Container summary for bci/python

SUSE-CU-2023:145-1

SUSE-CU-2023:97-1

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

SUSE-CU-2023:46-1

SUSE-CU-2023:23-1

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

SUSE-CU-2023:6-1

SUSE-CU-2022:3477-1

This update for sqlite3 fixes the following issues:

• CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Support by-path devlink for multipath nvme block devices (bsc#1200723).
• Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

SUSE-CU-2022:3461-1

SUSE-CU-2022:3425-1

SUSE-CU-2022:3396-1

This update for openssh fixes the following issues:

• Make ssh connections update their dbus environment (bsc#1179465): * Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish

SUSE-CU-2022:3347-1

SUSE-CU-2022:3336-1

SUSE-CU-2022:3331-1

SUSE-CU-2022:3276-1

SUSE-CU-2022:3240-1

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

SUSE-CU-2022:3157-1

SUSE-CU-2022:3118-1

This update for rpm fixes the following issues:

• Strip critical bit in signature subpackage parsing
• No longer deadlock DNF after pubkey import (bsc#1202750)

SUSE-CU-2022:3087-1

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for python39 fixes the following issues:
Security fixes:

• CVE-2022-42919: Fixed local privilege escalation via the multiprocessing forkserver start method (bsc#1204886).
• CVE-2022-45061: Fixed a quadratic IDNA decoding time (bsc#1205244).

• Allow building of documentation with the latest Sphinx 5.3.0 (gh#python/cpython#98366).
• Update to 3.9.15: - Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. - Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. (originally filed as CVE-2022-37460, later withdrawn) - Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. - When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message. - Update bundled libexpat to 2.4.9

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

SUSE-CU-2022:3023-1

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2 * 8a70235d8a core: Add trigger limit for path units * 93e544f3a0 core/mount: also add default before dependency for automount mount units * 5916a7748c logind: fix crash in logind on user-specified message string

• Document udev naming scheme (bsc#1204179).

SUSE-CU-2022:3001-1

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

This update for util-linux fixes the following issues:

• Fix file conflict during upgrade (bsc#1204211)
• libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid.

SUSE-CU-2022:2940-1

This update for git fixes the following issues:
- CVE-2022-39260: Fixed overflow in split_cmdline() (bsc#1204456). - CVE-2022-39253: Fixed dereference issue with symbolic links via the `--local` clone mechanism (bsc#1204455).

SUSE-CU-2022:2898-1

This update for protobuf fixes the following issues:

• CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
• CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
• CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)

SUSE-CU-2022:2881-1

This update for openssl-1_1 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
• Fix memory leaks (bsc#1203046)

This update for openssh fixes the following issue:

• Prevent empty messages from being sent. (bsc#1192439)

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

SUSE-CU-2022:2850-1

SUSE-CU-2022:2839-1

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

SUSE-CU-2022:2806-1

SUSE-CU-2022:2783-1

SUSE-CU-2022:2743-1

This update for buildah fixes the following issues:

• CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
• CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
• CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

• run: add container gid to additional groups

• Add fix for CVE-2022-2990 / bsc#1202812

• Don't try to call runLabelStdioPipes if spec.Linux is not set
• build: support filtering cache by duration using --cache-ttl
• build: support building from commit when using git repo as build context
• build: clean up git repos correctly when using subdirs
• integration tests: quote '?' in shell scripts
• test: manifest inspect should have OCIv1 annotation
• vendor: bump to c/common@87fab4b7019a
• Failure to determine a file or directory should print an error
• refactor: remove unused CommitOptions from generateBuildOutput
• stage_executor: generate output for cases with no commit
• stage_executor, commit: output only if last stage in build
• Use errors.Is() instead of os.Is{Not,}Exist
• Minor test tweak for podman-remote compatibility
• Cirrus: Use the latest imgts container
• imagebuildah: complain about the right Dockerfile
• tests: don't try to wrap `nil` errors
• cmd/buildah.commitCmd: don't shadow 'err'
• cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
• Fix a copy/paste error message
• Fix a typo in an error message
• build,cache: support pulling/pushing cache layers to/from remote sources
• Update vendor of containers/(common, storage, image)
• Rename chroot/run.go to chroot/run_linux.go
• Don't bother telling codespell to skip files that don't exist
• Set user namespace defaults correctly for the library
• imagebuildah: optimize cache hits for COPY and ADD instructions
• Cirrus: Update VM images w/ updated bats
• docs, run: show SELinux label flag for cache and bind mounts
• imagebuildah, build: remove undefined concurrent writes
• bump github.com/opencontainers/runtime-tools
• Add FreeBSD support for 'buildah info'
• Vendor in latest containers/(storage, common, image)
• Add freebsd cross build targets
• Make the jail package build on 32bit platforms
• Cirrus: Ensure the build-push VM image is labeled
• GHA: Fix dynamic script filename
• Vendor in containers/(common, storage, image)
• Run codespell
• Remove import of github.com/pkg/errors
• Avoid using cgo in pkg/jail
• Rename footypes to fooTypes for naming consistency
• Move cleanupTempVolumes and cleanupRunMounts to run_common.go
• Make the various run mounts work for FreeBSD
• Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
• Move runSetupRunMounts to run_common.go
• Move cleanableDestinationListFromMounts to run_common.go
• Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
• Move setupMounts and runSetupBuiltinVolumes to run_common.go
• Tidy up - runMakeStdioPipe can't be shared with linux
• Move runAcceptTerminal to run_common.go
• Move stdio copying utilities to run_common.go
• Move runUsingRuntime and runCollectOutput to run_common.go
• Move fileCloser, waitForSync and contains to run_common.go
• Move checkAndOverrideIsolationOptions to run_common.go
• Move DefaultNamespaceOptions to run_common.go
• Move getNetworkInterface to run_common.go
• Move configureEnvironment to run_common.go
• Don't crash in configureUIDGID if Process.Capabilities is nil
• Move configureUIDGID to run_common.go
• Move runLookupPath to run_common.go
• Move setupTerminal to run_common.go
• Move etc file generation utilities to run_common.go
• Add run support for FreeBSD
• Add a simple FreeBSD jail library
• Add FreeBSD support to pkg/chrootuser
• Sync call signature for RunUsingChroot with chroot/run.go
• test: verify feature to resolve basename with args
• vendor: bump openshift/imagebuilder to master@4151e43
• GHA: Remove required reserved-name use
• buildah: set XDG_RUNTIME_DIR before setting default runroot
• imagebuildah: honor build output even if build container is not commited
• chroot: honor DefaultErrnoRet
• [CI:DOCS] improve pull-policy documentation
• tests: retrofit test since --file does not supports dir
• Switch to golang native error wrapping
• BuildDockerfiles: error out if path to containerfile is a directory
• define.downloadToDirectory: fail early if bad HTTP response
• GHA: Allow re-use of Cirrus-Cron fail-mail workflow
• add: fail on bad http response instead of writing to container
• [CI:DOCS] Update buildahimage comment
• lint: inspectable is never nil
• vendor: c/common to common@7e1563b
• build: support OCI hooks for ephemeral build containers
• [CI:BUILD] Install latest buildah instead of compiling
• Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
• Make sure cpp is installed in buildah images
• demo: use unshare for rootless invocations
• buildah.spec.rpkg: initial addition
• build: fix test for subid 4
• build, userns: add support for --userns=auto
• Fix building upstream buildah image
• Remove redundant buildahimages-are-sane validation
• Docs: Update multi-arch buildah images readme
• Cirrus: Migrate multiarch build off github actions
• retrofit-tests: we skip unused stages so use stages
• stage_executor: dont rely on stage while looking for additional-context
• buildkit, multistage: skip computing unwanted stages
• More test cleanup
• copier: work around freebsd bug for 'mkdir /'
• Replace $BUILDAH_BINARY with buildah() function
• Fix up buildah images
• Make util and copier build on FreeBSD
• Vendor in latest github.com/sirupsen/logrus
• Makefile: allow building without .git
• run_unix: don't return an error from getNetworkInterface
• run_unix: return a valid DefaultNamespaceOptions
• Update vendor of containers/storage
• chroot: use ActKillThread instead of ActKill
• use resolvconf package from c/common/libnetwork
• update c/common to latest main
• copier: add `NoOverwriteNonDirDir` option
• Sort buildoptions and move cli/build functions to internal
• Fix TODO: de-spaghettify run mounts
• Move options parsing out of build.go and into pkg/cli
• [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
• build, multiarch: support splitting build logs for --platform
• [CI:BUILD] WIP Cleanup Image Dockerfiles
• cli remove stutter
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• Fix use generic/ambiguous DEBUG name
• Cirrus: use Ubuntu 22.04 LTS
• Fix codespell errors
• Remove util.StringInSlice because it is defined in containers/common
• buildah: add support for renaming a device in rootless setups
• squash: never use build cache when computing last step of last stage
• Update vendor of containers/(common, storage, image)
• buildkit: supports additionalBuildContext in builds via --build-context
• buildah source pull/push: show progress bar
• run: allow resuing secret twice in different RUN steps
• test helpers: default to being rootless-aware
• Add --cpp-flag flag to buildah build
• build: accept branch and subdirectory when context is git repo
• Vendor in latest containers/common
• vendor: update c/storage and c/image
• Fix gentoo install docs
• copier: move NSS load to new process
• Add test for prevention of reusing encrypted layers
• Make `buildah build --label foo` create an empty 'foo' label again

• build, multiarch: support splitting build logs for --platform
• copier: add `NoOverwriteNonDirDir` option
• docker-parity: ignore sanity check if baseImage history is null
• build, commit: allow disabling image history with --omit-history
• buildkit: supports additionalBuildContext in builds via --build-context
• Add --cpp-flag flag to buildah build

• define.downloadToDirectory: fail early if bad HTTP response
• add: fail on bad http response instead of writing to container
• squash: never use build cache when computing last step of last stage
• run: allow resuing secret twice in different RUN steps
• integration tests: update expected error messages
• integration tests: quote '?' in shell scripts
• Use errors.Is() to check for storage errors
• lint: inspectable is never nil
• chroot: use ActKillThread instead of ActKill
• chroot: honor DefaultErrnoRet
• Set user namespace defaults correctly for the library
• contrib/rpm/buildah.spec: fix `rpm` parser warnings

• Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

• buildah: add support for renaming a device in rootless setups

• Make `buildah build --label foo` create an empty 'foo' label again
• imagebuildah,build: move deepcopy of args before we spawn goroutine
• Vendor in containers/storage v1.40.2
• buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
• help output: get more consistent about option usage text
• Handle OS version and features flags
• buildah build: --annotation and --label should remove values
• buildah build: add a --env
• buildah: deep copy options.Args before performing concurrent build/stage
• test: inline platform and builtinargs behaviour
• vendor: bump imagebuilder to master/009dbc6
• build: automatically set correct TARGETPLATFORM where expected
• Vendor in containers/(common, storage, image)
• imagebuildah, executor: process arg variables while populating baseMap
• buildkit: add support for custom build output with --output
• Cirrus: Update CI VMs to F36
• fix staticcheck linter warning for deprecated function
• Fix docs build on FreeBSD
• copier.unwrapError(): update for Go 1.16
• copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
• copier.Put(): write to read-only directories
• Ed's periodic test cleanup
• using consistent lowercase 'invalid' word in returned err msg
• use etchosts package from c/common
• run: set actual hostname in /etc/hostname to match docker parity
• Update vendor of containers/(common,storage,image)
• manifest-create: allow creating manifest list from local image
• Update vendor of storage,common,image
• Initialize network backend before first pull
• oci spec: change special mount points for namespaces
• tests/helpers.bash: assert handle corner cases correctly
• buildah: actually use containers.conf settings
• integration tests: learn to start a dummy registry
• Fix error check to work on Podman
• buildah build should accept at most one arg
• tests: reduce concurrency for flaky bud-multiple-platform-no-run
• vendor in latest containers/common,image,storage
• manifest-add: allow override arch,variant while adding image
• Remove a stray `\` from .containerenv
• Vendor in latest opencontainers/selinux v1.10.1
• build, commit: allow removing default identity labels
• Create shorter names for containers based on image IDs
• test: skip rootless on cgroupv2 in root env
• fix hang when oci runtime fails
• Set permissions for GitHub actions
• copier test: use correct UID/GID in test archives
• run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

This update for permissions fixes the following issues:

• Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support ICMP_PROTO sockets feature yet (bsc#1204137)
• Fix regression introduced by backport of security fix (bsc#1203911)

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

SUSE-CU-2022:2670-1

SUSE-CU-2022:2643-1

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2563-1

SUSE-CU-2022:2559-1

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

SUSE-CU-2022:2521-1

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for libzypp, zypper fixes the following issues:
libzypp:

• Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Remove migration code that is no longer needed (bsc#1203649)
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

• Fix contradiction in the man page: `--download-in-advance` option is the default behavior
• Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
• Fix tests to use locale 'C.UTF-8' rather than 'en_US'
• Make sure 'up' respects solver related CLI options (bsc#1201972)
• Remove unneeded code to compute the PPP status because it is now auto established
• Store logrotate files in vendor specif directory '/usr/etc/logrotate.d' if so defined

SUSE-CU-2022:2478-1

SUSE-CU-2022:2464-1

This update for python39 fixes the following issues:
python39 was updated to version 3.9.14:

• CVE-2020-10735: Fixed DoS due to int() type in PyLong_FromString() not limiting amount of digits when converting text to int (bsc#1203125).
• CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).

SUSE-CU-2022:2388-1

This update for glibc fixes the following issues:

• Reversing calculation of __x86_shared_non_temporal_threshold (bsc#1201942)
• powerpc: Optimized memcmp for power10 (jsc#PED-987)

SUSE-CU-2022:2360-1

This update for libassuan fixes the following issues:

• Add a timeout for writing to a SOCKS5 proxy
• Add workaround for a problem with LD_LIBRARY_PATH on newer systems
• Fix issue in the logging code
• Fix some build trivialities
• Upgrade autoconf

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for sqlite3 fixes the following issues:

• CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
• CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
• Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

SUSE-CU-2022:2256-1

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

Implement ECO jsc#SLE-20950 to fix the channel configuration for libeconf-devel having L3 support (instead of unsupported).

SUSE-CU-2022:2214-1

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

SUSE-CU-2022:2213-1

SUSE-CU-2022:2159-1

This update for libzypp, zypper fixes the following issues:
libzypp:

• Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
• Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
• Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
• Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloaded. Second the Provide API is going to completely replace the current media backend.

• Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
• Reject install/remove modifier without argument (bsc#1201576)
• zypper-download: Handle unresolvable arguments as errors
• Put signing key supplying repository name in quotes

SUSE-CU-2022:2130-1

This update for rpm fixes the following issues:

• Support Ed25519 RPM signatures [jsc#SLE-24714]

SUSE-CU-2022:2122-1

SUSE-CU-2022:2099-1

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

SUSE-CU-2022:2050-1

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)
No codechanges were done in this update.

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

SUSE-CU-2022:1997-1

This update for procps fixes the following issues:

• Fix 'free' command reporting misleading 'used' value (bsc#1181475)

SUSE-CU-2022:1965-1

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

SUSE-CU-2022:1919-1

This update for systemd fixes the following issues:

• Drop or soften some of the deprecation warnings (jsc#PED-944)
• Ensure root user can login even if systemd-user-sessions.service is not activated yet (bsc#1195059)
• tmpfiles: check for the correct directory

SUSE-CU-2022:1918-1

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

SUSE-CU-2022:1884-1

SUSE-CU-2022:1867-1

SUSE-CU-2022:1848-1

SUSE-CU-2022:1812-1

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

SUSE-CU-2022:1774-1

This update for pcre2 fixes the following issues:

• CVE-2019-20454: Fixed out-of-bounds read in JIT mode when \X is used in non-UTF mode (bsc#1164384).
• CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235).

SUSE-CU-2022:1716-1

This update for dwarves and elfutils fixes the following issues:
elfutils was updated to version 0.177 (jsc#SLE-24501):

• elfclassify: New tool to analyze ELF objects.
• readelf: Print DW_AT_data_member_location as decimal offset. Decode DW_AT_discr_list block attributes.
• libdw: Add DW_AT_GNU_numerator, DW_AT_GNU_denominator and DW_AT_GNU_bias.
• libdwelf: Add dwelf_elf_e_machine_string. dwelf_elf_begin now only returns NULL when there is an error reading or decompressing a file. If the file is not an ELF file an ELF handle of type ELF_K_NONE is returned.
• backends: Add support for C-SKY.

• build: Add new --enable-install-elfh option. Do NOT use this for system installs (it overrides glibc elf.h).
• backends: riscv improved core file and return value location support.
• Fixes: - CVE-2019-7146, CVE-2019-7148, CVE-2019-7149, CVE-2019-7664 - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (CVE is a bit misleading, as this is not a bug in libelf as described) (bsc#1125007)

• libdw: Added new DWARF5 attribute, tag, character encoding, language code, calling convention, defaulted member function and macro constants to dwarf.h.

• backends: Add support for EM_PPC64 GNU_ATTRIBUTES. Frame pointer unwinding fallback support for i386, x86_64, aarch64.
• translations: Update Polish translation. - CVE-2017-7611: elfutils: DoS (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033088) - CVE-2017-7610: elflint: heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7609: memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7607: heap-based buffer overflow in handle_gnu_hashi (readelf.c) (bsc#1033084) - CVE-2017-7608: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c) (bsc#1033085) - CVE-2017-7613: elfutils: denial of service (memory consumption) via a crafted ELF file (bsc#1033090) - CVE-2017-7612: elfutils: denial of service (heap-based buffer over-read and application crash) via a crafted ELF file (bsc#1033089)
• Don't make elfutils recommend elfutils-lang as elfutils-lang already supplements elfutils.

SUSE-CU-2022:1708-1

This update for libzypp, zypper fixes the following issues:
libzypp:

• appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
• zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
• PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
• Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
• singletrans: no dry-run commit if doing just download-only
• Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
• Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

• Basic JobReport for 'cmdout/monitor'
• versioncmp: if verbose, also print the edition 'parts' which are compared
• Make sure MediaAccess is closed on exception (bsc#1194550)
• Display plus-content hint conditionally
• Honor the NO_COLOR environment variable when auto-detecting whether to use color
• Define table columns which should be sorted natural [case insensitive]
• lr/ls: Use highlight color on name and alias as well

SUSE-CU-2022:1651-1

This update for git fixes the following issues:

• CVE-2022-29187: Incomplete fix for CVE-2022-24765: potential command injection via git worktree (bsc#1201431).

SUSE-CU-2022:1627-1

This update for systemd fixes the following issues:

• Allow control characters in environment variable values (bsc#1200170)
• Call pam_loginuid when creating user@.service (bsc#1198507)
• Fix parsing error in s390 udev rules conversion script (bsc#1198732)
• Fix issues with multipath setup (bsc#1137373, bsc#1181658, bsc#1194708, bsc#1195157, bsc#1197570)
• Flagsify EscapeStyle and make ESCAPE_BACKSLASH_ONELINE implicit
• Revert 'basic/env-util: (mostly) follow POSIX for what variable names are allowed'
• basic/env-util: (mostly) follow POSIX for what variable names are allowed
• basic/env-util: make function shorter
• basic/escape: add mode where empty arguments are still shown as ''
• basic/escape: always escape newlines in shell_escape()
• basic/escape: escape control characters, but not utf-8, in shell quoting
• basic/escape: use consistent location for '*' in function declarations
• basic/string-util: inline iterator variable declarations
• basic/string-util: simplify how str_realloc() is used
• basic/string-util: split out helper function
• core/device: device_coldplug(): don't set DEVICE_DEAD
• core/device: do not downgrade device state if it is already enumerated
• core/device: drop unnecessary condition
• string-util: explicitly cast character to unsigned
• string-util: fix build error on aarch64
• test-env-util: Verify that \r is disallowed in env var values
• test-env-util: print function headers

This update for glibc fixes the following issues:

• Remove tunables from static tls surplus patch which caused crashes (bsc#1200855)
• i386: Disable check_consistency for GCC 5 and above (bsc#1201640, BZ #25788)

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).
• Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125)

SUSE-CU-2022:1554-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

SUSE-CU-2022:1539-1

SUSE-CU-2022:1529-1

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

SUSE-CU-2022:1461-1

SUSE-CU-2022:1448-1

SUSE-CU-2022:1447-1

This update for curl fixes the following issues:

• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

This update for openssl-1_1 fixes the following issues:

• CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

SUSE-CU-2022:1405-1

This update for openssl-1_1 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).
• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

SUSE-CU-2022:1393-1

SUSE-CU-2022:1385-1

This update for python39 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

• Update to 3.9.13: - Core and Builtins - gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list comprehension could misbehave or crash. - gh-92112: Fix crash triggered by an evil custom mro() on a metaclass. - gh-92036: Fix a crash in subinterpreters related to the garbage collector. When a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a crash in deallocator functions expecting objects to be tracked by the GC, leak a strong reference to these objects on purpose, so they are never deleted and their deallocator functions are not called. Patch by Victor Stinner. - gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex. - bpo-46775: Some Windows system error codes(>= 10000) are now mapped into the correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na. - bpo-46962: Classes and functions that unconditionally declared their docstrings ignoring the --without-doc-strings compilation flag no longer do so. - The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and types.GenericAlias. - The functions affected are 24 methods in ctypes. - Patch by Oleg Iarygin. - bpo-36819: Fix crashes in built-in encoders with error handlers that return position less or equal than the starting position of non-encodable characters. - Library - gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure Python implementation, since the fold is never 1 in UTC. In addition to being slightly faster in the common case, this also prevents some errors when the timestamp is close to datetime.min. Patch by Paul Ganssle. - gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify(). - gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, pickling did not fail, but the result could not be unpickled. - bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue after the last write of buffered data to the write end of the pipe to avoid BrokenPipeError at garbage collection and at multiprocessing.Queue.close() calls. Patch by Géry Ogam. - gh-91910: Add missing f prefix to f-strings in error messages from the multiprocessing and asyncio modules. - gh-91810: ElementTree method write() and function tostring() now use the text file''s encoding ('UTF-8' if not available) instead of locale encoding in XML declaration when encoding='unicode' is specified. - gh-91832: Add required attribute to argparse.Action repr output. - gh-91734: Fix OSS audio support on Solaris. - gh-91700: Compilation of regular expression containing a conditional expression (?(group)...) now raises an appropriate re.error if the group number refers to not defined group. Previously an internal RuntimeError was raised. - gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event loop executor before returning from its run method so that a not yet stopped or garbage collected executor state does not persist beyond the test. - gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular expression raises now re.error instead of TypeError. - gh-91595: Fix the comparison of character and integer inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu. - gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no longer spawned on demand (a feature added in 3.9) when the multiprocessing context start method is 'fork' as that can lead to deadlocks in the child processes due to a fork happening while threads are running. - gh-91575: Update case-insensitive matching in the re module to the latest Unicode version. - gh-91581: Remove an unhandled error case in the C implementation of calls to datetime.fromtimestamp with no time zone (i.e. getting a local time from an epoch timestamp). This should have no user-facing effect other than giving a possibly more accurate error message when called with timestamps that fall on 10000-01-01 in the local time. Patch by Paul Ganssle. - bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an invalid keyword was found in marked section. Patch by Marek Suscak. - bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for other families, like socket.AF_BLUETOOTH and socket.AF_UNIX. - bpo-43323: Fix errors in the email module if the charset itself contains undecodable/unencodable characters. - bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak - bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError instead of ValueError if given invalid tuple as address parameter. - bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while cancelling leaked tasks. Patch by Bar Harel. - bpo-44493: Add missing terminated NUL in sockaddr_un's length - This was potentially observable when using non-abstract AF_UNIX datagram sockets to processes written in another programming language. - bpo-42627: Fix incorrect parsing of Windows registry proxy settings - bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev. - Documentation - gh-91888: Add a new gh role to the documentation to link to GitHub issues. - gh-91783: Document security issues concerning the use of the function shutil.unpack_archive() - gh-91547: Remove 'Undocumented modules' page. - bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree(). - bpo-38668: Update the introduction to documentation for os.path to remove warnings that became irrelevant after the implementations of PEP 383 and PEP 529. - bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4. - bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to follow the guideline of PEP 7's Documentation Strings paragraph. Patch by Oleg Iarygin. - bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). Original patch by Andrew Brezovsky. - bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial about the ob_base field and the macros used to access its contents. - bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the code to enter an inconsistent state. Provided a sample workaround to avoid it if needed. - bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their respective section in Doc/library/errno.rst, and vice versa. Previously this was only done for EINTR and InterruptedError. Patch by Yan 'yyyyyyyan' Orestes. - bpo-38056: Overhaul the Error Handlers documentation in codecs. - bpo-13553: Document tkinter.Tk args. - Tests - gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start method context in several cases where the test logic mixed this up. - bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case on FreeBSD. - bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface construction with tuple arguments. Original patch and tests by louisom. - Build - bpo-47103: Windows PGInstrument builds now copy a required DLL into the output directory, making it easier to run the profile stage of a PGO build. - Windows - bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032. - bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, by using errors codes returned by FindFirstFileW() when appropriate in win32_xstat_impl. - bpo-40859: Update Windows build to use xz-5.2.5 - Tools/Demos - gh-91583: Fix regression in the code generated by Argument Clinic for functions with the defining_class parameter.

• Update to 3.9.12: - bpo-46968: Check for the existence of the 'sys/auxv.h' header in faulthandler to avoid compilation problems in systems where this header doesn't exist. Patch by Pablo Galindo - bpo-47101: hashlib.algorithms_available now lists only algorithms that are provided by activated crypto providers on OpenSSL 3.0. Legacy algorithms are not listed unless the legacy provider has been loaded into the default OSSL context. - bpo-23691: Protect the re.finditer() iterator from re-entering. - bpo-42369: Fix thread safety of zipfile._SharedFile.tell() to avoid a 'zipfile.BadZipFile: Bad CRC-32 for file' exception when reading a ZipFile from multiple threads. - bpo-38256: Fix binascii.crc32() when it is compiled to use zlib'c crc32 to work properly on inputs 4+GiB in length instead of returning the wrong result. The workaround prior to this was to always feed the function data in increments smaller than 4GiB or to just call the zlib module function. - bpo-39394: A warning about inline flags not at the start of the regular expression now contains the position of the flag. - bpo-47061: Deprecate the various modules listed by PEP 594: - aifc, asynchat, asyncore, audioop, cgi, cgitb, chunk, crypt, imghdr, msilib, nntplib, nis, ossaudiodev, pipes, smtpd, sndhdr, spwd, sunau, telnetlib, uu, xdrlib - bpo-2604: Fix bug where doctests using globals would fail when run multiple times. - bpo-45997: Fix asyncio.Semaphore re-aquiring FIFO order. - bpo-47022: The asynchat, asyncore and smtpd modules have been deprecated since at least Python 3.6. Their documentation has now been updated to note they will removed in Python 3.12 (PEP 594). - bpo-46421: Fix a unittest issue where if the command was invoked as python -m unittest and the filename(s) began with a dot (.), a ValueError is returned. - bpo-40296: Fix supporting generic aliases in pydoc. - bpo-14156: argparse.FileType now supports an argument of '-'; in binary mode, returning the .buffer attribute of sys.stdin/sys.stdout as appropriate. Modes including 'x' and 'a' are treated equivalently to 'w' when argument is '-'. Patch contributed by Josh Rosenberg
• Update to 3.9.11: - bpo-46852: Rename the private undocumented float.__set_format__() method to float.__setformat__() to fix a typo introduced in Python 3.7. The method is only used by test_float. Patch by Victor Stinner. - bpo-46794: Bump up the libexpat version into 2.4.6 - bpo-46762: Fix an assert failure in debug builds when a '<', '>', or '=' is the last character in an f-string that's missing a closing right brace. - bpo-46732: Correct the docstring for the __bool__() method. Patch by Jelle Zijlstra. - bpo-40479: Add a missing call to va_end() in Modules/_hashopenssl.c. - bpo-46615: When iterating over sets internally in setobject.c, acquire strong references to the resulting items from the set. This prevents crashes in corner-cases of various set operations where the set gets mutated. - bpo-43721: Fix docstrings of getter, setter, and deleter to clarify that they create a new copy of the property. - bpo-46503: Fix an assert when parsing some invalid N escape sequences in f-strings. - bpo-46417: Fix a race condition on setting a type __bases__ attribute: the internal function add_subclass() now gets the PyTypeObject.tp_subclasses member after calling PyWeakref_NewRef() which can trigger a garbage collection which can indirectly modify PyTypeObject.tp_subclasses. Patch by Victor Stinner. - bpo-46383: Fix invalid signature of _zoneinfo's module_free function to resolve a crash on wasm32-emscripten platform. - bpo-43253: Fix a crash when closing transports where the underlying socket handle is already invalid on the Proactor event loop. - bpo-47004: Apply bugfixes from importlib_metadata 4.11.3, including bugfix for EntryPoint.extras, which was returning match objects and not the extras strings. - bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4) - bpo-46968: faulthandler: On Linux 5.14 and newer, dynamically determine size of signal handler stack size CPython allocates using getauxval(AT_MINSIGSTKSZ). This changes allows for Python extension's request to Linux kernel to use AMX_TILE instruction set on Sapphire Rapids Xeon processor to succeed, unblocking use of the ISA in frameworks. - bpo-46955: Expose asyncio.base_events.Server as asyncio.Server. Patch by Stefan Zabka. - bpo-46932: Update bundled libexpat to 2.4.7 - bpo-25707: Fixed a file leak in xml.etree.ElementTree.iterparse() when the iterator is not exhausted. Patch by Jacob Walls. - bpo-44886: Inherit asyncio proactor datagram transport from asyncio.DatagramTransport. - bpo-46827: Support UDP sockets in asyncio.loop.sock_connect() for selector-based event loops. Patch by Thomas Grainger. - bpo-46811: Make test suite support Expat >=2.4.5 - bpo-46252: Raise TypeError if ssl.SSLSocket is passed to transport-based APIs. - bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or statically linked libexpat in embedded Python. - bpo-39327: shutil.rmtree() can now work with VirtualBox shared folders when running from the guest operating-system. - bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI example.org/foobar was allowed if the user was authorized for URI example.org/foo. - bpo-45863: When the tarfile module creates a pax format archive, it will put an integer representation of timestamps in the ustar header (if possible) for the benefit of older unarchivers, in addition to the existing full-precision timestamps in the pax extended header. - bpo-46672: Fix NameError in asyncio.gather() when initial type check fails. - bpo-45948: Fixed a discrepancy in the C implementation of the xml.etree.ElementTree module. Now, instantiating an xml.etree.ElementTree.XMLParser with a target=None keyword provides a default xml.etree.ElementTree.TreeBuilder target as the Python implementation does. - bpo-46591: Make the IDLE doc URL on the About IDLE dialog clickable. - bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4 - bpo-46487: Add the get_write_buffer_limits method to asyncio.transports.WriteTransport and to the SSL transport. - bpo-46539: In typing.get_type_hints(), support evaluating stringified ClassVar and Final annotations inside Annotated. Patch by Gregory Beauregard. - bpo-46491: Allow typing.Annotated to wrap typing.Final and typing.ClassVar. Patch by Gregory Beauregard. - bpo-46436: Fix command-line option -d/--directory in module http.server which is ignored when combined with command-line option --cgi. Patch by Géry Ogam. - bpo-41403: Make mock.patch() raise a TypeError with a relevant error message on invalid arg. Previously it allowed a cryptic AttributeError to escape. - bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by limiting ambiguity in consecutive whitespace. - bpo-46469: asyncio generic classes now return types.GenericAlias in __class_getitem__ instead of the same class. - bpo-46434: pdb now gracefully handles help when __doc__ is missing, for example when run with pregenerated optimized .pyc files. - bpo-46333: The __eq__() and __hash__() methods of typing.ForwardRef now honor the module parameter of typing.ForwardRef. Forward references from different modules are now differentiated. - bpo-43118: Fix a bug in inspect.signature() that was causing it to fail on some subclasses of classes with a __text_signature__ referencing module globals. Patch by Weipeng Hong. - bpo-21987: Fix an issue with tarfile.TarFile.getmember() getting a directory name with a trailing slash. - bpo-20392: Fix inconsistency with uppercase file extensions in MimeTypes.guess_type(). Patch by Kumar Aditya. - bpo-46080: Fix exception in argparse help text generation if a argparse.BooleanOptionalAction argument's default is argparse.SUPPRESS and it has help specified. Patch by Felix Fontein. - bpo-44439: Fix .write() method of a member file in ZipFile, when the input data is an object that supports the buffer protocol, the file length may be wrong. - bpo-45703: When a namespace package is imported before another module from the same namespace is created/installed in a different sys.path location while the program is running, calling the importlib.invalidate_caches() function will now also guarantee the new module is noticed. - bpo-24959: Fix bug where unittest sometimes drops frames from tracebacks of exceptions raised in tests. - bpo-46463: Fixes escape4chm.py script used when building the CHM documentation file - bpo-46913: Fix test_faulthandler.test_sigfpe() if Python is built with undefined behavior sanitizer (UBSAN): disable UBSAN on the faulthandler_sigfpe() function. Patch by Victor Stinner. - bpo-46708: Prevent default asyncio event loop policy modification warning after test_asyncio execution. - bpo-46616: Ensures test_importlib.test_windows cleans up registry keys after completion. - bpo-44359: test_ftplib now silently ignores socket errors to prevent logging unhandled threading exceptions. Patch by Victor Stinner. - bpo-46542: Fix a Python crash in test_lib2to3 when using Python built in debug mode: limit the recursion limit. Patch by Victor Stinner. - bpo-46576: test_peg_generator now disables compiler optimization when testing compilation of its own C extensions to significantly speed up the testing on non-debug builds of CPython. - bpo-46542: Fix test_json tests checking for RecursionError: modify these tests to use support.infinite_recursion(). Patch by Victor Stinner. - bpo-13886: Skip test_builtin PTY tests on non-ASCII characters if the readline module is loaded. The readline module changes input() behavior, but test_builtin is not intented to test the readline module. Patch by Victor Stinner. - bpo-38472: Fix GCC detection in setup.py when cross-compiling. The C compiler is now run with LC_ALL=C. Previously, the detection failed with a German locale. - bpo-46513: configure no longer uses AC_C_CHAR_UNSIGNED macro and pyconfig.h no longer defines reserved symbol __CHAR_UNSIGNED__. - bpo-45925: Update Windows installer to use SQLite 3.37.2. - bpo-45296: Clarify close, quit, and exit in IDLE. In the File menu, 'Close' and 'Exit' are now 'Close Window' (the current one) and 'Exit' is now 'Exit IDLE' (by closing all windows). In Shell, 'quit()' and 'exit()' mean 'close Shell'. If there are no other windows, this also exits IDLE. - bpo-45447: Apply IDLE syntax highlighting to pyi files. Patch by Alex Waygood and Terry Jan Reedy.

SUSE-CU-2022:1373-1

SUSE-CU-2022:1344-1

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

SUSE-CU-2022:1304-1

SUSE-CU-2022:1285-1

SUSE-CU-2022:1261-1

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for glibc fixes the following issues:

• Add the correct name for the IBM Z16 (bsc#1198751).

SUSE-CU-2022:1227-1

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

SUSE-CU-2022:1225-1

This update for pcre2 fixes the following issues:

• CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

SUSE-CU-2022:1205-1

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issue:

• Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

This update for libcbor fixes the following issues:

• Fix build errors occuring on SUSE Linux Enterprise 15 Service Pack 4

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
• CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

SUSE-CU-2022:969-1

This update for git fixes the following issues:

• Updated to version 2.35.3: - CVE-2022-24765: Fixed a potential command injection via git worktree (bsc#1198234).

This update for python39 fixes the following issues:

• CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

• Update to 3.9.10 (jsc#SLE-23849)

• Remove shebangs from from python-base libraries in _libdir. (bsc#1193179)

• Update to 3.9.9: * Core and Builtins + bpo-30570: Fixed a crash in issubclass() from infinite recursion when searching pathological __bases__ tuples. + bpo-45494: Fix parser crash when reporting errors involving invalid continuation characters. Patch by Pablo Galindo. + bpo-45385: Fix reference leak from descr_check. Patch by Dong-hee Na. + bpo-45167: Fix deepcopying of types.GenericAlias objects. + bpo-44219: Release the GIL while performing isatty system calls on arbitrary file descriptors. In particular, this affects os.isatty(), os.device_encoding() and io.TextIOWrapper. By extension, io.open() in text mode is also affected. This change solves a deadlock in os.isatty(). Patch by Vincent Michel in bpo-44219. + bpo-44959: Added fallback to extension modules with '.sl' suffix on HP-UX + bpo-44050: Extensions that indicate they use global state (by setting m_size to -1) can again be used in multiple interpreters. This reverts to behavior of Python 3.8. + bpo-45121: Fix issue where Protocol.__init__ raises RecursionError when it's called directly or via super(). Patch provided by Yurii Karabas. + bpo-45083: When the interpreter renders an exception, its name now has a complete qualname. Previously only the class name was concatenated to the module name, which sometimes resulted in an incorrect full name being displayed. + bpo-45738: Fix computation of error location for invalid continuation characters in the parser. Patch by Pablo Galindo. + Library + bpo-45678: Fix bug in Python 3.9 that meant functools.singledispatchmethod failed to properly wrap the attributes of the target method. Patch by Alex Waygood. + bpo-45679: Fix caching of multi-value typing.Literal. Literal[True, 2] is no longer equal to Literal[1, 2]. + bpo-45438: Fix typing.Signature string representation for generic builtin types. + bpo-45581: sqlite3.connect() now correctly raises MemoryError if the underlying SQLite API signals memory error. Patch by Erlend E. Aasland. + bpo-39679: Fix bug in functools.singledispatchmethod that caused it to fail when attempting to register a classmethod() or staticmethod() using type annotations. Patch contributed by Alex Waygood. + bpo-45515: Add references to zoneinfo in the datetime documentation, mostly replacing outdated references to dateutil.tz. Change by Paul Ganssle. + bpo-45467: Fix incremental decoder and stream reader in the 'raw-unicode-escape' codec. Previously they failed if the escape sequence was split. + bpo-45461: Fix incremental decoder and stream reader in the 'unicode-escape' codec. Previously they failed if the escape sequence was split. + bpo-45239: Fixed email.utils.parsedate_tz() crashing with UnboundLocalError on certain invalid input instead of returning None. Patch by Ben Hoyt. + bpo-44904: Fix bug in the doctest module that caused it to fail if a docstring included an example with a classmethod property. Patch by Alex Waygood. + bpo-45406: Make inspect.getmodule() catch FileNotFoundError raised by :'func:inspect.getabsfile, and return None to indicate that the module could not be determined. + bpo-45262: Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop + bpo-45386: Make xmlrpc.client more robust to C runtimes where the underlying C strftime function results in a ValueError when testing for year formatting options. + bpo-45371: Fix clang rpath issue in distutils. The UnixCCompiler now uses correct clang option to add a runtime library directory (rpath) to a shared library. + bpo-20028: Improve error message of csv.Dialect when initializing. Patch by Vajrasky Kok and Dong-hee Na. + bpo-45343: Update bundled pip to 21.2.4 and setuptools to 58.1.0 + bpo-41710: On Unix, if the sem_clockwait() function is available in the C library (glibc 2.30 and newer), the threading.Lock.acquire() method now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout, rather than using the system clock (time.CLOCK_REALTIME), to not be affected by system clock changes. Patch by Victor Stinner. + bpo-45328: Fixed http.client.HTTPConnection to work properly in OSs that don't support the TCP_NODELAY socket option. + bpo-1596321: Fix the threading._shutdown() function when the threading module was imported first from a thread different than the main thread: no longer log an error at Python exit. + bpo-45274: Fix a race condition in the Thread.join() method of the threading module. If the function is interrupted by a signal and the signal handler raises an exception, make sure that the thread remains in a consistent state to prevent a deadlock. Patch by Victor Stinner. + bpo-45238: Fix unittest.IsolatedAsyncioTestCase.debug(): it runs now asynchronous methods and callbacks. + bpo-36674: unittest.TestCase.debug() raises now a unittest.SkipTest if the class or the test method are decorated with the skipping decorator. + bpo-45235: Fix an issue where argparse would not preserve values in a provided namespace when using a subparser with defaults. + bpo-45234: Fixed a regression in copyfile(), copy(), copy2() raising FileNotFoundError when source is a directory, which should raise IsADirectoryError + bpo-45228: Fix stack buffer overflow in parsing J1939 network address. + bpo-45192: Fix the tempfile._infer_return_type function so that the dir argument of the tempfile functions accepts an object implementing the os.PathLike protocol. + bpo-45160: When tracing a tkinter variable used by a ttk OptionMenu, callbacks are no longer made twice. + bpo-35474: Calling mimetypes.guess_all_extensions() with strict=False no longer affects the result of the following call with strict=True. Also, mutating the returned list no longer affects the global state. + bpo-45166: typing.get_type_hints() now works with Final wrapped in ForwardRef. + bpo-45097: Remove deprecation warnings about the loop argument in asyncio incorrectly emitted in cases when the user does not pass the loop argument. + bpo-45081: Fix issue when dataclasses that inherit from typing.Protocol subclasses have wrong __init__. Patch provided by Yurii Karabas. + bpo-24444: Fixed an error raised in argparse help display when help for an option is set to 1+ blank spaces or when choices arg is an empty container. + bpo-45021: Fix a potential deadlock at shutdown of forked children when using concurrent.futures module + bpo-45030: Fix integer overflow in pickling and copying the range iterator. + bpo-39039: tarfile.open raises ReadError when a zlib error occurs during file extraction. + bpo-44594: Fix an edge case of ExitStack and AsyncExitStack exception chaining. They will now match with block behavior when __context__ is explicitly set to None when the exception is in flight. * Documentation + bpo-45726: Improve documentation for functools.singledispatch() and functools.singledispatchmethod. + bpo-45680: Amend the docs on GenericAlias objects to clarify that non-container classes can also implement __class_getitem__. Patch contributed by Alex Waygood. + bpo-45655: Add a new 'relevant PEPs' section to the top of the documentation for the typing module. Patch by Alex Waygood. + bpo-45604: Add level argument to multiprocessing.log_to_stderr function docs. + bpo-45464: Mention in the documentation of Built-in Exceptions that inheriting from multiple exception types in a single subclass is not recommended due to possible memory layout incompatibility. + bpo-45449: Add note about PEP 585 in collections.abc. + bpo-45516: Add protocol description to the importlib.abc.Traversable documentation. + bpo-20692: Add Programming FAQ entry explaining that int literal attribute access requires either a space after or parentheses around the literal. + bpo-45216: Remove extra documentation listing methods in difflib. It was rendering twice in pydoc and was outdated in some places. + bpo-45772: socket.socket documentation is corrected to a class from a function. + bpo-45392: Update the docstring of the type built-in to remove a redundant line and to mention keyword arguments for the constructor. * Tests + bpo-45578: Add tests for dis.distb() + bpo-45577: Add subtests for all pickle protocols in test_zoneinfo. + bpo-43592: test.libregrtest now raises the soft resource limit for the maximum number of file descriptors when the default is too low for our test suite as was often the case on macOS. + bpo-40173: Fix test.support.import_helper.import_fresh_module(). + bpo-45280: Add a test case for empty typing.NamedTuple. + bpo-45269: Cover case when invalid markers type is supplied to c_make_encoder. + bpo-45209: Fix UserWarning: resource_tracker warning in _test_multiprocessing._TestSharedMemory.test_shared_memory_cleaned_after_process_termination + bpo-45195: Fix test_readline.test_nonascii(): sometimes, the newline character is not written at the end, so don't expect it in the output. Patch by Victor Stinner. + bpo-45156: Fixes infinite loop on unittest.mock.seal() of mocks created by create_autospec(). + bpo-45042: Fixes that test classes decorated with @hashlib_helper.requires_hashdigest were skipped all the time. + bpo-45235: Reverted an argparse bugfix that caused regression in the handling of default arguments for subparsers. This prevented leaf level arguments from taking precedence over root level arguments. + bpo-45765: In importlib.metadata, fix distribution discovery for an empty path. + bpo-45644: In-place JSON file formatting using python3 -m json.tool infile infile now works correctly, previously it left the file empty. Patch by Chris Wesseling. * Build + bpo-43158: setup.py now uses values from configure script to build the _uuid extension module. Configure now detects util-linux's libuuid, too. + bpo-45571: Modules/Setup now use PY_CFLAGS_NODIST instead of PY_CFLAGS to compile shared modules. + bpo-45532: Update sys.version to use main as fallback information. Patch by Jeong YunWon. + bpo-45405: Prevent internal configure error when running configure with recent versions of non-Apple clang. Patch by David Bohman. + bpo-45220: Avoid building with the Windows 11 SDK previews automatically. This may be overridden by setting the DefaultWindowsSDKVersion environment variable before building. * C API + bpo-44687: BufferedReader.peek() no longer raises ValueError when the entire file has already been buffered. + bpo-44751: Remove crypt.h include from the public Python.h header.

• rpm-build-python dependency is available on the current Factory, not with SLE.

• BuildRequire rpm-build-python: The provider to inject python(abi) has been moved there. rpm-build pulls rpm-build-python automatically in when building anything against python3-base, but this implies that the initial build of python3-base does not trigger the automatic installation.

• Update to 3.9.7: - Security - Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition. - Add auditing events to the marshal module, and stop raising code.__init__ events for every unmarshalled code object. Directly instantiated code objects will continue to raise an event, and audit event handlers should inspect or collect the raw marshal data. This reduces a significant performance overhead when loading from .pyc files. - Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection. - Core and Builtins - Fixed pickling of range iterators that iterated for over 2**32 times. - Fix a race in WeakKeyDictionary, WeakValueDictionary and WeakSet when two threads attempt to commit the last pending removal. This fixes asyncio.create_task and fixes a data loss in asyncio.run where shutdown_asyncgens is not run - Fixed a corner case bug where the result of float.fromhex('0x.8p-1074') was rounded the wrong way. - Refine the syntax error for trailing commas in import statements. Patch by Pablo Galindo. - Restore behaviour of complex exponentiation with integer-valued exponent of type float or complex. - Correct the ast locations of f-strings with format specs and repeated expressions. Patch by Pablo Galindo - Use new trashcan macros (Py_TRASHCAN_BEGIN/END) in frameobject.c instead of the old ones (Py_TRASHCAN_SAFE_BEGIN/END). - Fix segmentation fault with deep recursion when cleaning method objects. Patch by Augusto Goulart and Pablo Galindo. - Fix bug where PyErr_SetObject hangs when the current exception has a cycle in its context chain. - Fix reference leaks in the error paths of update_bases() and __build_class__. Patch by Pablo Galindo. - Fix undefined behaviour in complex object exponentiation. - Remove uses of PyObject_GC_Del() in error path when initializing types.GenericAlias. - Remove the pass-through for hash() of weakref.proxy objects to prevent unintended consequences when the original referred object dies while the proxy is part of a hashable object. Patch by Pablo Galindo. - Fix ltrace functionality when exceptions are raised. Patch by Pablo Galindo - Fix a crash at Python exit when a deallocator function removes the last strong reference to a heap type. Patch by Victor Stinner. - Fix crash when using passing a non-exception to a generator's throw() method. Patch by Noah Oxer - Library - run() now always return a TestResult instance. Previously it returned None if the test class or method was decorated with a skipping decorator. - Fix bugs in cleaning up classes and modules in unittest: - Functions registered with addModuleCleanup() were not called unless the user defines tearDownModule() in their test module. - Functions registered with addClassCleanup() were not called if tearDownClass is set to None. - Buffering in TestResult did not work with functions registered with addClassCleanup() and addModuleCleanup(). - Errors in functions registered with addClassCleanup() and addModuleCleanup() were not handled correctly in buffered and debug modes. - Errors in setUpModule() and functions registered with addModuleCleanup() were reported in wrong order. - And several lesser bugs. - Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee. - Fix a crash in the signal handler of the faulthandler module: no longer modify the reference count of frame objects. Patch by Victor Stinner. - Method stopTestRun() is now always called in pair with method startTestRun() for TestResult objects implicitly created in run(). Previously it was not called for test methods and classes decorated with a skipping decorator. - argparse.BooleanOptionalAction's default value is no longer printed twice when used with argparse.ArgumentDefaultsHelpFormatter. - Upgrade bundled pip to 21.2.3 and setuptools to 57.4.0 - Fix the os.set_inheritable() function on FreeBSD 14 for file descriptor opened with the O_PATH flag: ignore the EBADF error on ioctl(), fallback on the fcntl() implementation. Patch by Victor Stinner. - The @functools.total_ordering() decorator now works with metaclasses. - sqlite3 user-defined functions and aggregators returning strings with embedded NUL characters are no longer truncated. Patch by Erlend E. Aasland. - Always show loop= arg deprecations in asyncio.gather() and asyncio.sleep() - Non-protocol subclasses of typing.Protocol ignore now the __init__ method inherited from protocol base classes. - The tokenize.tokenize() doesn't incorrectly generate a NEWLINE token if the source doesn't end with a new line character but the last line is a comment, as the function is already generating a NL token. Patch by Pablo Galindo - Fix http.client.HTTPSConnection fails to download >2GiB data. - rcompleter does not call getattr() on property objects to avoid the side-effect of evaluating the corresponding method. - weakref.proxy objects referencing non-iterators now raise TypeError rather than dereferencing the null tp_iternext slot and crashing. - The implementation of collections.abc.Set._hash() now matches that of frozenset.__hash__(). - Fixed issue in compileall.compile_file() when sys.stdout is redirected. Patch by Stefan Hölzl. - Give priority to using the current class constructor in inspect.signature(). Patch by Weipeng Hong. - Fix memory leak in _tkinter._flatten() if it is called with a sequence or set, but not list or tuple. - Update shutil.copyfile() to raise FileNotFoundError instead of confusing IsADirectoryError when a path ending with a os.path.sep does not exist; shutil.copy() and shutil.copy2() are also affected. - handle StopIteration subclass raised from @contextlib.contextmanager generator - Make the implementation consistency of indexOf() between C and Python versions. Patch by Dong-hee Na. - Fixes TypedDict to work with typing.get_type_hints() and postponed evaluation of annotations across modules. - Fix bug with pdb's handling of import error due to a package which does not have a __main__ module - Fixed an exception thrown while parsing a malformed multipart email by email.message.EmailMessage. - pathlib.PureWindowsPath.is_reserved() now identifies a greater range of reserved filenames, including those with trailing spaces or colons. - Handle exceptions from parsing the arg of pdb's run/restart command. - The sqlite3 context manager now performs a rollback (thus releasing the database lock) if commit failed. Patch by Luca Citi and Erlend E. Aasland. - Improved string handling for sqlite3 user-defined functions and aggregates: - It is now possible to pass strings with embedded null characters to UDFs - Conversion failures now correctly raise MemoryError - Patch by Erlend E. Aasland. - Handle RecursionError in TracebackException's constructor, so that long exceptions chains are truncated instead of causing traceback formatting to fail. - Fix email.message.EmailMessage.set_content() when called with binary data and 7bit content transfer encoding. - The compresslevel and preset keyword arguments of tarfile.open() are now both documented and tested. - Fixed a Y2k38 bug in the compileall module where it would fail to compile files with a modification time after the year 2038. - Fix test___all__ on platforms lacking a shared memory implementation. - Pass multiprocessing BaseProxy argument manager_owned through AutoProxy. - email.utils.getaddresses() now accepts email.header.Header objects along with string values. Patch by Zackery Spytz. - lib2to3 now recognizes async generators everywhere. - Fix TypeError when required subparsers without dest do not receive arguments. Patch by Anthony Sottile. - Documentation - Removed the othergui.rst file, any references to it, and the list of GUI frameworks in the FAQ. In their place I've added links to the Python Wiki page on GUI frameworks. - Update the definition of __future__ in the glossary by replacing the confusing word 'pseudo-module' with a more accurate description. - Add typical examples to os.path.splitext docs - Clarify that shutil.make_archive() is not thread-safe due to reliance on changing the current working directory. - Update of three expired hyperlinks in Doc/distributing/index.rst: 'Project structure', 'Building and packaging the project', and 'Uploading the project to the Python Packaging Index'. - Updated the docstring and docs of filecmp.cmp() to be more accurate and less confusing especially in respect to shallow arg. - Match the docstring and python implementation of countOf() to the behavior of its c implementation. - List all kwargs for textwrap.wrap(), textwrap.fill(), and textwrap.shorten(). Now, there are nav links to attributes of TextWrap, which makes navigation much easier while minimizing duplication in the documentation. - Clarify that atexit uses equality comparisons internally. - Documentation of csv.Dialect is more descriptive. - Fix documentation for the return type of sysconfig.get_path(). - Add a 'Security Considerations' index which links to standard library modules that have explicitly documented security considerations. - Remove the unqualified claim that tkinter is threadsafe. It has not been true for several years and likely never was. An explanation of what is true may be added later, after more discussion, and possibly after patching _tkinter.c, - Tests - Add calls of gc.collect() in tests to support PyPy. - Made tests relying on the _asyncio C extension module optional to allow running on alternative Python implementations. Patch by Serhiy Storchaka. - Fix auto history tests of test_readline: sometimes, the newline character is not written at the end, so don't expect it in the output. - Add ability to wholesale silence DeprecationWarnings while running the regression test suite. - Notify users running test_decimal regression tests on macOS of potential harmless 'malloc can't allocate region' messages spewed by test_decimal. - Fixed floating point precision issue in turtle tests. - Regression tests, when run with -w, are now re-running only the affected test methods instead of re-running the entire test file. - Add test for nested queues when using multiprocessing shared objects AutoProxy[Queue] inside ListProxy and DictProxy

• Add building with --with-system-libmpdec option (bsc#1189356).

• test_faulthandler is still problematic under qemu linux-user emulation, disable it there
• Reenable profileopt with qemu emulation, test_faulthandler is no longer run during profiling

This update for systemd fixes the following issues:

• tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
• journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
• tmpfiles: constify item_compatible() parameters
• test tmpfiles: add a test for 'w+'
• test: add test checking tmpfiles conf file precedence
• journald: make use of CLAMP() in cache_space_refresh()
• journal-file: port journal_file_open() to openat_report_new()
• fs-util: make sure openat_report_new() initializes return param also on shortcut
• fs-util: fix typos in comments
• fs-util: add openat_report_new() wrapper around openat()

SUSE-CU-2022:849-1

SUSE-CU-2022:824-1

SUSE-CU-2022:823-1

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for glib2 fixes the following issues:

• CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

SUSE-CU-2022:772-1

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

SUSE-CU-2022:747-1

This update for openldap2 fixes the following issues:

• allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
• libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
• restore CLDAP functionality in CLI tools (jsc#PM-3288)

SUSE-CU-2022:746-1

SUSE-CU-2022:707-1

SUSE-CU-2022:706-1

This update for e2fsprogs fixes the following issues:

• Add support for 'libreadline7' for Leap. (bsc#1196939)

SUSE-CU-2022:677-1

SUSE-CU-2022:676-1

SUSE-CU-2022:651-1

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

SUSE-CU-2022:613-1

This update for libsolv, libzypp, zypper fixes the following issues:
Security relevant fix:

• Harden package signature checks (bsc#1184501).

• reworked choice rule generation to cover more usecases
• support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
• support parsing of Debian's Multi-Arch indicator
• fix segfault on conflict resolution when using bindings
• fix split provides not working if the update includes a forbidden vendor change
• support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
• support zstd compressed control files in debian packages
• add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
• support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata
• support queying of the custom vendor check function new function: pool_get_custom_vendorcheck
• support solv files with an idarray block
• allow accessing the toolversion at runtime

• ZConfig: Update solver settings if target changes (bsc#1196368)
• Fix possible hang in singletrans mode (bsc#1197134)
• Do 2 retries if mount is still busy.
• Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
• Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release it's loop device. So we wait a bit and retry.
• Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
• Fix handling of ISO media in releaseAll (bsc#1196061)
• Hint on common ptf resolver conflicts (bsc#1194848)
• Hint on ptf<>patch resolver conflicts (bsc#1194848)

• info: print the packages upstream URL if available (fixes #426)
• info: Fix SEGV with not installed PTFs (bsc#1196317)
• Don't prevent less restrictive umasks (bsc#1195999)

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• Fix the default target when it's been incorrectly set to one of the runlevel targets (bsc#1196567)
• When migrating from sysvinit to systemd (it probably won't happen anymore), let's use the default systemd target, which is the graphical.target one.
• Don't open /var journals in volatile mode when runtime_journal==NULL
• udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
• man: tweak description of auto/noauto (bsc#1191502)
• shared/install: ignore failures for auxiliary files
• install: make UnitFileChangeType enum anonymous
• shared/install: reduce scope of iterator variables
• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23867)
• Update s390 udev rules conversion script to include the case when the legacy rule was also 41-* (bsc#1195247)
• Drop or soften some of the deprecation warnings (bsc#1193086)

SUSE-CU-2022:553-1

This update for aaa_base fixes the following issues:

• Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
• Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library

This update for util-linux fixes the following issue:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

SUSE-CU-2022:489-1

This update for yaml-cpp fixes the following issues:

• CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
• CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
• CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
• CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

SUSE-CU-2022:465-1

This update for protobuf fixes the following issues:

• CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

SUSE-CU-2022:431-1

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

SUSE-CU-2022:371-1

This update for libeconf fixes the following issue:

• Solve a downgrade issue between SUSE Linux Enterprise SP3 and lower (bsc#1188348)

This update for yast2-network fixes the following issues:

• Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This security update for libeconf, shadow and util-linux fix the following issues:
libeconf:

• Add libeconf to SLE-Module-Basesystem_15-SP3 because needed by 'util-linux' and 'shadow' to fix autoyast handling of security related parameters (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

• Reading numbers with different bases (e.g. oktal) (bsc#1193632) (#157)
• Fixed different issues while writing string values to file.
• Writing comments to file too.
• Fixed crash while merging values.
• Added econftool cat option (#146)
• new API call: econf_readDirsHistory (showing ALL locations)
• new API call: econf_getPath (absolute path of the configuration file)
• Man pages libeconf.3 and econftool.8.
• Handling multiline strings.
• Added libeconf_ext which returns more information like line_nr, comments, path of the configuration file,...
• Econftool, an command line interface for handling configuration files.
• Generating HTML API documentation with doxygen.
• Improving error handling and semantic file check.
• Joining entries with the same key to one single entry if env variable ECONF_JOIN_SAME_ENTRIES has been set.

• The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)

• The legacy code does not support /etc/login.defs.d used by YaST. Enable libeconf to read it (bsc#1192954, jsc#SLE-23384, jsc#SLE-23402)
• Allow use of larger values for start sector to prevent `blockdev --report` aborting (bsc#1188507)
• Fixed `blockdev --report` using non-space characters as a field separator (bsc#1188507)
• CVE-2021-3995: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)
• CVE-2021-3996: Fixed unauthorized unmount in util-linux's libmount. (bsc#1194976)

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

• postfix: sasl authentication with password fails (bsc#1194265).

This update for openldap2 fixes the following issue:

• restore CLDAP functionality in CLI tools (jsc#PM-3288)

This update for libzypp, zypper fixes the following issues:

• Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for procps fixes the following issues:

• Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

This update for expat fixes the following issues:

• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server

• Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
• Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

• Enable syscallfilter unconditionally [bsc#1181826].

• By default we don't write log files but log to journald, so only recommend logrotate.

• Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

• Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

• Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

• Add support for more accurate reading of PHC on Linux 5.0
• Add support for hardware timestamping on interfaces with read-only timestamping configuration
• Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
• Update seccomp filter to work on more architectures
• Validate refclock driver options
• Fix bindaddress directive on FreeBSD
• Fix transposition of hardware RX timestamp on Linux 4.13 and later
• Fix building on non-glibc systems

• Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

• Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for openldap2 fixes the following issue:

• Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

This update for util-linux fixes the following issues:

• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
• Fix `su -s` bash completion. (bsc#1172427)

SUSE-CU-2022:217-1

This update for cyrus-sasl fixes the following issues:

• Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265)
• Add config parameter '--with-dblib=gdbm'
• Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.

This update for expat fixes the following issues:

• CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
• CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

This update for rpm fixes the following issues:

• Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)

This update for systemd fixes the following issues:

• CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178).

• udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)
• localectl: don't omit keymaps files that are symlinks (bsc#1191826)

SUSE-CU-2022:172-1

SUSE-CU-2022:142-1

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398). The following packages were included:

• python3-grpcio
• python3-protobuf
• python3-google-api-core
• python3-google-cloud-core
• python3-google-cloud-storage
• python3-google-resumable-media
• python3-googleapis-common-protos
• python3-grpcio-gcp
• python3-mock (updated to version 3.0.5)

libprotobuf was updated to fix:

• ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

This update for protobuf fixes the following issues:

• Add missing dependency of python subpackages on python-six. (bsc#1177127)

This update for util-linux fixes the following issues:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

This update for yast2-network fixes the following issues:

• Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
• Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
• Consider aliases sections as case insensitive (bsc#1190739).
• Display user defined device name in the devices overview (bnc#1190645).
• Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
• Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
• Fix desktop file so the control center tooltip is translated (bsc#1187270).
• Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
• Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

• Choice rules: treat orphaned packages as newest (bsc#1190465)
• Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
• Do not check of signatures and keys two times(redundant) (bsc#1190059)
• Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
• Show key fpr from signature when signature check fails (bsc#1187224)
• Fix solver jobs for PTFs (bsc#1186503)
• Fix purge-kernels fails (bsc#1187738)
• Fix obs:// platform guessing for Leap (bsc#1187425)
• Make sure to keep states alives while transitioning. (bsc#1190199)
• Manpage: Improve description about patch updates(bsc#1187466)
• Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
• Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
• Fix crashes in logging code when shutting down (bsc#1189031)
• Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
• Add need reboot/restart hint to XML install summary (bsc#1188435)
• Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
• Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for less fixes the following issues:

• Add missing runtime dependency on package 'which', that is used by lessopen.sh (bsc#1190552)

This update for rpm-config-SUSE fixes the following issues:

• Support ZSTD compressed kernel modules. (bsc#1190850)

This update for git fixes the following issues:

• Installation of the 'git-daemon' package needs nogroup group dependency (bsc#1192023)

This update for rpm-config-SUSE fixes the following issues:

• Add support for the kernel xz-compressed firmware files (bsc#1192160)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for systemd fixes the following issues:

• Add timestamp to D-Bus events to improve traceability (jsc#SLE-17798)
• Fix fd_is_mount_point() when both the parent and directory are network file systems (bsc#1190984)
• Support detection for ARM64 Hyper-V guests (bsc#1186071)
• Fix systemd-detect-virt not detecting Amazon EC2 Nitro instance (bsc#1190440)
• Enable support for Portable Services in openSUSE Leap only (jsc#SLE-21694)
• Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)

This update for libzypp, zypper fixes the following issues:
libzypp:

• Check log writer before accessing it (bsc#1192337)
• Zypper should keep cached files if transaction is aborted (bsc#1190356)
• Require a minimum number of mirrors for multicurl (bsc#1191609)
• Fixed slowdowns when rlimit is too high by using procfs to detect niumber of open file descriptors (bsc#1191324)
• Fixed zypper incomplete messages when using non English localization (bsc#1191370)
• RepoManager: Don't probe for plaindir repository if the URL schema is a plugin (bsc#1191286)
• Disable logger in the child process after fork (bsc#1192436)

• Fixed Zypper removing a kernel explicitely pinned that uses uname -r output format as name (openSUSE/zypper#418)

This update for cracklib fixes the following issues:

• Enable build time tests (bsc#1191736)

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for aaa_base fixes the following issues:

• Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
• Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
• Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
• Support xz compressed kernel (bsc#1162581)

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for openssh fixes the following issues:

• CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

This update for system-users fixes the following issues:

• system-user-tss.conf: Removed group entry because it's not needed and contained syntax errors (bsc#1190401)

glibc was updated to fix the following issue:

• Support for new IBM Z Hardware (bsc#1191592, jsc#IBM-869)

This update for openssl-1_1 fixes the following issues:

• Remove previously applied patch because it interferes with FIPS validation (bsc#1161276)

This update for openssh fixes the following issues:

• CVE-2021-28041: Fixed double free in ssh-agent (bsc#1183137).

This update for p11-kit fixes the following issues:

• CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

This update for systemd fixes the following issues:

• Bump the max number of inodes for /dev to a million (bsc#1192858)
• sleep: don't skip resume device with low priority/available space (bsc#1192423)
• test: use kbd-mode-map we ship in one more test case
• test-keymap-util: always use kbd-model-map we ship
• Add rules for virtual devices and enforce 'none' for loop devices. (bsc#1193759)

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

This update for permissions fixes the following issues:

• Update to version 20181225: * drop ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504)

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

This update for systemd fixes the following issues:

• CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles which could cause a minor denial of service. (bsc#1194178)

This update for python39-pip fixes the following issues:

• CVE-2021-3572: Fixed incorrect handling of unicode separators in git references (bsc#1186819).

This update for openssl-1_1 fixes the following issues:

• Add RSA_get0_pss_params() accessor that is used by nodejs16 and provide openssl-has-RSA_get0_pss_params (bsc#1192489)

This update for rpm fixes the following issues:

• Fix header check so that old rpms no longer get rejected (bsc#1190824)
• Add explicit requirement on python-rpm-macros (bsc#1180125, bsc#1193711)

This update for permissions fixes the following issues:

• Update to version 20181225: setuid bit for cockpit session binary (bsc#1169614).

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

This update for glibc fixes the following issues:

• Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).

This update for git fixes the following issues:

• update to 2.34.1 (bsc#1193722): * 'git grep' looking in a blob that has non-UTF8 payload was completely broken when linked with certain versions of PCREv2 library in the latest release. * 'git pull' with any strategy when the other side is behind us should succeed as it is a no-op, but doesn't. * An earlier change in 2.34.0 caused JGit application (that abused GIT_EDITOR mechanism when invoking 'git config') to get stuck with a SIGTTOU signal; it has been reverted. * An earlier change that broke .gitignore matching has been reverted. * SubmittingPatches document gained a syntactically incorrect mark-up, which has been corrected.

• git 2.33.0: * 'git send-email' learned the '--sendmail-cmd' command line option and the 'sendemail.sendmailCmd' configuration variable, which is a more sensible approach than the current way of repurposing the 'smtp-server' that is meant to name the server to instead name the command to talk to the server. * The userdiff pattern for C# learned the token 'record'. * 'git rev-list' learns to omit the 'commit ' header lines from the output with the `--no-commit-header` option. * 'git worktree add --lock' learned to record why the worktree is locked with a custom message. * internal improvements including performance optimizations * a number of bug fixes

• git 2.32.0: * '.gitattributes', '.gitignore', and '.mailmap' files that are symbolic links are ignored * 'git apply --3way' used to first attempt a straight application, and only fell back to the 3-way merge algorithm when the straight application failed. Starting with this version, the command will first try the 3-way merge algorithm and only when it fails (either resulting with conflict or the base versions of blobs are missing), falls back to the usual patch application. * 'git stash show' can now show the untracked part of the stash * Improved 'git repack' strategy * http code can now unlock a certificate with a cached password respectively. * 'git clone --reject-shallow' option fails the clone as soon as we notice that we are cloning from a shallow repository. * 'gitweb' learned 'e-mail privacy' feature * Multiple improvements to output and configuration options * Bug fixes and developer visible fixes

This update for boost fixes the following issues:

• Fix compilation errors (bsc#1194522)

This update for glibc fixes the following issues:

• CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
• CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

• IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)

This update for coreutils fixes the following issues:

• Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

This update for systemd fixes the following issues:

• disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579
• disable fallback DNS servers and fail when no DNS server info could be obtained from the links.
• DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package.
• Improve warning messages (bsc#1193086).

This update for libzypp fixes the following issues:

• RepoManager: remember execution errors in exception history (bsc#1193007)
• Fix exception handling when reading or writing credentials (bsc#1194898)
• Fix install path for parser (bsc#1194597)
• Fix Legacy include (bsc#1194597)
• Public header files on older distros must use c++11 (bsc#1194597)
• Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
• Fix wrong encoding of URI compontents of ISO images (bsc#954813)
• When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
• Introduce zypp-curl as a sublibrary for CURL related code
• zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
• Save all signatures associated with a public key in its PublicKeyData

• CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share; (bso#14911); (bsc#1193690);
• CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution; (bso#14914); (bsc#1194859);
• CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services; (bso#14950); (bsc#1195048);

• Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928);
• Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
• kill_tcp_connections does not work; (bso#14934);
• Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935);
• smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939);
• Cross device copy of the crossrename module always fails; (bso#14940);
• symlinkat function from VFS cap module always fails with an error; (bso#14941);
• Fix possible fsp pointer deference; (bso#14942);
• Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944);
• 'smbd --build-options' no longer works without an smb.conf file; (bso#14945);

• CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bsc#1139519);
• CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bsc#1191227);
• Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel.
• Rename package samba-core-devel to samba-devel
• Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

• Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
• Fix a memory leak when gss_inquire_cred() is called without a credential handle.

• Fix a linking issue with Samba.
• Better support multiple pkinit_identities values by checking whether certificates can be loaded for each value.

• Fix a denial of service vulnerability when decoding Kerberos protocol messages.
• Fix a locking issue with the LMDB KDB module which could cause KDC and kadmind processes to lose access to the database.
• Fix an assertion failure when libgssapi_krb5 is repeatedly loaded and unloaded while libkrb5support remains loaded.

• Fix a SPNEGO regression where an acceptor using the default credential would improperly filter mechanisms, causing a negotiation failure.
• Fix a bug where the KDC would fail to issue tickets if the local krbtgt principal's first key has a single-DES enctype.
• Add stub functions to allow old versions of OpenSSL libcrypto to link against libkrb5.
• Fix a NegoEx bug where the client name and delegated credential might not be reported.

• Fix a crash when qualifying short hostnames when the system has no primary DNS domain.
• Fix a regression when an application imports 'service@' as a GSS host-based name for its acceptor credential handle.
• Fix KDC enforcement of auth indicators when they are modified by the KDB module.
• Fix removal of require_auth string attributes when the LDAP KDB module is used.
• Fix a compile error when building with musl libc on Linux.
• Fix a compile error when building with gcc 4.x.
• Change the KDC constrained delegation precedence order for consistency with Windows KDCs.

• Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin.
• Fix a bug preventing time skew correction from working when a KCM credential cache is used.

• A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
• 'kdb5_util dump' will no longer dump policy entries when specific principal names are requested.

• Build with full Cyrus SASL support. Negotiating SASL credentials with an EXTERNAL bind mechanism requires interaction. Kerberos provides its own interaction function that skips all interaction, thus preventing the mechanism from working.

• Release 2.4.1

• Release 2.4.0

• various bugfixes
• python: Ensure reference counts are properly incremented
• Change pytalloc source to LGPL
• Upgrade waf to 2.0.18 to fix a cross-compilation issue; (bso#13846).

• various bugfixes

• Add custom tag to events
• Add event trace api

• Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5
• Update the private ldb modules installation following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

• Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684).
• add profile for samba-bgqd (bsc#1191532).

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

SUSE-CU-2021:446-1

This update for e2fsprogs fixes the following issues:
Security issues fixed:

• CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
• CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

• bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
• bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
• bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

This update for zlib provides the following fixes:

• Speedup zlib on power8. (fate#325307)
• Add safeguard against negative values in uInt. (bsc#1071321)

This update for openldap2 provides the following fix:

• Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

This update for libxml2 fixes the following security issues:

• CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
• CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
• CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

This update for aaa_base provides the following fixes:

• Let bash.bashrc work even for (m)ksh. (bsc#1104531)
• Fix an error at login if java system directory is empty. (bsc#1102310)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool - Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for aaa_base fixes the following issues:

• Restore old position of ssh/sudo source of profile (bsc#1118364).
• Update logic for JRE_HOME env variable (bsc#1128246)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for python-rpm-macros fixes the following issues:
The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323)

• Add missing $ expansion on the pytest call
• Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
• We should preserve existing PYTHONPATH.
• Add --ignore to pytest calls to ignore build directories.
• Actually make pytest into function to capture arguments as well
• Add pytest definitions.
• Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros.
• Fix an issue with epoch printing having too many \
• add epoch while printing 'Provides:'

This update for zlib fixes the following issues:

• Fixes a segmentation fault error (bsc#1110304, bsc#1129576)

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:

• CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
• CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for libtasn1 fixes the following issues:
Security issue fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

This update for e2fsprogs fixes the following issues:

• Check and fix tails of all bitmap blocks (bsc#1128383)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
• CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
• CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
• CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
• CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
• CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
• CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726)
• CVE-2018-18521: Fixed a denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
• CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

This update for krb5 provides the following fix:

• Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217)

This update for libssh fixes the following issue:
Issue addressed:

• Added support for new AES-GCM encryption types (bsc#1134193).

This update for libgcrypt fixes the following issues:

• Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

This update for libgcrypt fixes the following issues:
Security issue fixed:

• CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

This update for libxml2 fixes the following issues:

• Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).