [BUGFIX] Sanitize rapl zone names * [BUGFIX] Add file descriptor close safely in test * [BUGFIX] Fix race condition in os_release.go * [BUGFIX] Skip ZFS IO metrics if their paths are missing * [BUGFIX] Handle nil CPU thermal power status on M1 * [BUGFIX] bsd: Ignore filesystems flagged as MNT_IGNORE * [BUGFIX] Sanitize UTF-8 in dmi collector * [CHANGE] Merge metrics descriptions in textfile collector * [FEATURE] Add multiple listeners and systemd socket listener activation * [FEATURE] [node-mixin] Add darwin dashboard to mixin * [FEATURE] Add 'isolated' metric on cpu collector on linux * [FEATURE] Add cgroup summary collector * [FEATURE] Add selinux collector * [FEATURE] Add slab info collector * [FEATURE] Add sysctl collector * [FEATURE] Also track the CPU Spin time for OpenBSD systems * [FEATURE] Add support for MacOS version * [ENHANCEMENT] Add RTNL version of netclass collector * [ENHANCEMENT] [node-mixin] Add missing selectors * [ENHANCEMENT] [node-mixin] Change current datasource to grafana's default * [ENHANCEMENT] [node-mixin] Change disk graph to disk table * [ENHANCEMENT] [node-mixin] Change io time units to %util * [ENHANCEMENT] Ad user_wired_bytes and laundry_bytes on *bsd * [ENHANCEMENT] Add additional vm_stat memory metrics for darwin * [ENHANCEMENT] Add device filter flags to arp collector * [ENHANCEMENT] Add diskstats include and exclude device flags * [ENHANCEMENT] Add node_softirqs_total metric * [ENHANCEMENT] Add rapl zone name label option * [ENHANCEMENT] Add slabinfo collector * [ENHANCEMENT] Allow user to select port on NTP server to query * [ENHANCEMENT] collector/diskstats: Add labels and metrics from udev * [ENHANCEMENT] Enable builds against older macOS SDK * [ENHANCEMENT] qdisk-linux: Add exclude and include flags for interface name * [ENHANCEMENT] systemd: Expose systemd minor version * [ENHANCEMENT] Use netlink for tcpstat collector * [ENHANCEMENT] Use netlink to get netdev stats * [ENHANCEMENT] Add additional perf counters for stalled frontend/backend cycles * [ENHANCEMENT] Add btrfs device error stats
• Change build requirement to go1.18 or higher (previously this was fixed to version 1.14)

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).

This update for libzypp, zypper fixes the following issues:

• Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
• multicurl: propagate ssl settings stored in repo url (bsc#1127591)
• MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Teach MediaNetwork to retry on HTTP2 errors.
• Fix selecting installed patterns from picklist (bsc#1209406)
• man: better explanation of --priority

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for util-linux fixes the following issues:

• Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

SUSE-CU-2023:1464-1

This update for rpm fixes the following issues:

• Fix missing python(abi) for 3.XX versions (bsc#1207294)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv:

• Do not autouninstall SUSE PTF packages
• Ensure 'duplinvolvedmap_all' is reset when a solver is reused
• Fix 'keep installed' jobs not disabling 'best update' rules
• New '-P' and '-W' options for `testsolv`
• New introspection interface for weak dependencies similar to ruleinfos
• Ensure special case file dependencies are written correctly in the testcase writer
• Support better info about alternatives
• Support decision reason queries
• Support merging of related decisions
• Support stringification of multiple solvables
• Support stringification of ruleinfo, decisioninfo and decision reasons

• Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
• Avoid redirecting 'history.logfile=/dev/null' into the target
• Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
• Enhance yaml-cpp detection
• Improve download of optional files
• MultiCurl: Make sure to reset the progress function when falling back.
• Properly reset range requests (bsc#1204548)
• Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to theit latest version.
• Skip media.1/media download for http repo status calc. This patch allows zypp to skip a extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
• Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
• ProgressData: enforce reporting the INIT||END state (bsc#1206949)
• ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

• Allow to (re)add a service with the same URL (bsc#1203715)
• Bump dependency requirement to libzypp-devel 17.31.7 or greater
• Explain outdatedness of repositories
• patterns: Avoid dispylaing superfluous @System entries (bsc#1205570)
• Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions.
• Update man page and explain '.no_auto_prune' (bsc#1204956)

This update for golang-github-prometheus-node_exporter fixes the following issues:

• Move package for SUSE Linux Enterprise Micro to the correct codestream
• No source changes

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

• Fix avx2 strncmp offset compare condition check (bsc#1208358)
• elf: Allow dlopen of filter object to work (bsc#1207571)
• powerpc: Fix unrecognized instruction errors with recent GCC
• x86: Cache computation for AMD architecture (bsc#1207957)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for elfutils fixes the following issues:

• go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). The following non-security bugs were fixed:

• Added W3C conformance tests to the testsuite (bsc#1204585).
• Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for glib2 fixes the following issues:

• CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
• CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

• Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).

This update for procps fixes the following issue:

• Allow - as leading character to ignore possible errors on systctl entries (bsc#1209122)

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

SUSE-CU-2023:637-1

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

SUSE-CU-2023:508-1

This update for golang-github-prometheus-node_exporter fixes the following issues:
(bsc#1196338, jsc#SLE-24238, jsc#SLE-24239, jsc#SUMA-114, CVE-2022-21698)

This update for buildah fixes the following issues:

• CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
• CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
• CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

• run: add container gid to additional groups

• Add fix for CVE-2022-2990 / bsc#1202812

• Don't try to call runLabelStdioPipes if spec.Linux is not set
• build: support filtering cache by duration using --cache-ttl
• build: support building from commit when using git repo as build context
• build: clean up git repos correctly when using subdirs
• integration tests: quote '?' in shell scripts
• test: manifest inspect should have OCIv1 annotation
• vendor: bump to c/common@87fab4b7019a
• Failure to determine a file or directory should print an error
• refactor: remove unused CommitOptions from generateBuildOutput
• stage_executor: generate output for cases with no commit
• stage_executor, commit: output only if last stage in build
• Use errors.Is() instead of os.Is{Not,}Exist
• Minor test tweak for podman-remote compatibility
• Cirrus: Use the latest imgts container
• imagebuildah: complain about the right Dockerfile
• tests: don't try to wrap `nil` errors
• cmd/buildah.commitCmd: don't shadow 'err'
• cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
• Fix a copy/paste error message
• Fix a typo in an error message
• build,cache: support pulling/pushing cache layers to/from remote sources
• Update vendor of containers/(common, storage, image)
• Rename chroot/run.go to chroot/run_linux.go
• Don't bother telling codespell to skip files that don't exist
• Set user namespace defaults correctly for the library
• imagebuildah: optimize cache hits for COPY and ADD instructions
• Cirrus: Update VM images w/ updated bats
• docs, run: show SELinux label flag for cache and bind mounts
• imagebuildah, build: remove undefined concurrent writes
• bump github.com/opencontainers/runtime-tools
• Add FreeBSD support for 'buildah info'
• Vendor in latest containers/(storage, common, image)
• Add freebsd cross build targets
• Make the jail package build on 32bit platforms
• Cirrus: Ensure the build-push VM image is labeled
• GHA: Fix dynamic script filename
• Vendor in containers/(common, storage, image)
• Run codespell
• Remove import of github.com/pkg/errors
• Avoid using cgo in pkg/jail
• Rename footypes to fooTypes for naming consistency
• Move cleanupTempVolumes and cleanupRunMounts to run_common.go
• Make the various run mounts work for FreeBSD
• Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
• Move runSetupRunMounts to run_common.go
• Move cleanableDestinationListFromMounts to run_common.go
• Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
• Move setupMounts and runSetupBuiltinVolumes to run_common.go
• Tidy up - runMakeStdioPipe can't be shared with linux
• Move runAcceptTerminal to run_common.go
• Move stdio copying utilities to run_common.go
• Move runUsingRuntime and runCollectOutput to run_common.go
• Move fileCloser, waitForSync and contains to run_common.go
• Move checkAndOverrideIsolationOptions to run_common.go
• Move DefaultNamespaceOptions to run_common.go
• Move getNetworkInterface to run_common.go
• Move configureEnvironment to run_common.go
• Don't crash in configureUIDGID if Process.Capabilities is nil
• Move configureUIDGID to run_common.go
• Move runLookupPath to run_common.go
• Move setupTerminal to run_common.go
• Move etc file generation utilities to run_common.go
• Add run support for FreeBSD
• Add a simple FreeBSD jail library
• Add FreeBSD support to pkg/chrootuser
• Sync call signature for RunUsingChroot with chroot/run.go
• test: verify feature to resolve basename with args
• vendor: bump openshift/imagebuilder to master@4151e43
• GHA: Remove required reserved-name use
• buildah: set XDG_RUNTIME_DIR before setting default runroot
• imagebuildah: honor build output even if build container is not commited
• chroot: honor DefaultErrnoRet
• [CI:DOCS] improve pull-policy documentation
• tests: retrofit test since --file does not supports dir
• Switch to golang native error wrapping
• BuildDockerfiles: error out if path to containerfile is a directory
• define.downloadToDirectory: fail early if bad HTTP response
• GHA: Allow re-use of Cirrus-Cron fail-mail workflow
• add: fail on bad http response instead of writing to container
• [CI:DOCS] Update buildahimage comment
• lint: inspectable is never nil
• vendor: c/common to common@7e1563b
• build: support OCI hooks for ephemeral build containers
• [CI:BUILD] Install latest buildah instead of compiling
• Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
• Make sure cpp is installed in buildah images
• demo: use unshare for rootless invocations
• buildah.spec.rpkg: initial addition
• build: fix test for subid 4
• build, userns: add support for --userns=auto
• Fix building upstream buildah image
• Remove redundant buildahimages-are-sane validation
• Docs: Update multi-arch buildah images readme
• Cirrus: Migrate multiarch build off github actions
• retrofit-tests: we skip unused stages so use stages
• stage_executor: dont rely on stage while looking for additional-context
• buildkit, multistage: skip computing unwanted stages
• More test cleanup
• copier: work around freebsd bug for 'mkdir /'
• Replace $BUILDAH_BINARY with buildah() function
• Fix up buildah images
• Make util and copier build on FreeBSD
• Vendor in latest github.com/sirupsen/logrus
• Makefile: allow building without .git
• run_unix: don't return an error from getNetworkInterface
• run_unix: return a valid DefaultNamespaceOptions
• Update vendor of containers/storage
• chroot: use ActKillThread instead of ActKill
• use resolvconf package from c/common/libnetwork
• update c/common to latest main
• copier: add `NoOverwriteNonDirDir` option
• Sort buildoptions and move cli/build functions to internal
• Fix TODO: de-spaghettify run mounts
• Move options parsing out of build.go and into pkg/cli
• [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
• build, multiarch: support splitting build logs for --platform
• [CI:BUILD] WIP Cleanup Image Dockerfiles
• cli remove stutter
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• Fix use generic/ambiguous DEBUG name
• Cirrus: use Ubuntu 22.04 LTS
• Fix codespell errors
• Remove util.StringInSlice because it is defined in containers/common
• buildah: add support for renaming a device in rootless setups
• squash: never use build cache when computing last step of last stage
• Update vendor of containers/(common, storage, image)
• buildkit: supports additionalBuildContext in builds via --build-context
• buildah source pull/push: show progress bar
• run: allow resuing secret twice in different RUN steps
• test helpers: default to being rootless-aware
• Add --cpp-flag flag to buildah build
• build: accept branch and subdirectory when context is git repo
• Vendor in latest containers/common
• vendor: update c/storage and c/image
• Fix gentoo install docs
• copier: move NSS load to new process
• Add test for prevention of reusing encrypted layers
• Make `buildah build --label foo` create an empty 'foo' label again

• build, multiarch: support splitting build logs for --platform
• copier: add `NoOverwriteNonDirDir` option
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• buildkit: supports additionalBuildContext in builds via --build-context
• Add --cpp-flag flag to buildah build

• define.downloadToDirectory: fail early if bad HTTP response
• add: fail on bad http response instead of writing to container
• squash: never use build cache when computing last step of last stage
• run: allow resuing secret twice in different RUN steps
• integration tests: update expected error messages
• integration tests: quote '?' in shell scripts
• Use errors.Is() to check for storage errors
• lint: inspectable is never nil
• chroot: use ActKillThread instead of ActKill
• chroot: honor DefaultErrnoRet
• Set user namespace defaults correctly for the library
• contrib/rpm/buildah.spec: fix `rpm` parser warnings

• Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

• buildah: add support for renaming a device in rootless setups

• Make `buildah build --label foo` create an empty 'foo' label again
• imagebuildah,build: move deepcopy of args before we spawn goroutine
• Vendor in containers/storage v1.40.2
• buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
• help output: get more consistent about option usage text
• Handle OS version and features flags
• buildah build: --annotation and --label should remove values
• buildah build: add a --env
• buildah: deep copy options.Args before performing concurrent build/stage
• test: inline platform and builtinargs behaviour
• vendor: bump imagebuilder to master/009dbc6
• build: automatically set correct TARGETPLATFORM where expected
• Vendor in containers/(common, storage, image)
• imagebuildah, executor: process arg variables while populating baseMap
• buildkit: add support for custom build output with --output
• Cirrus: Update CI VMs to F36
• fix staticcheck linter warning for deprecated function
• Fix docs build on FreeBSD
• copier.unwrapError(): update for Go 1.16
• copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
• copier.Put(): write to read-only directories
• Ed's periodic test cleanup
• using consistent lowercase 'invalid' word in returned err msg
• use etchosts package from c/common
• run: set actual hostname in /etc/hostname to match docker parity
• Update vendor of containers/(common,storage,image)
• manifest-create: allow creating manifest list from local image
• Update vendor of storage,common,image
• Initialize network backend before first pull
• oci spec: change special mount points for namespaces
• tests/helpers.bash: assert handle corner cases correctly
• buildah: actually use containers.conf settings
• integration tests: learn to start a dummy registry
• Fix error check to work on Podman
• buildah build should accept at most one arg
• tests: reduce concurrency for flaky bud-multiple-platform-no-run
• vendor in latest containers/common,image,storage
• manifest-add: allow override arch,variant while adding image
• Remove a stray `\` from .containerenv
• Vendor in latest opencontainers/selinux v1.10.1
• build, commit: allow removing default identity labels
• Create shorter names for containers based on image IDs
• test: skip rootless on cgroupv2 in root env
• fix hang when oci runtime fails
• Set permissions for GitHub actions
• copier test: use correct UID/GID in test archives
• run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

This update for permissions fixes the following issues:

• Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137)
• Fix regression introduced by backport of security fix (bsc#1203911)

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

This update for openssl-1_1 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
• Fix memory leaks (bsc#1203046)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for protobuf fixes the following issues:

• CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
• CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
• CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• Fix file conflict during upgrade (bsc#1204211)
• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2 * 8a70235d8a core: Add trigger limit for path units * 93e544f3a0 core/mount: also add default before dependency for automount mount units * 5916a7748c logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179).

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for rpm fixes the following issues:

• Strip critical bit in signature subpackage parsing
• No longer deadlock DNF after pubkey import (bsc#1202750)

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).
• Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

This update for util-linux fixes the following issues:

• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).
• Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt does not exist.
• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

This update for permissions fixes the following issues:
Update to version 20181225:

• Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

This update for procps fixes the following issues:

• Improve memory handling/usage (bsc#1206412)
• Make sure that correct library version is installed (bsc#1206412)

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
• FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

SUSE-CU-2022:2704-1

SUSE-CU-2022:2703-1

SUSE-CU-2022:2665-1

This update for golang-github-prometheus-node_exporter fixes the following issues:

• Exclude s390 arch.
• Update spec file in order to make --version work (bsc#1196652)

This update for rpm fixes the following issues:

• Support Ed25519 RPM signatures [jsc#SLE-24714]

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2093-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issue:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
• When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one.
• Don't open /var journals in volatile mode when runtime_journal==NULL
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: ignore failures for auxiliary files
• install: make UnitFileChangeType enum anonymous
• shared/install: reduce scope of iterator variables
• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
• Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
• Drop or soften some of the deprecation warnings (bsc#1193086)

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

This update for openldap2 fixes the following issues:

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for systemd fixes the following issues:

• tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
• journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
• tmpfiles: constify item_compatible() parameters
• test tmpfiles: add a test for 'w+'
• test: add test checking tmpfiles conf file precedence
• journald: make use of CLAMP() in cache_space_refresh()
• journal-file: port journal_file_open() to openat_report_new()
• fs-util: make sure openat_report_new() initializes return param also on shortcut
• fs-util: fix typos in comments
• fs-util: add openat_report_new() wrapper around openat()

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This security update for golang-github-prometheus-node_exporter provides:
Update golang-github-prometheus-node_exporter from version 1.1.2 to version 1.3.0 (bsc#1196338, jsc#SLE-24238, jsc#SLE-24239)

• CVE-2022-21698: Denial of service using InstrumentHandlerCounter
• Update vendor tarball with prometheus/client_golang 1.11.1
• Update to 1.3.0 * [CHANGE] Add path label to rapl collector #2146 * [CHANGE] Exclude filesystems under /run/credentials #2157 * [CHANGE] Add TCPTimeouts to netstat default filter #2189 * [FEATURE] Add lnstat collector for metrics from /proc/net/stat/ #1771 * [FEATURE] Add darwin powersupply collector #1777 * [FEATURE] Add support for monitoring GPUs on Linux #1998 * [FEATURE] Add Darwin thermal collector #2032 * [FEATURE] Add os release collector #2094 * [FEATURE] Add netdev.address-info collector #2105 * [FEATURE] Add clocksource metrics to time collector #2197 * [ENHANCEMENT] Support glob textfile collector directories #1985 * [ENHANCEMENT] ethtool: Expose node_ethtool_info metric #2080 * [ENHANCEMENT] Use include/exclude flags for ethtool filtering #2165 * [ENHANCEMENT] Add flag to disable guest CPU metrics #2123 * [ENHANCEMENT] Add DMI collector #2131 * [ENHANCEMENT] Add threads metrics to processes collector #2164 * [ENHANCMMENT] Reduce timer GC delays in the Linux filesystem collector #2169 * [ENHANCMMENT] Add TCPTimeouts to netstat default filter #2189 * [ENHANCMMENT] Use SysctlTimeval for boottime collector on BSD #2208 * [BUGFIX] ethtool: Sanitize metric names #2093 * [BUGFIX] Fix ethtool collector for multiple interfaces #2126 * [BUGFIX] Fix possible panic on macOS #2133 * [BUGFIX] Collect flag_info and bug_info only for one core #2156 * [BUGFIX] Prevent duplicate ethtool metric names #2187
• Update to 1.2.2 * Bug fixes Fix processes collector long int parsing #2112
• Update to 1.2.1 * Removed Remove obsolete capture permission denied error fix already included upstream * Bug fixes Fix zoneinfo parsing prometheus/procfs#386 Fix nvme collector log noise #2091 Fix rapl collector log noise #2092
• Update to 1.2.0 * Changes Rename filesystem collector flags to match other collectors #2012 Make node_exporter print usage to STDOUT #203 * Features Add conntrack statistics metrics #1155 Add ethtool stats collector #1832 Add flag to ignore network speed if it is unknown #1989 Add tapestats collector for Linux #2044 Add nvme collector #2062 * Enhancements Add ErrorLog plumbing to promhttp #1887 Add more Infiniband counters #2019 netclass: retrieve interface names and filter before parsing #2033 Add time zone offset metric #2060 * Bug fixes Handle errors from disabled PSI subsystem #1983 Fix panic when using backwards compatible flags #2000 Fix wrong value for OpenBSD memory buffer cache #2015 Only initiate collectors once #2048 Handle small backwards jumps in CPU idle #2067
• Capture permission denied error for 'energy_uj' file (bsc#1190535)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

This update for curl fixes the following issues:

• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• Call pam_loginuid when creating user@.service (bsc#1198507)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit
• Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'
• basic/env-util: (mostly) follow POSIX for what variable names are allowed
• basic/env-util: make function shorter
• basic/escape: add mode where empty arguments are still shown as ''
• basic/escape: always escape newlines in shell_escape()
• basic/escape: escape control characters, but not utf-8, in shell quoting
• basic/escape: use consistent location for '*' in function declarations
• basic/string-util: inline iterator variable declarations
• basic/string-util: simplify how str_realloc() is used
• basic/string-util: split out helper function
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition
• string-util: explicitly cast character to unsigned
• string-util: fix build error on aarch64
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers

This update for glibc fixes the following issues:

• Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
• i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
• Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

This update for dwarves and elfutils fixes the following issues:
elfutils was updated to version 0.177 (jsc#SLE-24501):

• elfclassify: New tool to analyze ELF objects.
• readelf: Print DW_AT_data_member_location as decimal offset. Decode DW_AT_discr_list block attributes.
• libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias.
• libdwelf: Add dwelf_elf_e_machine_string. dwelf_elf_begin now only returns NULL when there is an error reading or decompressing a file. If the file is not an ELF file an ELF handle of type ELF_K_NONE is returned.
• backends: Add support for C-SKY.

• build: Add new --enable-install-elfh option. Do NOT use this for system installs (it overrides glibc elf.h).
• backends: riscv improved core file and return value location support.
• Fixes: - CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007)

• libdw: Added new DWARF5 attribute, tag, character encoding, language code, calling convention, defaulted member function and macro constants to dwarf.h.

• backends: Add support for EM_PPC64 GNU_ATTRIBUTES. Frame pointer unwinding fallback support for i386, x86_64, aarch64.
• translations: Update Polish translation. - CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088) - CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084) - CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085) - CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090) - CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089)
• Don't make elfutils recommend elfutils-lang as elfutils-lang already supplements elfutils.

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for systemd fixes the following issues:

• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• tmpfiles: check for the correct directory

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

SUSE-CU-2022:336-1

This update for e2fsprogs fixes the following issues:
Security issues fixed:

• CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
• CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

• bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
• bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
• bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for openldap2 provides the following fix:

• Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

This update for libxml2 fixes the following security issues:

• CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
• CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
• CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

This update for aaa_base provides the following fixes:

• Let bash.bashrc work even for (m)ksh. (bsc#1104531)
• Fix an error at login if java system directory is empty. (bsc#1102310)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool - Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for aaa_base fixes the following issues:

• Restore old position of ssh/sudo source of profile (bsc#1118364).
• Update logic for JRE_HOME env variable (bsc#1128246)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for e2fsprogs fixes the following issues:

• Check and fix tails of all bitmap blocks (bsc#1128383)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
• CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
• CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
• CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
• CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
• CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
• CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
• CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
• CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for libssh fixes the following issue:
Issue addressed:

• Added support for new AES-GCM encryption types (bsc#1134193).

This update for libgcrypt fixes the following issues:

• Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

This update for libgcrypt fixes the following issues:
Security issue fixed:

• CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

This update for libxml2 fixes the following issues:

• Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for libgcrypt fixes the following issues:

• Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

This update for zlib fixes the following issues:

• Update the s390 patchset. (bsc#1137624)
• Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
• Use FAT LTO objects in order to provide proper static library.
• Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
• Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

This update for aaa_base fixes the following issues:

• Make systemd detection cgroup oblivious. (bsc#1140647)

This update for pinentry fixes the following issues:

• Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

This update for openldap2 fixes the following issues:
Security issue fixed:

• CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
• CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
• CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

• Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
• Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
• Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):

• net.ipv4.conf.all.accept_redirects
• net.ipv4.conf.default.accept_redirects
• net.ipv4.conf.default.accept_source_route
• net.ipv6.conf.all.accept_redirects
• net.ipv6.conf.default.accept_redirects

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for e2fsprogs fixes the following issues:
Security issue fixed:

• CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

• libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)

This update for procps fixes the following issues:
procps was updated to 3.3.15. (bsc#1092100)
Following security issues were fixed:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

• library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures
• library: Just check for SIGLOST and don't delete it
• library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
• library: Use size_t for alloc functions CVE-2018-1126
• library: Increase comm size to 64
• pgrep: Fix stack-based buffer overflow CVE-2018-1125
• pgrep: Remove >15 warning as comm can be longer
• ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
• ps: Increase command name selection field to 64
• top: Don't use cwd for location of config CVE-2018-1122
• update translations
• library: build on non-glibc systems
• free: fix scaling on 32-bit systems
• Revert 'Support running with child namespaces'
• library: Increment to 7:0:1 No changes, no removals New fuctions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
• doc: Document I idle state in ps.1 and top.1
• free: fix some of the SI multiples
• kill: -l space between name parses correctly
• library: dont use vm_min_free on non Linux
• library: don't strip off wchan prefixes (ps & top)
• pgrep: warn about 15+ char name only if -f not used
• pgrep/pkill: only match in same namespace by default
• pidof: specify separator between pids
• pkill: Return 0 only if we can kill process
• pmap: fix duplicate output line under '-x' option
• ps: avoid eip/esp address truncations
• ps: recognizes SCHED_DEADLINE as valid CPU scheduler
• ps: display NUMA node under which a thread ran
• ps: Add seconds display for cputime and time
• ps: Add LUID field
• sysctl: Permit empty string for value
• sysctl: Don't segv when file not available
• sysctl: Read and write large buffers
• top: add config file support for XDG specification
• top: eliminated minor libnuma memory leak
• top: show fewer memory decimal places (configurable)
• top: provide command line switch for memory scaling
• top: provide command line switch for CPU States
• top: provides more accurate cpu usage at startup
• top: display NUMA node under which a thread ran
• top: fix argument parsing quirk resulting in SEGV
• top: delay interval accepts non-locale radix point
• top: address a wishlist man page NLS suggestion
• top: fix potential distortion in 'Mem' graph display
• top: provide proper multi-byte string handling
• top: startup defaults are fully customizable
• watch: define HOST_NAME_MAX where not defined
• vmstat: Fix alignment for disk partition format
• watch: Support ANSI 39,49 reset sequences

This update for aaa_base provides the following fixes:

• Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
• Add s390x compressed kernel support. (bsc#1151023)
• service: Check if there is a second argument before using it. (bsc#1051143)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update for cpio fixes the following issues:

• CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past.

This update for e2fsprogs fixes the following issues:

• Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
• Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

This update for libgcrypt fixes the following issues:
Security issues fixed:

• CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

• Added CMAC AES self test (bsc#1155339).
• Added CMAC TDES self test missing (bsc#1155338).
• Fix test dsa-rfc6979 in FIPS mode.

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update for procps fixes the following issues:

• Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

This update for aaa_base fixes the following issues:

• Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
• Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

This update for openldap2 provides the following fix:

• Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

This update for libgcrypt fixes the following issues:

• ECDSA: Check range of coordinates (bsc#1161216)
• FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
• FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
• FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
• FIPS: keywrap gives incorrect results [bsc#1161218]
• FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

This update for aaa_base fixes the following issues:

• Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for libgcrypt fixes the following issues:

• FIPS: Run the self-tests from the constructor [bsc#1164950]

This update for aaa_base fixes the following issues:

• get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
• added '-h'/'--help' to the command old
• change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for libgcrypt fixes the following issues:

• FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
• FIPS: Fix drbg to be threadsafe (bsc#1167674)
• FIPS: Run self-tests from constructor during power-on [bsc#1166748]

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for e2fsprogs fixes the following issues:

• e2fsck: clarify overflow link count error message (bsc#1160979)
• ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
• ext2fs: implement dir entry creation in htree directories (bsc#1160979)
• tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
• tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

This update for libssh fixes the following issues:

• CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

This update for libgcrypt fixes the following issues:
This update for libgcrypt fixes the following issues:

• FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
• FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
• Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
• Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

This update for libgcrypt fixes the following issues:

• FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

This update for openldap2 fixes the following issues:

• CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2019-19956: Fixed a memory leak (bsc#1159928).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for libgcrypt fixes the following issues:

• FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

This update for zlib fixes the following issues:

• Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
• Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

This update for aaa_base fixes the following issues:

• Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
• Better support of Midnight Commander. (bsc#1170527)

This update for libxml2 fixes the following issues:

• CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).
• CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026).

This update for zstd fixes the following issues:

• Fix for build error caused by wrong static libraries. (bsc#1133297)
• Correction in spec file marking the license as documentation. (bsc#1082318)
• Add new package for SLE-15. (jsc#ECO-1886)

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

This update for libsolv, libzypp, zypper fixes the following issues:
libsolv was updated to:

• Enable zstd compression support for sle15

• Print switch abbrev warning to stderr (bsc#1172925)
• Fix typo in man page (bsc#1169947)

• Fix core dump with corrupted history file (bsc#1170801)
• Enable zchunk metadata download if libsolv supports it.
• Better handling of the purge-kernels algorithm. (bsc#1173106)

This update for cracklib fixes the following issues:

• Fixed a buffer overflow when processing long words.

This update for golang-github-prometheus-node_exporter fixes the following issues:

• Update from version 0.17.0 to version 0.18.1 (jsc#ECO-2110)

This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues:
libsolv:

• No source changes, just shipping it as an installer update (required by yast2-pkg-bindings).

• Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011)
• ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

• Handle variable expansion in repository name. (bsc#1172477)
• Improve medium type detection, do not report Online medium when the /media.1/products file is missing in the repository, SMT does not mirror this file. (bsc#1173336)

• Extensions to handle raw repository name. (bsc#1172477)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for e2fsprogs fixes the following issues:

• Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for curl fixes the following issues:

• An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

This update for openldap2 fixes the following issues:

• bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125.

This update for libxml2 fixes the following issues:

• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for openldap2 fixes the following issues:

• CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

This update for libzypp, zypper provides the following fixes:
Changes in libzypp:

• VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
• Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
• Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
• Make sure reading from lsof does not block forever. (bsc#1174240)
• Just collect details for the signatures found.

• man: Enhance description of the global package cache. (bsc#1175592)
• man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273)
• Directly list subcommands in 'zypper help'. (bsc#1165424)
• Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
• Point out that plaindir repos do not follow symlinks. (bsc#1174561)
• Fix help command for list-patches.

This update for golang-github-prometheus-node_exporter fixes the following issues:

• Add missing sysconfig file in rpm bsc#1151557

• Changes from 1.0.1 * Changes to build specification + Modify spec: update golang version to 1.14 + Remove update tarball script + Add _service file to allow for updates via `osc service disabledrun` * Bug fixes + [BUGFIX] filesystem_freebsd: Fix label values #1728 + [BUGFIX] Update prometheus/procfs to fix log noise #1735 + [BUGFIX] Fix build tags for collectors #1745 + [BUGFIX] Handle no data from powersupplyclass #1747, #1749

• Changes from 1.0.0 * Bug fixes + [BUGFIX] Read /proc/net files with a single read syscall #1380 + [BUGFIX] Renamed label state to name on node_systemd_service_restart_total. #1393 + [BUGFIX] Fix netdev nil reference on Darwin #1414 + [BUGFIX] Strip path.rootfs from mountpoint labels #1421 + [BUGFIX] Fix seconds reported by schedstat #1426 + [BUGFIX] Fix empty string in path.rootfs #1464 + [BUGFIX] Fix typo in cpufreq metric names #1510 + [BUGFIX] Read /proc/stat in one syscall #1538 + [BUGFIX] Fix OpenBSD cache memory information #1542 + [BUGFIX] Refactor textfile collector to avoid looping defer #1549 + [BUGFIX] Fix network speed math #1580 + [BUGFIX] collector/systemd: use regexp to extract systemd version #1647 + [BUGFIX] Fix initialization in perf collector when using multiple CPUs #1665 + [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671 * Several enhancements + See https://github.com/prometheus/node_exporter/releases/tag/v1.0.0

• Changes from 1.0.0-rc.0

This update for openssl-1_1 fixes the following issues:
FIPS:

• Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1175844, bsc#1173470).
• Add shared secret KAT to FIPS DH selftest (bsc#1175844).

This update for aaa_base fixes the following issues:

• DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS
• check for Packages.db and use this instead of Packages. (bsc#1171762)
• Rename path() to _path() to avoid using a general name.
• refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
• etc/profile add some missing ;; in case esac statements
• profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
• backup-rpmdb: exit if zypper is running (bsc#1161239)
• Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

This update for openssl-1_1 fixes the following issues:

• Restore private key check in EC_KEY_check_key (bsc#1177479)

This update for bind fixes the following issues:
BIND was upgraded to version 9.16.6:
Note:

• bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC.

• CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain.
• CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740)
• CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051).
• CVE-2018-5741: Fixed the documentation (bsc#1109160).
• CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958).
• CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958).
• CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443).
• CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443).
• CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443).
• CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443).
• CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443).

• Add engine support to OpenSSL EdDSA implementation.
• Add engine support to OpenSSL ECDSA implementation.
• Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
• Warn about AXFR streams with inconsistent message IDs.
• Make ISC rwlock implementation the default again.
• Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
• Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
• Fixed an issue where bind was not working in FIPS mode (bsc#906079).
• Fixed dependency issues (bsc#1118367 and bsc#1118368).
• GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
• Fixed an issue with FIPS (bsc#1128220).
• The liblwres library is discontinued upstream and is no longer included.
• Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
• Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
• The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
• Zone timers are now exported via statistics channel.
• The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
• 'rndc dnstap -roll ' did not limit the number of saved files to .
• Add 'rndc dnssec -status' command.
• Addressed a couple of situations where named could crash.
• Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf]
• Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
• Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713)
• /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313]
• Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092).
• Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon.

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for procps fixes the following issues:

• Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included:

• python3-grpcio
• python3-protobuf
• python3-google-api-core
• python3-google-cloud-core
• python3-google-cloud-storage
• python3-google-resumable-media
• python3-googleapis-common-protos
• python3-grpcio-gcp
• python3-mock (updated to version 3.0.5)

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:
libzypp was updated to 17.25.1:

• When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
• Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched.
• RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435)
• VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918)
• Update docs regarding 'opensuse' namepace matching.
• Link against libzstd to close libsolvs open references (as we link statically)

• The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency.

• info: Assume descriptions starting with '

  ' are richtext (bsc#935885)

• help: prevent 'whatis' from writing to stderr (bsc#1176712)
• wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271)

• make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238]
• fix deduceq2addedmap clearing bits outside of the map
• conda: feature depriorization first
• conda: fix startswith implementation
• move find_update_seeds() call in cleandeps calculation
• set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
• new testcase_mangle_repo_names() function
• new solv_fmemopen() function

This update for openldap2 fixes the following issues:

• CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for libusb-1_0 fixes the following issues:

• Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for aaa_base fixes the following issue:

• Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

This update for openssl-1_1 fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for curl fixes the following issues:

• CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
• CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
• CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).