Container summary for suse/manager/4.3/proxy-ssh

SUSE-CU-2024:5290-1

This update for gcc14 fixes the following issues:
This update ships the GNU Compiler Collection GCC 14.2. (jsc#PED-10474)
The compiler runtime libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 13 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP5 and SP6, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc14 compilers use:

• install 'gcc14' or 'gcc14-c++' or one of the other 'gcc14-COMPILER' frontend packages.
• override your Makefile to use CC=gcc14, CXX=g++14 and similar overrides for the other languages.

• Add libquadmath0-devel-gcc14 sub-package to allow installing quadmath.h and SO link without installing the fortran frontend

• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Remove timezone Recommends from the libstdc++6 package. [bsc#1221601]
• Revert libgccjit dependency change. [bsc#1220724]
• Fix libgccjit-devel dependency, a newer shared library is OK.
• Fix libgccjit dependency, the corresponding compiler isn't required.
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Re-enable AutoReqProv for cross packages but filter files processed via __requires_exclude_from and __provides_exclude_from. [bsc#1219031]
• Package m2rte.so plugin in the gcc14-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc14 from gcc14-m2 as m2 programs are linked against libstdc++6.

SUSE-CU-2024:5120-1

SUSE-CU-2024:5067-1

This update for bash fixes the following issues:

• Load completion file eveh if a brace expansion is in the command line included (bsc#1227807).

SUSE-CU-2024:5066-1

SUSE-CU-2024:4961-1

SUSE-CU-2024:4902-1

This update for e2fsprogs fixes the following issue:

• resize2fs: Check number of group descriptors only if meta_bg is disabled (bsc#1230145).

SUSE-CU-2024:4843-1

This update for glibc fixes the following issue:

• fix memory malloc problem: Initiate tcache shutdown even without allocations (bsc#1228661).

SUSE-CU-2024:4705-1

SUSE-CU-2024:4635-1

This update for python3 fixes the following issues:

• CVE-2024-6923: Fixed uncontrolled CPU resource consumption when in http.cookies module (bsc#1228780).
• CVE-2024-5642: Fixed buffer overread when NPN is used and invalid values are sent to the OpenSSL API (bsc#1227233).
• CVE-2024-7592: Fixed Email header injection due to unquoted newlines (bsc#1229596).
• CVE-2024-6232: excessive backtracking when parsing tarfile headers leads to ReDoS. (bsc#1230227)

• %{profileopt} variable is set according to the variable %{do_profiling} (bsc#1227999).
• Stop using %%defattr, it seems to be breaking proper executable attributes on /usr/bin/ scripts (bsc#1227378).
• Remove %suse_update_desktop_file macro as it is not useful any more.

SUSE-CU-2024:4509-1

SUSE-CU-2024:4421-1

This update for ncurses fixes the following issues:

• Allow the terminal description based on static fallback entries to be freed (bsc#1229028)

SUSE-CU-2024:4349-1

SUSE-CU-2024:4298-1

This update for expat fixes the following issues:

• CVE-2024-45492: integer overflow in function nextScaffoldPart. (bsc#1229932)
• CVE-2024-45491: integer overflow in dtdCopy. (bsc#1229931)
• CVE-2024-45490: negative length for XML_ParseBuffer not rejected. (bsc#1229930)

SUSE-CU-2024:4173-1

This update for glibc fixes the following issue:

• s390x: Fix segfault in wcsncmp (bsc#1228043).

SUSE-CU-2024:4109-1

This update for systemd fixes the following issues:

• CVE-2023-7008: Fixed man-in-the-middle due to unsigned name response in signed zone not refused when DNSSEC=yes (bsc#1218297)

• Unit: drop ProtectClock=yes from systemd-udevd.service (bsc#1226414)
• Don't mention any rpm macros inside comments, even if escaped (bsc#1228091)
• Skip redundant dependencies specified the LSB description that references the file name of the service itself for early boot scripts (bsc#1221479).

SUSE-CU-2024:3976-1

SUSE-CU-2024:3811-1

This update for pam fixes the following issue:

• Prevent cursor escape from the login prompt (bsc#1194818).

SUSE-CU-2024:3791-1

This update for openssl-1_1 fixes the following issues:
- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)
Other fixes:

• Build with no-afalgeng (bsc#1226463)

SUSE-CU-2024:3736-1

This update for cloud-regionsrv-client contains the following fixes:

• Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file

• Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016) + In addition to logging, write message to stderr when registration fails + Detect transactional-update system with read only setup and use the transactional-update command to register + Handle operation in a different target root directory for credentials checking

SUSE-CU-2024:3700-1

SUSE-CU-2024:3636-1

SUSE-CU-2024:3566-1

This update for shadow fixes the following issues:

• Fixed not copying of skel files (bsc#1228770)

SUSE-CU-2024:3565-1

SUSE-CU-2024:3414-1

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

This update for patterns-base fixes the following issues:
Added a fips-certified pattern matching the exact certified FIPS versions of the Linux Kernel, openssl 1.1.1, gnutls/nettle, mozilla-nss and libgcrypt.
Note that applying this pattern might cause downgrade of various packages and so deinstall security and bugfix updates released after the certified binaries.

SUSE-CU-2024:3277-1

SUSE-CU-2024:3232-1

SUSE-CU-2024:3190-1

SUSE-CU-2024:3170-1

This update for python3 fixes the following issues:

• CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559).
• CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
• CVE-2024-4032: Rearranging definition of private v global IP. (bsc#1226448)
• CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447)

SUSE-CU-2024:3154-1

SUSE-CU-2024:3153-1

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-CU-2024:2995-1

SUSE-CU-2024:2816-1

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

SUSE-CU-2024:2725-1

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

SUSE-CU-2024:2687-1

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
• Check localtime_r() return value to fix crashing (bsc#1217000)

This update for systemd fixes the following issues:

• resolved: actually check authenticated flag of SOA transaction
• core/mount: Make device deps from /proc/self/mountinfo and .mount unit file exclusive
• core: Add trace logging to mount_add_device_dependencies()
• core/mount: Remove default deps from /proc/self/mountinfo when it is updated (bsc#1217460)
• core/mount: Set Mount.from_proc_self_mountinfo flag before adding default dependencies
• core: wrap some long comment
• utmp-wtmp: Handle EINTR gracefully when waiting to write to tty
• utmp-wtmp: Fix error in case isatty() fails
• homed: Handle EINTR gracefully when waiting for device node
• resolved: Handle EINTR returned from fd_wait_for_event() better
• sd-netlink: Handle EINTR from poll() gracefully, as success
• varlink: Handle EINTR gracefully when waiting for EIO via ppoll()
• stdio-bridge: Don't be bothered with EINTR
• sd-bus: Handle EINTR return from bus_poll() (bsc#1215241)
• core: Replace slice dependencies as they get added (bsc#1214668)

This update for openssl-1_1 fixes the following issues:

• CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

This update for glibc fixes the following issues:
Security issues fixed:

• qsort: harden handling of degenerated / non transient compare function (bsc#1218866)

• getaddrinfo: translate ENOMEM to EAI_MEMORY (bsc#1217589, BZ #31163)
• aarch64: correct CFI in rawmemchr (bsc#1217445, BZ #31113)

This update for audit fixes the following issue:

• Fix plugin termination when using systemd service units (bsc#1215377)

This update for shadow fixes the following issues:

• Fix chage date miscalculation (bsc#1176006)
• Fix passwd segfault when nsswitch.conf defines 'files compat' (bsc#1188307
• Remove pam_keyinit from PAM config files (bsc#1203823)

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for krb5 fixes the following issues:

• CVE-2024-26458: Fixed memory leak at /krb5/src/lib/rpc/pmap_rmt.c (bsc#1220770).
• CVE-2024-26461: Fixed memory leak at /krb5/src/lib/gssapi/krb5/k5sealv3.c (bsc#1220771).

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for glibc fixes the following issues:

• duplocale: protect use of global locale (bsc#1220441, BZ #23970)

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

This update for glibc fixes the following issues:

• iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961, bsc#1222992)

This update for python39 fixes the following issues:

• Build python package for python311 (jsc#PED-5851) and python39 (jsc#PED-7886)

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

This update for e2fsprogs fixes the following issues:
EA Inode handling fixes:

• ext2fs: avoid re-reading inode multiple times (bsc#1223596)
• e2fsck: fix potential out-of-bounds read in inc_ea_inode_refs() (bsc#1223596)
• e2fsck: add more checks for ea inode consistency (bsc#1223596)
• e2fsck: fix golden output of several tests (bsc#1223596)

This update for glibc fixes the following issues:

• CVE-2024-33599: Fixed a stack-based buffer overflow in netgroup cache in nscd (bsc#1223423)
• CVE-2024-33600: Avoid null pointer crashes after notfound response in nscd (bsc#1223424)
• CVE-2024-33600: Do not send missing not-found response in addgetnetgrentX in nscd (bsc#1223424)
• CVE-2024-33601, CVE-2024-33602: Fixed use of two buffers in addgetnetgrentX ( bsc#1223425)
• CVE-2024-33602: Use time_t for return type of addgetnetgrentX (bsc#1223425)

• Avoid creating userspace live patching prologue for _start routine (bsc#1221940)

This update for openssl-1_1 fixes the following issues:

• CVE-2024-2511: Fixed unconstrained session cache growth in TLSv1.3 (bsc#1222548).

SUSE-CU-2024:1924-1

SUSE-CU-2024:1901-1

SUSE-CU-2024:1682-1

This update for openssh fixes the following issues:

• Fix hostbased ssh login failing occasionally with 'signature unverified: incorrect signature' by fixing a typo in patch (bsc#1221123)
• Avoid closing IBM Z crypto devices nodes. (bsc#1218871)
• Allow usage of IBM Z crypto adapter cards in seccomp filters (bsc#1216474)

• Change the default value of UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).

SUSE-CU-2024:1478-1

This update for python3 fixes the following issue:

• Fix syslog making default 'ident' from sys.argv (bsc#1222109)

SUSE-CU-2024:1290-1

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

SUSE-CU-2024:1039-1

SUSE-CU-2024:944-1

This update for python3 fixes the following issues:

• CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666).
• CVE-2022-48566: Make compare_digest more constant-time (bsc#1214691).

SUSE-CU-2024:868-1

SUSE-CU-2024:683-1

This update for openssh fixes the following issues:

• CVE-2023-51385: Limit the use of shell metacharacters in host- and user names to avoid command injection. (bsc#1218215)

SUSE-CU-2024:663-1

This update for python3 fixes the following issues:

• CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

SUSE-CU-2024:612-1

SUSE-CU-2024:378-1

SUSE-CU-2024:293-1

SUSE-CU-2023:4306-1

This update for curl fixes the following issues:

• libssh: Implement SFTP packet size limit (bsc#1216987)

SUSE-CU-2023:4230-1

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for openssh fixes the following issues:

• CVE-2023-48795: Fixed prefix truncation breaking ssh channel integrity (bsc#1217950).

• Fix the 'no route to host' error when connecting via ProxyJump

SUSE-CU-2023:4186-1

SUSE-CU-2023:4172-1

SUSE-CU-2023:4123-1

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

SUSE-CU-2023:4062-1

This update for curl fixes the following issues:

• CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
• CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

This update of man fixes the following problem:

• The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages.

SUSE-CU-2023:4052-1

SUSE-CU-2023:3977-1

This update for sqlite3 fixes the following issues:

• CVE-2023-2137: Fixed heap buffer overflow (bsc#1210660).

SUSE-CU-2023:3887-1

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

SUSE-CU-2023:3828-1

This update for openssl-1_1 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

SUSE-CU-2023:3771-1

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

SUSE-CU-2023:3699-1

SUSE-CU-2023:3689-1

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

SUSE-CU-2023:3681-1

This update for glibc fixes the following issues:

• nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
• Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
• elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
• elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
• ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
• add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

This update for curl fixes the following issues:

• CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

This update for nghttp2 fixes the following issues:

• CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for curl fixes the following issues:

• CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
• CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

This update for openssl-1_1 fixes the following issues:

• Displays 'fips' in the version string (bsc#1215215)

This update for systemd fixes the following issues:

• Fix mismatch of nss-resolve version in Package Hub (no source code changes)

This update for aaa_base fixes the following issues:

• Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for nghttp2 fixes the following issues:

• CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

SUSE-CU-2023:3171-1

This update for shadow fixes the following issues:

• Prevent lock files from remaining after power interruptions (bsc#1213189)
• Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

This update for util-linux fixes the following issues:

• Fix blkid for floppy drives (bsc#1194900)
• Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
• Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

This update for audit fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
• Fix rules not loaded when restarting auditd.service (bsc#1204844)

This update for systemd fixes the following issues:

• Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
• Decrease devlink priority for iso disks (bsc#1213185)
• Do not ignore mount point paths longer than 255 characters (bsc#1208194)
• Refuse hibernation if there's no possible way to resume (bsc#1186606)
• Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
• Drop some entries no longer needed by YaST (bsc#1194609)
• The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
• Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

This update for sysuser-tools fixes the following issues:

• Update to version 3.2
• Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
• Add 'quilt setup' friendly hint to %sysusers_requires usage
• Use append so if a pre file already exists it isn't overridden
• Invoke bash for bash scripts (bsc#1195391)
• Remove all systemd requires not supported on SLE15 (bsc#1214140)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update for hidapi ships the missing libhidapi-raw0 library to SLE and Leap Micro 5.3 and 5.4.

This update for python3 fixes the following issues:

• CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).

SUSE-CU-2023:2517-1

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for openssl-1_1 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

• Update further expiring certificates that affect the testsuite (bsc#1201627).

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for openssl-1_1 fixes the following issues:

• Check the OCSP RESPONSE in openssl s_client command and terminate connection if a revoked certificate is found. [bsc#1212623]

This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:
This update provides a feature update to the FIDO2 stack.
Changes in libfido2:

• Version 1.13.0 (2023-02-20)

• Version 1.12.0 (2022-09-22)

• Version 1.11.0 (2022-05-03)

• Version 1.10.0 (2022-01-17)

• Version 1.9.0 (2021-10-27)

• Update to version 1.8.0:

• Update to version 1.7.0:

• Enabled hidapi again, issues related to hidapi are fixed upstream

• Update to version 1.6.0:

• Create a udev subpackage and ship the udev rule.

• update to 0.9.3:

• Update to version 0.9.1

• Version 0.8.1 (released 2019-11-25)

• Version 0.8.0 (released 2019-11-25)

• Version 0.7.2 (released 2019-10-24)

• Version 0.7.1 (released 2019-09-20)

• Version 0.7.0 (released 2019-06-17)

• Version 0.6.0 (released 2019-05-10)

• Update to version 4.0.9 (released 2022-06-17)

• Update to version 4.0.8 (released 2022-01-31)

• version update to 4.0.7

• version 4.0.6 (released 2021-09-08)

• version 4.0.5 (released 2021-07-16)

• Update to version 4.0.3

• Update to version 4.0.2

• Update to 3.1.1

• Version 3.1.0 (released 2019-08-20)

• Version 3.0.0 (released 2019-06-24)

• Version 2.1.1 (released 2019-05-28)

• update to 1.2.5:

• Update to version 1.2.4 (released 2021-10-26)

• Update to version 1.2.3

• Update to version 1.2.2

• update to 1.1.5

• Update to version 1.1.4

• Version 1.1.3 (released 2019-08-20)

• Version 1.1.2 (released 2019-06-24)

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for audit fixes the following issues:

• Check for AF_UNIX unnamed sockets (bsc#1210004)
• Enable livepatching on main library on x86_64

This update for openldap2 fixes the following issues:

• libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for glibc fixes the following issues:

• getlogin_r: fix missing fallback if loginuid is unset (bsc#1209229, BZ #30235)
• Exclude static archives from preparation for live patching (bsc#1208721)
• resolv_conf: release lock on allocation failure (bsc#1211828, BZ #30527)

This update for curl fixes the following issues:

• CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

This update for libfido2 fixes the following issues:

• Use openssl 1.1 still on SUSE Linux Enterprise 15 to avoid pulling unneeded openssl-3 dependency. (jsc#PED-4521)

This update for openssh fixes the following issues:

• CVE-2023-38408: Fixed a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408]

• Close the right filedescriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536]

• Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008]

This update for openssl-1_1 fixes the following issues:

• CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

SUSE-CU-2023:2050-1

This update for python3 fixes the following issues:

• CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).

• Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).

This update for patterns-base fixes the following issues:

• change label of FIPS 140-2 to 140-3 to reflect our current certifications (bsc#1203537)

This update for zstd fixes the following issues:

• CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975)

• Fix avx2 strncmp offset compare condition check (bsc#1208358)
• elf: Allow dlopen of filter object to work (bsc#1207571)
• powerpc: Fix unrecognized instruction errors with recent GCC
• x86: Cache computation for AMD architecture (bsc#1207957)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

This update for systemd fixes the following issues:

• Fix return non-zero value when disabling SysVinit service (bsc#1208432)
• Drop build requirement on libpci, it's not no longer needed
• Move systemd-boot and all components managing (secure) UEFI boot into udev sub-package, so they aren't installed in systemd based containers

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

This update for sles-release fixes the following issue:

• Filter libhogweed4 and libnettle6 so they dont get orphaned on system upgrades. (bsc#1208529)

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).

• Remove unneeded dependency (bsc#1209918).

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for openssh fixes the following issues:

• Remove some patches that cause invalid environment assignments (bsc#1207014).

This update for zlib fixes the following issues:

• Add DFLTCC support for using inflate() with a small window (bsc#1206513)

This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)

• CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
• CVE-2023-28320: siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).

This update for systemd fixes the following issues:

• udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410)
• Optimize when hundred workers claim the same symlink with the same priority (bsc#1203141)
• Add nss-resolve and systemd-network to Packagehub-Subpackages (MSC-626)

This update for util-linux fixes the following issue:

• Add upstream patch to prevent possible performance degradation of libuuid (bsc#1210164)

This update for zlib fixes the following issue:

• Fix function calling order to avoid crashes (bsc#1210593)

This update for openssl-1_1 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

This update for python3 fixes the following issues:

• CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).

• Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158).

SUSE-CU-2023:741-1

This update for curl fixes the following issues:

• CVE-2023-23914: Fixed HSTS ignored on multiple requests (bsc#1207990).
• CVE-2023-23915: Fixed HSTS amnesia with --parallel (bsc#1207991).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for systemd fixes the following issues:

• Merge of v249.15
• Drop workaround related to systemd-timesyncd that addressed a Factory issue.
• Conditionalize the use of /lib/modprobe.d only on systems with split usr support enabled (i.e. SLE).
• Make use of the %systemd_* rpm macros consistently. Using the upstream variants will ease the backports of Factory changes to SLE since Factory systemd uses the upstream variants exclusively.
• machines.target belongs to systemd-container, do its init/cleanup steps from the scriptlets of this sub-package.
• Make sure we apply the presets on units shipped by systemd package.
• systemd-testsuite: move the integration tests in a dedicated sub directory.
• Move systemd-cryptenroll into udev package.

This update for python3 fixes the following issues:
- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).
Bugfixes:
- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).

This update for openssl-1_1 fixes the following issues:

• FIPS: Serialize jitterentropy calls to avoid thread safety issues [bsc#1207994]

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for libgcrypt fixes the following issues:

• FIPS: ECC: Transition to error-state if PCT fail [bsc#1208925]
• FIPS: ECDSA: Avoid no-keytest in ECDSA keygen [bsc#1208924]
• FIPS: PBKDF2: Added additional checks for the minimum key length, salt length, iteration count and passphrase length to the kdf FIPS indicator in _gcry_fips_indicator_kdf() [bsc#1208926]

This update for openssl-1_1 fixes the following issues:
FIPS: Service-level indicator changes [bsc#1208998]

• Add additional checks required by FIPS 140-3. Minimum values for PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for iteration count and 20 characters for password.

SUSE-CU-2023:337-1

SUSE-CU-2023:336-1

This update for openssh fixes the following issues:

• Make ssh connections update their dbus environment (bsc#1179465): * Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
• CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308).

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for libxml2 fixes the following issues:

• Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for shadow fixes the following issues:

• Fix issue with user id field that cannot be interpreted (bsc#1205502)

This update for util-linux fixes the following issues:

• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
• libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).

This update for openssl-1_1 fixes the following issues:

• FIPS: Add Pair-wise Consistency Test when generating DH key [bsc#1207182]

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issues

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed an issue where users could access coredumps with changed uid, gid or capabilities (bsc#1205000).

• Enabled the pstore service (jsc#PED-2663).
• Fixed an issue accessing TPM when secure boot is enabled (bsc#1204944).
• Fixed an issue where a pamd file could get accidentally overwritten after an update (bsc#1207264).

This update for openssl-1_1 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

SUSE-CU-2022:3379-1

SUSE-CU-2022:3378-1

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). - CVE-2022-42916: Fixed HSTS bypass via IDN (bsc#1204386).

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)
• Add permissions for enlightenment helper on 32bit arches (bsc#1194047)

This update for openssl-1_1 fixes the following issues:

• FIPS: Add a missing dependency on jitterentropy-devel for libopenssl-1_1-devel (bsc#1202148)
• FIPS: OpenSSL service-level indicator: Allow AES XTS 256 (bsc#1190651)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for openssh fixes the following issue:

• Prevent empty messages from being sent. (bsc#1192439)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• Fix file conflict during upgrade (bsc#1204211)
• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 0cd50eedcc0692c1f907b24424215f8db7d3b428 * 0469b9f2bc pstore: do not try to load all known pstore modules * ad05f54439 pstore: Run after modules are loaded * ccad817445 core: Add trigger limit for path units * 281d818fe3 core/mount: also add default before dependency for automount mount units * ffe5b4afa8 logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179)
• Make 'sle15-sp3' net naming scheme still available for backward compatibility reason

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for libeconf fixes the following issues:

• Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165)

• Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters'

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

This update for openssl-1_1 fixes the following issues:

• FIPS: Mark PBKDF2 with key shorter than 112 bits as non-approved (bsc#1190651)
• FIPS: Consider RSA siggen/sigver with PKCS1 padding also approved (bsc#1190651)
• FIPS: Return the correct indicator for a given EC group order bits (bsc#1190651)

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for python3 fixes the following issues:

• CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577)
• CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125)

• Fixed a crash in the garbage collection (bsc#1188607).

SUSE-CU-2022:2730-1

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for python3 fixes the following issues:

• CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).

This update for libgcrypt fixes the following issues:

• FIPS: Fixed gpg/gpg2 gets out of core handler in FIPS mode while typing Tab key to Auto-Completion. [bsc#1182983]

• FIPS: Ported libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941]

• FIPS: Get most of the entropy from rndjent_poll [bsc#1202117]
• FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700]

• FIPS: Zeroize buffer and digest in check_binary_integrity() [bsc#1191020]

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for openssl-1_1 fixes the following issues:

• FIPS: Default to RFC-7919 groups for genparam and dhparam
• FIPS: list only FIPS approved digest and public key algorithms [bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472]
• FIPS: Add KAT for the RAND_DRBG implementation [bsc#1203069]
• FIPS: openssl: RAND api should call into FIPS DRBG [bsc#1201293] * The FIPS_drbg implementation is not FIPS validated anymore. To provide backwards compatibility for applications that need FIPS compliant RNG number generation and use FIPS_drbg_generate, this function was re-wired to call the FIPS validated DRBG instance instead through the RAND_bytes() call.
• FIPS: Fix minor memory leaks by FIPS patch [bsc#1203046]
• FIPS: OpenSSL: Port openssl to use jitterentropy [bsc#1202148, jsc#SLE-24941] libcrypto.so now requires libjitterentropy3 library.
• FIPS: OpenSSL Provide a service-level indicator [bsc#1190651]
• FIPS: Add zeroization of temporary variables to the hmac integrity function FIPSCHECK_verify(). [bsc#1190653]

This update for libxml2 fixes the following issues:
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

SUSE-CU-2022:2125-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for curl fixes the following issues:

• CVE-2022-32205: Set-Cookie denial of service (bsc#1200734)
• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32207: Unpreserved file permissions (bsc#1200736)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)
• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for python3 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for systemd fixes the following issues:

• Make {/etc,/usr/lib}/systemd/network owned by both udev and systemd-network. The configuration files put in these directories are read by both udevd and systemd-networkd (bsc#1201276)
• Allow control characters in environment variable values (bsc#1200170)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition

This update for rpm-config-SUSE fixes the following issues:

• Add SBAT values macros for other packages (bsc#1193282)

This update for glibc fixes the following issues:

• Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
• i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

This update for libxml2 fixes the following issues:
Update to 2.9.14:

• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes. (bsc#1196490)

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for elfutils fixes the following issues:

• Fix runtime dependency for devel package

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

This update for systemd fixes the following issues:

• Don't replace /etc/systemd/system/tmp.mount symlink with a dangling one pointing to /usr/lib/systemd/ (bsc#1201795)
• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• Avoid applying presets to any services shipped by the experimental sub-package, as they aren't enabled by default
• analyze: Fix offline check for syscal filter
• calendarspec: Fix timer skipping the next elapse
• core: Allow command argument to be longer
• hwdb: Add AV production controllers to hwdb and add uaccess
• hwdb: Allow console users access to rfkill
• hwdb: Allow end-users root-less access to TL866 EPROM readers
• hwdb: Permit unsetting power/persist for USB devices
• hwdb: Tag IR cameras as such
• hwdb: Fix parsing issue
• hwdb: Make usb match patterns uppercase
• hwdb: Update the hardware database
• journal-file: Stop using the event loop if it's already shutting down
• journal-remote: Disable `--trust` option when gnutls is disabled and check_permission() should not be called
• journald: Ensure resources are properly allocated for SIGTERM handling
• kernel-install: Ensure modules.builtin.alias.bin is removed when no longer needed
• macro: Account for negative values in DECIMAL_STR_WIDTH()
• manager: Disallow clone3() function call in seccomp filters
• missing-syscall: Define MOVE_MOUNT_T_EMPTY_PATH if missing
• pid1,cgroup-show: Prevent failure if cgroup.procs in some subcgroups is not readable
• resolve: Fix typo in dns_class_is_pseudo()
• sd-event: Improve handling of process events and termination of processes
• sd-ipv4acd: Fix ARP packet conflicts occurring when sender hardware is one of the host's interfaces
• stdio-bridge: Improve the meaning of the error message
• tmpfiles: Check for the correct directory

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for util-linux fixes the following issues:

• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

SUSE-CU-2022:1341-1

SUSE-CU-2022:1156-1

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for aaa_base provides the following fixes:

• Let bash.bashrc work even for (m)ksh. (bsc#1104531)
• Fix an error at login if java system directory is empty. (bsc#1102310)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for aaa_base fixes the following issues:

• Restore old position of ssh/sudo source of profile (bsc#1118364).
• Update logic for JRE_HOME env variable (bsc#1128246)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for zlib fixes the following issues:

• Update the s390 patchset. (bsc#1137624)
• Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
• Use FAT LTO objects in order to provide proper static library.
• Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
• Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

This update for aaa_base fixes the following issues:

• Make systemd detection cgroup oblivious. (bsc#1140647)

This update for aaa_base fixes the following issues:
Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)
Following settings have been tightened (and set to 0):

• net.ipv4.conf.all.accept_redirects
• net.ipv4.conf.default.accept_redirects
• net.ipv4.conf.default.accept_source_route
• net.ipv6.conf.all.accept_redirects
• net.ipv6.conf.default.accept_redirects

This update for sqlite3 fixes the following issues:
Security issue fixed:

• CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

This update for aaa_base provides the following fixes:

• Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
• Add s390x compressed kernel support. (bsc#1151023)
• service: Check if there is a second argument before using it. (bsc#1051143)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
• Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)