Container summary for suse/manager/5.0/x86_64/server

• Security issues fixed:

• Changes of version 7.10.1:

• Changes of version 7.10.0:

• Changes of version 7.9.0:

• Changes of version 7.8.0:

• Changes of version 7.7.1:

• Changes of version 7.7.0:

• Changes of version 7.6.0:

This update for sssd fixes the following issue:

• Revert the change dropping the default configuration file. If /usr/etc exists will be installed there, otherwise in /etc (bsc#1226157)

This update for openssh fixes the following issues:

• Remove empty line at the end of sshd-sle.pamd (bsc#1227456)

This update for apache2 fixes the following issues:

• CVE-2024-36387: Fixed DoS by null pointer in websocket over HTTP/2 (bsc#1227272)
• CVE-2024-38475: Fixed improper escaping of output in mod_rewrite (bsc#1227268)
• CVE-2024-38476: Fixed server may use exploitable/malicious backend application output to run local handlers via internal redirect (bsc#1227269)

This update for libgit2 fixes the following issues:

• CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660)

This update for java-17-openjdk fixes the following issues:
Updated to version 17.0.12+7 (July 2024 CPU):

• CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
• CVE-2024-21138: Fixed an infinite loop due to excessive symbol length (bsc#1228047).
• CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check Elimination (bsc#1228048).
• CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling (bsc#1228052).
• CVE-2024-21145: Fixed an index overflow in RangeCheckElimination (bsc#1228051).

This update for java-11-openjdk fixes the following issues:
Updated to version 11.0.24+8 (July 2024 CPU):

• CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
• CVE-2024-21138: Fixed an infinite loop due to excessive symbol length (bsc#1228047).
• CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check Elimination (bsc#1228048).
• CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling (bsc#1228052).
• CVE-2024-21145: Fixed an index overflow in RangeCheckElimination (bsc#1228051).
• CVE-2024-21144: Fixed an excessive loading time in Pack200 due to improper header validation (bsc#1228050).

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

This update for openssl-3 fixes the following issues:
Security fixes:

• CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)

• Build with no-afalgeng (bsc#1226463)
• Build with enabled sm2 and sm4 support (bsc#1222899)
• Fix non-reproducibility issue (bsc#1223336)

This update for bind fixes the following issues:
Update to release 9.18.28
Security fixes:

• CVE-2024-0760: Fixed a flood of DNS messages over TCP may make the server unstable (bsc#1228255)
• CVE-2024-1737: Fixed BIND's database will be slow if a very large number of RRs exist at the same name (bsc#1228256)
• CVE-2024-1975: Fixed SIG(0) can be used to exhaust CPU resources (bsc#1228257)
• CVE-2024-4076: Fixed assertion failure when serving both stale cache data and authoritative zone content (bsc#1228258)

This update for systemd fixes the following issues:
systemd was updated from version 254.13 to version 254.15:

• Changes in version 254.15:

• Changes in version 254.14:

This update for python-dnspython fixes the following issues:
- CVE-2023-29483: Fixed an issue that allowed remote attackers to interfere with DNS name resolution (bsc#1222693).

This update for python-urllib3 fixes the following issues:

• CVE-2024-37891: Fixed proxy-authorization request header is not stripped during cross-origin redirects (bsc#1226469)

This update of libxkbcommon fixes the following issue:

• ship libxkbregistry0-32bit and libxbkregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)

This update for wicked fixes the following issues:

• Update to version 0.6.76
• compat-suse: warn user and create missing parent config of infiniband children
• client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
• ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
• wireless: add frequency-list in station mode (jsc#PED-8715)
• client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
• man: add supported bonding options to ifcfg-bonding(5) man page
• arputil: Document minimal interval for getopts
• man: (re)generate man pages from md sources
• client: warn on interface wait time reached
• compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces
• compat-suse: fix infiniband and infiniband child type detection from ifname

This update for mozilla-nss fixes the following issues:

• Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
• Added 'Provides: nss' so other RPMs that require 'nss' can be installed (jira PED-6358).

• FIPS: added safe memsets (bsc#1222811)
• FIPS: restrict AES-GCM (bsc#1222830)
• FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
• FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
• FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

• Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh depends on it and will create a broken, empty config, if sed is missing (bsc#1227918)

• bmo#1905691 - ChaChaXor to return after the function

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

• add diagnostic assertions for SFTKObject refcount.
• freeing the slot in DeleteCertAndKey if authentication failed
• fix formatting issues.
• Add Firmaprofesional CA Root-A Web to NSS.
• remove invalid acvp fuzz test vectors.
• pad short P-384 and P-521 signatures gtests.
• remove unused FreeBL ECC code.
• pad short P-384 and P-521 signatures.
• be less strict about ECDSA private key length.
• Integrate HACL* P-521.
• Integrate HACL* P-384.
• memory leak in create_objects_from_handles.
• ensure all input is consumed in a few places in mozilla::pkix
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• clean up escape handling
• Use lib::pkix as default validator instead of the old-one
• Need to add high level support for PQ signing.
• Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
• SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
• Allow for non-full length ecdsa signature when using softoken
• Modification of .taskcluster.yml due to mozlint indent defects
• Implement support for PBMAC1 in PKCS#12
• disable VLA warnings for fuzz builds.
• remove redundant AllocItem implementation.
• add PK11_ReadDistrustAfterAttribute.
• - Clang-formatting of SEC_GetMgfTypeByOidTag update
• Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
• sftk_getParameters(): Fix fallback to default variable after error with configfile.
• Switch to the mozillareleases/image_builder image

• switch from ec_field_GFp to ec_field_plain

• merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
• remove ckcapi.
• avoid a potential PK11GenericObject memory leak.
• Remove incomplete ESDH code.
• Decrypt RSA OAEP encrypted messages.
• Fix certutil CRLDP URI code.
• Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
• Add ability to encrypt and decrypt CMS messages using ECDH.
• Correct Templates for key agreement in smime/cmsasn.c.
• Moving the decodedCert allocation to NSS.
• Allow developers to speed up repeated local execution of NSS tests that depend on certificates.

• Removing check for message len in ed25519 (bmo#1325335)
• add ed25519 to SECU_ecName2params. (bmo#1884276)
• add EdDSA wycheproof tests. (bmo#1325335)
• nss/lib layer code for EDDSA. (bmo#1325335)
• Adding EdDSA implementation. (bmo#1325335)
• Exporting Certificate Compression types (bmo#1881027)
• Updating ACVP docker to rust 1.74 (bmo#1880857)
• Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
• Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

• (CVE-2023-5388) Timing attack against RSA decryption in TLS
• Certificate Compression: enabling the check that the compression was advertised
• Move Windows workers to nss-1/b-win2022-alpha
• Remove Email trust bit from OISTE WISeKey Global Root GC CA
• Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
• Certificate Compression: Updating nss_bogo_shim to support Certificate compression
• TLS Certificate Compression (RFC 8879) Implementation
• Add valgrind annotations to freebl kyber operations for constant-time execution tests
• Set nssckbi version number to 2.66
• Add Telekom Security roots
• Add D-Trust 2022 S/MIME roots
• Remove expired Security Communication RootCA1 root
• move keys to a slot that supports concatenation in PK11_ConcatSymKeys
• remove unmaintained tls-interop tests
• bogo: add support for the -ipv6 and -shim-id shim flags
• bogo: add support for the -curves shim flag and update Kyber expectations
• bogo: adjust expectation for a key usage bit test
• mozpkix: add option to ignore invalid subject alternative names
• Fix selfserv not stripping `publicname:` from -X value
• take ownership of ecckilla shims
• add valgrind annotations to freebl/ec.c
• PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
• Update zlib to 1.3.1

• make Xyber768d00 opt-in by policy
• add libssl support for xyber768d00
• add PK11_ConcatSymKeys
• add Kyber and a PKCS#11 KEM interface to softoken
• add a FreeBL API for Kyber
• part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
• part 1: add a script for vendoring kyber from pq-crystals repo
• Removing the calls to RSA Blind from loader.*
• fix worker type for level3 mac tasks
• RSA Blind implementation
• Remove DSA selftests
• read KWP testvectors from JSON
• Backed out changeset dcb174139e4f
• Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
• Wrap CC shell commands in gyp expansions

• Use pypi dependencies for MacOS worker in ./build_gyp.sh
• p7sign: add -a hash and -u certusage (also p7verify cleanups)
• add a defensive check for large ssl_DefSend return values
• Add dependency to the taskcluster script for Darwin
• Upgrade version of the MacOS worker for the CI

• Bump builtins version number.
• Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
• Remove 4 DigiCert (Symantec/Verisign) Root Certificates
• Remove 3 TrustCor Root Certificates from NSS.
• Remove Camerfirma root certificates from NSS.
• Remove old Autoridad de Certificacion Firmaprofesional Certificate.
• Add four Commscope root certificates to NSS.
• Add TrustAsia Global Root CA G3 and G4 root certificates.
• Include P-384 and P-521 Scalar Validation from HACL*
• Include P-256 Scalar Validation from HACL*.
• After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
• Add means to provide library parameters to C_Initialize
• add OSXSAVE and XCR0 tests to AVX2 detection.
• Typo in ssl3_AppendHandshakeNumber
• Introducing input check of ssl3_AppendHandshakeNumber
• Fix Invalid casts in instance.c

• Updated code and commit ID for HACL*
• update ACVP fuzzed test vector: refuzzed with current NSS
• Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
• NSS needs a database tool that can dump the low level representation of the database
• declare string literals using char in pkixnames_tests.cpp
• avoid implicit conversion for ByteString
• update rust version for acvp docker
• Moving the init function of the mpi_ints before clean-up in ec.c
• P-256 ECDH and ECDSA from HACL*
• Add ACVP test vectors to the repository
• Stop relying on std::basic_string
• Transpose the PPC_ABI check from Makefile to gyp

• Update zlib in NSS to 1.3.
• softoken: iterate hashUpdate calls for long inputs.
• regenerate NameConstraints test certificates (bsc#1214980).

• Set nssckbi version number to 2.62
• Add 4 Atos TrustedRoot Root CA certificates to NSS
• Add 4 SSL.com Root CA certificates
• Add Sectigo E46 and R46 Root CA certificates
• Add LAWtrust Root CA2 (4096)
• Remove E-Tugra Certification Authority root
• Remove Camerfirma Chambers of Commerce Root.
• Remove Hongkong Post Root CA 1
• Remove E-Tugra Global Root CA ECC v3 and RSA v3
• Avoid redefining BYTE_ORDER on hppa Linux

• Implementation of the HW support check for ADX instruction
• Removing the support of Curve25519
• Fix comment about the addition of ticketSupportsEarlyData
• Adding args to enable-legacy-db build
• dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
• Initialize flags in slot structures
• Improve the length check of RSA input to avoid heap overflow
• Followup Fixes
• avoid processing unexpected inputs by checking for m_exptmod base sign
• add a limit check on order_k to avoid infinite loop
• Update HACL* to commit 5f6051d2
• add SHA3 to cryptohi and softoken
• HACL SHA3
• Disabling ASM C25519 for A but X86_64

• GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
• clean up escape handling.
• remove redundant AllocItem implementation.
• Disable ASM support for Curve25519.
• Disable ASM support for Curve25519 for all but X86_64.

This update for Public Cloud fixes the following issues:

• Added Public Cloud packages and dependencies to SLE Micro 5.5 to enhance SUSE Manager 5.0 (jsc#SMO-345): * google-guest-agent (no source changes) * google-guest-configs (no source changes) * google-guest-oslogin (no source changes) * google-osconfig-agent (no source changes) * growpart-rootgrow (no source changes) * python-azure-agent (includes bug fixes see below) * python-cssselect (no source changes) * python-instance-billing-flavor-check (no source changes) * python-toml (no source changes) * python3-lxml (inlcudes a bug fix, see below)

• python-azure-agent received the following fixes: * Use the proper option to force btrfs to overwrite a file system on the resource disk if one already exists (bsc#1227711) * Set Provisioning.Agent parameter to 'cloud-init' in SLE Micro 5.5 and newer (bsc#1227106) * Do not package `waagent2.0` in Python 3 builds * Do not require `wicked` in non-SUSE build environments * Apply python3 interpreter patch in non SLE build environments (bcs#1227067)

• python3-lxml also received the following fix: * Fixed compatibility with system libexpat in tests (bnc#1222075)

This update for fence-agents fixes the following issues:

• Fix Azure native fencing does not start due to Python version. (bsc#1224797) (jsc#PED-8887)

• The updated fence-agents does not include anymore the Azure fence-agents.

• If you are on Azure, you need to install in addition the package fence-agents-azure-arm. This package (fence-agents-azure-arm) is only installable with Public Cloud Module enabled which provides the required Python3.11 dependencies.

This update for suseconnect-ng fixes the following issues:

• Version update * Added uname as collector * Added SAP workload detection * Added detection of container runtimes * Multiple fixes on ARM64 detection * Use `read_values` for the CPU collector on Z * Fixed data collection for ppc64le * Grab the home directory from /etc/passwd if needed (bsc#1226128) * Build zypper-migration and zypper-packages-search as standalone binaries rather then one single binary * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004) * Include /etc/products.d in directories whose content are backed up and restored if a zypper-migration rollback happens (bsc#1219004) * Add the ability to upload the system uptime logs, produced by the suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report (jsc#PED-7982) (jsc#PED-8018) * Add support for third party packages in SUSEConnect * Refactor existing system information collection implementation self-signed SSL certificate (bsc#1223107)

This update for permissions fixes the following issue:

• cockpit: moved setuid executable (bsc#1228548)

This update for patch fixes the following issues:

• CVE-2019-20633: Fixed double-free/OOB read in pch.c (bsc#1167721)

This update for curl fixes the following issues:

• CVE-2024-7264: Fixed ASN.1 date parser overread (bsc#1228535)
• CVE-2024-6197: Fixed freeing stack buffer in utf8asn1str (bsc#1227888)

This update for sudo fixes the following issue:

• Fix Wrong permissions on /usr/share/polkit-1/rules.d (bsc#1227574).

This update of various packages delivers 32bit variants to allow running Wine on SLE PackageHub 15 SP6.

This update for shadow fixes the following issues:

• Fixed not copying of skel files (bsc#1228770)

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020

• Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3

This update for dmidecode fixes the following issues:

• Version update (jsc#PED-8574): * Support for SMBIOS 3.6.0. This includes new memory device types, new processor upgrades, and Loongarch support * Support for SMBIOS 3.7.0. This includes new port types, new processor upgrades, new slot characteristics and new fields for memory modules * Add bash completion * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245 * Implement options --list-strings and --list-types * Update HPE OEM records 203, 212, 216, 221, 233 and 236 * Update Redfish support * Bug fixes: - Fix enabled slot characteristics not being printed * Minor improvements: - Print slot width on its own line - Use standard strings for slot width * Add a --no-quirks option * Drop the CPUID exception list * Obsoletes patches removed : dmidecode-do-not-let-dump-bin-overwrite-an-existing-file, dmidecode-fortify-entry-point-length-checks, dmidecode-split-table-fetching-from-decoding, dmidecode-write-the-whole-dump-file-at-once, dmioem-fix-segmentation-fault-in-dmi_hp_240_attr, dmioem-hpe-oem-record-237-firmware-change, dmioem-typo-fix-virutal-virtual, ensure-dev-mem-is-a-character-device-file, news-fix-typo, use-read_file-to-read-from-dump

This update for util-linux fixes the following issues:

• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• Improved man page for chcpu (bsc#1218609).

This update for cloud-regionsrv-client contains the following fixes:

• Update to version 10.3.0 (bsc#1227308, bsc#1222985) + Add support for sidecar registry Podman and rootless Docker support to set up the necessary configuration for the container engines to run as defined + Add running command as root through sudoers file

• Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016) + In addition to logging, write message to stderr when registration fails + Detect transactional-update system with read only setup and use the transactional-update command to register + Handle operation in a different target root directory for credentials checking

This update for grub2 fixes the following issues:

• Fix btrfs subvolume for platform modules not mounting at runtime when the default subvolume is the topmost root tree (bsc#1228124)
• Fix error in grub-install when root is on tmpfs (bsc#1226100)
• Fix input handling in ppc64le grub2 has high latency (bsc#1223535)

This update for supportutils fixes the following issues:
Changes to version 3.2.8

• Avoid getting duplicate kernel verifications in boot.text (pr#190)
• lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
• docker_info: Add timestamps to container logs (pr#196)
• Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
• Update supportconfig get pam.d sorted (pr#199)
• yast_files: Exclude .zcat (pr#201)
• Sanitize grub bootloader (bsc#1227127, pr#203)
• Sanitize regcodes (pr#204)
• Improve product detection (pr#205)
• Add read_values for s390x (bsc#1228265, pr#206)
• hardware_info: Remove old alsa ver check (pr#209)
• drbd_info: Fix incorrect escape of quotes (pr#210)

This update for openssl-1_1 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

• Build with no-afalgeng. (bsc#1226463)
• Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)

This update for ldb, samba fixes the following issues:

• Many qsort() comparisons are non-transitive, which can lead to out-of-bounds access in some circumstances.
• Fix a crash when joining offline and 'kerberos method' includes keytab (bsc#1228732).
• Fix reading the password from STDIN or environment vars if it was already given in the command line (bsc#1228732).
• netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
• Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022).
• Panic in dreplsrv_op_pull_source_apply_changes_trigger.
• winbindd, net ads join and other things don't work on an ipv6 only host.
• Smbcacls incorrectly propagates inheritance with Inherit-Only flag.
• http library doesn't support 'chunked transfer encoding'.
• fd_handle_destructor() panics within an smbd_smb2_close() if vfs_stat_fsp() fails in fd_close()
• samba-gpupdate: Correctly implement site support.
• libgpo: Segfault in python bindings.

This update for pam fixes the following issue:

• Prevent cursor escape from the login prompt (bsc#1194818).

This update for perl-DBD-Pg, perl-DBD-SQLite, perl-DBI, perl-YAML-LibYAML fixes the following issues:
perl-DBI was updated from version 1.642 to 1.643:

• Updated Devel::PPPort and removed redundant compatibility macros
• Correct minor typo in documentation
• Correct documentation introducing $dbh->selectall_array()
• Introduced select and do wrappers earlier in the documentation
• Mark as deprecated old API functions which overflow or are affected by Unicode issues
• Add new attribute RaiseWarn, similar to RaiseError

• Fixed disabling of __perllib_provides
• Upgraded SQLite to 3.42.0
• Added missing possible table_type values to POD
• Set UTF8CACHE to avoid slowdown with -DDEBUGGING
• Lowercase datatype in table column metadata for back-compatibility
• Fixed test failure on perl built with -DDEBUGGING
• Improve sqlite_load_extension documentation
• Add a feature to unregister a created function
• Fixed accented characters in POD
• Link embedded sqlite devel files to system files
• Use the system sqlite rather than the built-in one
• Fixed documentation to use the correct attribute with sqlite_
• Modify the fix to silence the sqlite_unicode warning not to check the attribute twice
• Fix an encoding issue of naive
• Made DBD_SQLITE_STRING_MODE constants exportable
• Stop setting THREADSAFE=0 if perl has pthread (ie. 5.20+)
• Fixed a memory leak in ::VirtualTable
• Introduced 'string_mode' handle attribute to fix long-standing issues of sqlite_unicode
• Added a dependency from dbdimp.o to the *.inc files included into dbdimp.c
• Fixed an offset issue of VirtualTable
• Fixed quadmath issues
• Added sqlite_txn_state method to see internal state of the backend
• Switched to XSLoader
• Use quadmath_snprintf if USE_QUADMATH is defined
• Use av_fetch instead of av_shift

• Support new PQclosePrepared function, added in Postgres 17
• Improved documentation about ping always returning a value
• New database handle attribute pg_skip_deallocate Prevents any deallocation of automatically prepared statements to support new pgBouncer feature
• Fix to handle escaped quotes in connection string
• Return number of affected rows from a MERGE command
• Added support for Github CI actions
• Removed undocumented internal-only pg_pid_number attribute
• Small warning in docs about PG_CHAR
• Added new attribute 'pg_int8_as_string', for backwards compatibility.
• Added a META.json file; rename META.yml to META.yaml
• Fix 03smethod.t $sth->last_insert_id skip count for DBI < 1.642
• Documentation improvements for service files
• Automatically use 64-bit versions of large object functions when available
• Set UTF8 flag as needed for error messages
• In tests, do not assume what the default transaction isolation level will be
• Make tests smarter about detecting pg_ctl results in different locales
• Adjust tests for the fact that reltuples can be -1 in Postgres version 13 and later. This is mostly reflected in the CARDINALITY column for $dbh->statistics_info.
• Correctly pull back pg_async status from statement handle. Previously, $dbh->{pg_async} would return undef.
• Remove the experimental 'fulltest' Makefile target.
• The $dbh->primary_key_info and $dbh->foreign_key_info methods will now always return a statement handle, even with no matches. Previously, they returned undef directly. Callers can check if the returned handle contains any rows.
• The $dbh->tables method will always return a list, even if it is empty.
• Add pg_lo_tell64, pg_lo_seek64, and pg_lo_truncate64, for anyone dealing with really, really, really large 'large objects'. Requires Postgres 9.3 or better.
• Allow test to run again when using a non-superuser to connect
• Adjust tests to force loading proper version of DBD::Pg every time.
• Removed the long-deprecated _pg_use_catalog method.
• Many improvements and changes to the test suite.
• Redo the 'last_result' internals in dbdimp.c, which fixes a memory leak.
• Fixed regression in Perl length() for returned query results
• Make $sth->finish() do a little less. Notably, even after calling finish(), pg_error_field will still work on the last action performed.
• Tweak tests so Windows boxes pass
• Run tests in verbose mode
• Prevent DBI from flipping AutoCommit to 'on' after a failed commit
• Revert overly aggressive testing shortcut as it can cause installs to fail
• Return the table info row last in statistics_info. This fixes statistics_info on pre-8.3 servers.
• Fixed ASC_OR_DESC field in statistics_info
• Indicate NULL ordering in statistics_info
• Adjust Makefile to fix failing 'fulltest' target on BSD systems
• Indicate non-key index columns (INCLUDE) in statistics_info
• Return an empty result set instead of undef from statistics_info when the requested table doesn't exist and $unique_only is false.
• Fixed segfault during st destroy
• Improved testing for table_info()
• Improved UTF-8 wording in documentaion

• Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it more secure
• Fixed disabling of __perllib_provides
• Recognise core booleans on Perl 5.36+ at dump time
• Fixed YAML::XS pod in cpanminus
• Convert doc from Swim to Markdown
• Added option ForbidDuplicateKeys
• Recognize tied variables
• Updated libyaml sources to 0.2.4. Changes affecting YAML::XS are
• Output '...' at the stream end after a block scalar with trailing empty lines
• Accept '%YAML 1.2' directives (they are ignored and do not change behaviour though)
• Fix memory leak when loading invalid YAML
• Support aliasing scalars resolved as null or booleans
• Add YAML::XS::LibYAML::libyaml_version()
• Support standard !!int/!!float tags instead of dying
• Fixed double free/core dump when Dump()ing binary data
• Update config.h from libyaml
• Update libyaml to version 0.2.2. Most important change for users is that plain urls in flow style can be parsed now. Example: `[ http://yaml.org]`.
• Added $Indent - number of spaces when dumping
• Implemented $LoadCode
• Update to libyaml 0.2.1. It's forbidden now to escape single quotes inside double quotes
• When disabling $LoadBlessed, return scalars not refs
• Save anchors also for blessed scalars
• Fixed format specifier/argument mismatch
• Fixed a C90-compatibility issue
• Prevent warning about unused variables

This update for python3-setuptools fixes the following issues:

• CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105)

This update for openssl-3 fixes the following issues:

• CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

• FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
• FIPS: RSA keygen PCT requirements.
• FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
• FIPS: Service Level Indicator (bsc#1221365).
• FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751).
• FIPS: Add required selftests: (bsc#1221760).
• FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
• FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
• FIPS: Zero initialization required (bsc#1221752).
• FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
• FIPS: NIST SP 800-56Brev2 (bsc#1221824).
• FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: NIST SP 800-56Arev3 (bsc#1221822).
• FIPS: Error state has to be enforced (bsc#1221753).

This update for yast2-users fixes the following issues:

• Relax check in GECOS field, allow any data except colons (bsc#1228149).
• Backport changes to avoid namespace collisions.
• Branch package for SP6 (bsc#1208913).
• YaST can no longer modify NIS users and groups (bnc#1206627).
• YaST2: Adding several users via yast fails sometimes (bnc#1209377).
• Importing user during installation can lead to password malformation (bnc#1211583).
• YaST2 ayast_setup setup broken on SLES15-SP4 (bnc#1211753).

This update for cryptsetup fixes the following issues:

• FIPS: Extend the password for PBKDF2 benchmarking to be more than 20 chars to meet FIPS 140-3 requirements (bsc#1229975)

This update for unzip fixes the following issues:

• Add patch to fix issue with some files being incorrectly detected as symlinks (boo#1190273)

This update for mozilla-nss fixes the following issues:

• FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

This update for permissions fixes the following issues:

• Update to version 20240826: * permissions: remove outdated entries (bsc#1228968)

• Update to version 20240826: * cockpit: revert path change (bsc#1229329)

This update for rsyslog fixes the following issues:

• Version upgrade
• patches replaced by upgrade (details in upgrade logs) * Revert 'Update omlibdbi.c' * imkmsg: add params 'readMode' and 'expectedBootCompleteSeconds' * testbench: fix 'typo' in test case * omazureeventhubs: Corrected handling of transport closed failures * imkmsg: add module param parseKernelTimestamp * imfile: remove state file on file delete fix * imklog bugfix: keepKernelTimestamp=off config param did not work * Netstreamdriver: deallocate certificate related resources * TLS subsystem: add remote hostname to error reporting * Fix forking issue do to close_range call * replace debian sample systemd service file by readme * testbench: bump zookeeper version to match current offering * Update rsyslog.service sample unit to the latest version used in Debian Trixie * Only keep a single rsyslog.service for Debian * Remove no longer used --with-systemdsystemunitdir configure switch * use logind instead of utmp for wall messages with systemd * Typo fixes * Drop CAP_IPC_LOCK capability * Add CAP_NET_RAW capability due to the omudpspoof module * Add new global config option 'libcapng.enable' * tcp net subsystem: handle data race gracefully * Avoid crash on restart in imrelp SIGTTIN handler
• patches replaced by upgrade * fix startup issue on modern systemd systems * Fix misspeling in message. * tcpflood bugfix: plain tcp send error not properly reported * omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set * testbench: cleanup and improve some more imfile tests * lookup tables: fix static analyzer issue * lookup tables bugfix: reload on HUP did not work when backgrounded * CI: fix and cleaup github workflow * imjournal: Support input module * testbench: make test more reliable * tcpflood: add -A option to NOT abort when sending fails * tcpflood: fix today's programming error * openssl: Replaced depreceated method SSLv23_method with TLS_method * testbench improvement: define state file directories for imfile tests * testbench: cleanup a test and some nitfixes to it * tcpflood bugfix: TCP sending was not implemented properly * testbench: make waiting for HUP processing more reliable * build system: make rsyslogd execute when --disable-inet is configured * CI: update zookeper download to newer version * ossl driver: Using newer INIT API for OpenSSL 1.1+ Versions * ossl: Fix CRL File Expire from 1 day to 100 years. * PR5175: Add TLS CRL Support for GnuTLS driver and OpenSSL 1.0.2+ * omazureeventhubs: Initial implementation of new output module * TLS CRL Support Issue 5081 * action.resumeintervalmax: the parameter was not respected * IMHIREDIS::FIXED:: Restore compatiblity with hiredis < v1.0.0 * Add the 'batchsize' parameter to imhiredis * Clear undefined behavior in libgcry.c (GH #5167) * Do not try to drop capabilities when we don't have any * testbench: use newer zookeeper version in tests * build system: more precise error message on too-old lib * Fix quoting for omprog, improg, mmexternal

This update for postgresql16 fixes the following issues:

• Upgrade to 16.4 (bsc#1229013)
• CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
• CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)

This update for glibc fixes the following issue:

• s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).

This update for apache2 fixes the following issues:

• CVE-2024-38474: Fixed substitution encoding issue in mod_rewrite (bsc#1227278)
• CVE-2024-38473: Fixed encoding problem in mod_proxy (bsc#1227276)
• CVE-2024-39884: Fixed source code disclosure with handlers configured via AddType (bsc#1227353)

This update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues:

• Make sure not to statically linked installed tools (bsc#1228787)
• MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208)
• Export asSolvable for YAST (bsc#1228420)
• Export CredentialManager for legacy YAST versions (bsc#1228420)
• Fix 4 typos in zypp.conf
• Fix typo in the geoip update pipeline (bsc#1228206)
• Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
• Removed dependency on external find program in the repo2solv tool
• Fix return value of repodata.add_solv()
• New SOLVER_FLAG_FOCUS_NEW flag
• Fix return value of repodata.add_solv() in the bindings
• Fix SHA-224 oid in solv_pgpvrfy
• Translation: updated .pot file.
• Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
• Fix int overflow in Provider
• Fix error reporting on repoindex.xml parse error (bsc#1227625)
• Keep UrlResolverPlugin API public
• Blacklist /snap executables for 'zypper ps' (bsc#1226014)
• Fix handling of buddies when applying locks (bsc#1225267)
• Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205)
• Show rpm install size before installing (bsc#1224771)
• Install zypp/APIConfig.h legacy include
• Update soname due to RepoManager refactoring and cleanup
• Workaround broken libsolv-tools-base requirements
• Strip ssl_clientkey from repo urls (bsc#1226030)
• Remove protobuf build dependency
• Lazily attach medium during refresh workflows (bsc#1223094)
• Refactor RepoManager and add Service workflows
• Let_readline_abort_on_Ctrl-C (bsc#1226493)
• packages: add '--system' to show @System packages (bsc#222971)
• Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

This update for binutils fixes the following issues:
Update to current 2.43.1 branch [jsc#PED-10474]:
Update to version 2.43:

• new .base64 pseudo-op, allowing base64 encoded data as strings
• Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF (APX_F now fully supported)
• x86 Intel syntax now warns about more mnemonic suffixes
• macros and .irp/.irpc/.rept bodies can use \+ to get at number of times the macro/body was executed
• aarch64: support 'armv9.5-a' for -march, add support for LUT and LUT2
• s390: base register operand in D(X,B) and D(L,B) can now be omitted (ala 'D(X,)'); warn when register type doesn't match operand type (use option 'warn-regtype-mismatch=[strict|relaxed|no]' to adjust)
• riscv: support various extensions: Zacas, Zcmp, Zfbfmin, Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw, XSfCease, all at version 1.0; remove support for assembly of privileged spec 1.9.1 (linking support remains)
• arm: remove support for some old co-processors: Maverick and FPA
• mips: '--trap' now causes either trap or breakpoint instructions to be emitted as per current ISA, instead of always using trap insn and failing when current ISA was incompatible with that
• LoongArch: accept .option pseudo-op for fine-grained control of assembly code options; add support for DT_RELR
• readelf: now displays RELR relocations in full detail; add -j/--display-section to show just those section(s) content according to their type
• objdump/readelf now dump also .eh_frame_hdr (when present) when dumping .eh_frame
• gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake processors; add minimal support for riscv
• linker: - put .got and .got.plt into relro segment - add -z isa-level-report=[none|all|needed|used] to the x86 ELF linker to report needed and used x86-64 ISA levels - add --rosegment option which changes the -z separate-code option so that only one read-only segment is created (instead of two) - add --section-ordering-file option to add extra mapping of input sections to output sections - add -plugin-save-temps to store plugin intermediate files permanently

• Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16, RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2', '+rcpc2' and '+wfxt'
• Add experimantal support for GAS to synthesize call-frame-info for some hand-written asm (--scfi=experimental) on x86-64.
• Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2, PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16.
• Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0, SiFive VCIX v1.0.
• BPF assembler: ';' separates statements now, and does not introduce line comments anymore (use '#' or '//' for this).
• x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with dynamic tags.
• risc-v ld: Add '--[no-]check-uleb128'.
• New linker script directive: REVERSE, to be combined with SORT_BY_NAME or SORT_BY_INIT_PRIORITY, reverses the generated order.
• New linker options --warn-execstack-objects (warn only about execstack when input object files request it), and --error-execstack plus --error-rxw-segments to convert the existing warnings into errors.
• objdump: Add -Z/--decompress to be used with -s/--full-contents to decompress section contents before displaying.
• readelf: Add --extra-sym-info to be used with --symbols (currently prints section name of references section index).
• objcopy: Add --set-section-flags for x86_64 to include SHF_X86_64_LARGE.
• s390 disassembly: add target-specific disasm option 'insndesc', as in 'objdump -M insndesc' to display an instruction description as comment along with the disassembly.

• Add binutils-use-less-memory.diff to be a little nicer to 32bit userspace and huge links. [bsc#1216908]
• Add libzstd-devel to Requires of binutils-devel. (bsc#1215341)

This update for yast2-installation fixes the following issue:

• Don't block in AutoYaST upgrade (bsc#1181625).

This update for curl fixes the following issues:

• CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

SUSE-CU-2024:3212-1

SUSE-CU-2024:3211-1

This update for python-Werkzeug fixes the following issues:

• CVE-2023-25577: Fixed high resource usage when parsing multipart form data with many fields (bsc#1208283).

This update for python-Flask fixes the following issues:

• CVE-2023-30861: Fixed a potential cookie confusion due to incorrect caching (bsc#1211246).

This update for python-Werkzeug fixes the following issues:

• CVE-2024-34069: Fixed a remote code execution through debugger when interacting with attacker controlled domain (bsc#1223979).

This update for jackson fixes the following issues:
jackson-annotations was upgraded to version 2.16.1:

• Added new OptBoolean valued property in @JsonTypeInfo to allow per-type configuration of strict type id handling
• Allow per-type configuration of strict type id handling
• Added JsonTypeInfo.Value object (backport from 3.0)
• Added new JsonTypeInfo.Id.SIMPLE_NAME

• Added dependency for jackson-module-android-record. This new module offers support for Record type on Android platform, where Java records are supported through 'de-sugaring'

• NPE in Version.equals() if snapshot-info null
• NPE in 'FastDoubleParser', method 'JavaBigDecimalParser.parseBigDecimal()'
• JsonPointer.append(JsonPointer.tail()) includes the original pointer
• Change StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION default to false in Jackson 2.16
• Improve error message for StreamReadConstraints violations
• JsonFactory implementations should respect CANONICALIZE_FIELD_NAMES
• Root cause for failing test for testMangledIntsBytes() in ParserErrorHandlingTest
• Allow all array elements in JsonPointerBasedFilter
• Indicate explicitly blocked sources as 'REDACTED' instead of 'UNKNOWN' in JsonLocation
• Start using AssertJ in unit tests
• Allow configuring spaces before and/or after the colon in DefaultPrettyPrinter (for Canonical JSON)
• Add configurable limit for the maximum number of bytes/chars of content to parse before failing
• Add configurable limit for the maximum length of Object property names to parse before failing
• Add configurable processing limits for JSON generator (StreamWriteConstraints)
• Compare _snapshotInfo in Version
• Add JsonGeneratorDecorator to allow decorating JsonGenerators
• Add full set of BufferRecyclerPool implementations
• Add configurable error report behavior via ErrorReportConfiguration
• Make ByteSourceJsonBootstrapper use StringReader for < 8KiB byte[] inputs
• Allow pluggable buffer recycling via new RecyclerPool extension point
• Change parsing error message to mention -INF

• JsonSetter(contentNulls = FAIL) is ignored in delegating @JsonCreator argument
• Primitive array deserializer not being captured by DeserializerModifier
• JsonNode.findValues() and findParents() missing expected values in 2.16.0
• Incorrect deserialization for BigDecimal numbers
• Add a way to configure caches Jackson uses
• Mix-ins do not work for Enums
• Map deserialization results in different numeric classes based on json ordering (BigDecimal / Double) when used in combination with @JsonSubTypes
• Generic class with generic field of runtime type Double is deserialized as BigDecimal when used with @JsonTypeInfo and JsonTypeInfo.As.EXISTING_PROPERTY
• Combination of @JsonUnwrapped and @JsonAnySetter results in BigDecimal instead of Double
• @JsonIgnoreProperties not working with @JsonValue
• Deprecated JsonNode.with(String) suggests using JsonNode.withObject(String) but it is not the same thing
• Difference in the handling of ObjectId-property inJsonIdentityInfo depending on the deserialization route
• Add new OptBoolean valued property in @JsonTypeInfo, handling, to allow per-polymorphic type loose Type Id handling
• Fixed regression in 2.15.0 that reaks deserialization for records when mapper.setVisibility(PropertyAccessor.ALL, Visibility.NONE)
• Incorrect target type when disabling coercion, trying to deserialize String from Array/Object
• @JsonProperty on constructor parameter changes default field serialization order
• Create new JavaType subtype IterationType (extending SimpleType)
• Use JsonTypeInfo.Value for annotation handling
• Add JsonNodeFeature.WRITE_PROPERTIES_SORTED for sorting ObjectNode properties on serialization (for Canonical JSON)
• Optimize ObjectNode findValue(s) and findParent(s) fast paths
• Locale '' is deserialised as null if ACCEPT_EMPTY_STRING_AS_NULL_OBJECT is enabled
• Add guardrail setting for TypeParser handling of type parameters
• Use @JsonProperty for Enum values also when READ_ENUMS USING_TO_STRING enabled
• Fix Enum deserialization to use @JsonProperty, @JsonAlias even if EnumNamingStrategy used
• Use @JsonProperty and lowercase feature when serializing Enums despite using toString()
• Use @JsonProperty over EnumNamingStrategy for Enum serialization
• Actually cache EnumValues#internalMap
• ObjectMapper.valueToTree() will ignore the configuration SerializationFeature.WRAP_ROOT_VALUE
• Provide the 'ObjectMapper.treeToValue(TreeNode, TypeReference)' method
• Expose NativeImageUtil.isRunningInNativeImage() method
• Add JsonTypeInfo.Id.SIMPLE_NAME which defaults type id to Class.getSimpleName()
• Impossible to deserialize custom Throwable sub-classes that do not have single-String constructors
• java.desktop module is no longer optional
• ClassUtil fails with java.lang.reflect.InaccessibleObjectException trying to setAccessible on OptionalInt with JDK 17+
• Support sequenced collections (JDK 21)
• Add withObjectProperty(String), withArrayProperty(String) in JsonNode
• Change JsonNode.withObject(String) to work similar to withArray() wrt argument
• Log WARN if deprecated subclasses of PropertyNamingStrategy is used
• NPE when transforming a tree to a model class object, at ArrayNode.elements()
• Deprecated ObjectReader.withType(Type) has no direct replacement; need forType(Type)
• Add new DefaultTyping.NON_FINAL_AND_ENUMS to allow Default Typing for Enums
• Do not rewind position when serializing direct ByteBuffer
• Exception when deserialization of private record with default constructor
• BeanDeserializer updates currentValue incorrectly when deserialising empty Object

• (ion) NullPointerException in IonParser.nextToken()
• (smile) Remove Smile-specific buffer-recycling

• (afterburner) Disable when running in native-image
• (afterburner) IncompatibleClassChangeError when deserializing a class implementing an interface with default get/set implementations
• (blackbird) BlackBird proxy object error in Java 17
• (blackbird) Disable when running in native-image
• (guice) Add guice7 (jakarta.inject) module

• Upgrade to oss-parent 56 (tons of plugin updates to resolve Maven warnings, new Moditect plugin)

• Added to SUSE Manager 4.3 as it is needed by `jackson-modules-base`

This update for sg3_utils fixes the following issue:

• sg_inq: re-add Unit serial number field (bsc#1219547)

This update for dwz fixes the following issues:

• Clean up leftover temporary file (bsc#1221634)

This update for wicked fixes the following issues:

• client: fix ifreload to pull UP ports/links again when the config of their master/lower changed (bsc#1224100, gh#openSUSE/wicked#1014) - cleanup: fix ni_fsm_state_t enum-int-mismatch warnings - cleanup: fix overflow warnings in a socket testcase on i586 - ifcheck: report new and deleted configs as changed (bsc#1218926) - man: improve ARP configuration options in the wicked-config.5 - bond: add ports when master is UP to avoid port MTU revert (bsc#1219108) - cleanup: fix interface dependencies and shutdown order (bsc#1205604)
• removed patches included in the source archive

This update for python-Jinja2 fixes the following issues:

• Fixed HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-34064, bsc#1223980, CVE-2024-22195, bsc#1218722)

This update for Java fixes thefollowing issues:
apiguardian was updated to vesion 1.1.2:

• Added LICENSE/NOTICE to the generated jar
• Allow @API to be declared at the package level
• Explain usage of Status.DEPRECATED
• Include OSGi metadata in manifest

• New package implementation needed by Junit5

• `byte-buddy` is required by `assertj-core`
• Changes in version v1.14.16:

• Changes in version v1.14.15:

• Changes of v1.14.14:

• Improvements and potentially breaking changes:

• Other changes:

• `hamcrest-core` has been replaced by `hamcrest` (no source changes)

• Require hamcrest >= 2.2

• Conditional execution based on OS architectures
• Configurable cleanup mode for @TempDir
• Configurable thread mode for @Timeout
• Custom class loader support for class/method selectors, @MethodSource, @EnabledIf, and @DisabledIf
• Dry-run mode for test execution
• Failure threshold for @RepeatedTest
• Fixed build with the latest open-test-reporting milestone
• Fixed dependencies in module-info.java files
• Fixed unreported exception error that is fatal with JDK 21
• Improved configurability of parallel execution
• New @SelectMethod support in test @Suite classes.
• New ConsoleLauncher subcommand for test discovery without execution
• New convenience base classes for implementing ArgumentsProvider and ArgumentConverter
• New IterationSelector
• New LauncherInterceptor SPI
• New NamespacedHierarchicalStore for use in third-party test engines
• New TempDirFactory SPI for customizing how temporary directories are created
• New testfeed details mode for ConsoleLauncher
• New TestInstancePreConstructCallback extension API
• Numerous bug fixes and minor improvements
• Parameter injection for @MethodSource methods
• Promotion of various experimental APIs to stable
• Reusable parameter resolution for custom extension methods via ExecutableInvoker
• Stacktrace pruning to hide internal JUnit calls
• The binaries are compatible with java 1.8
• Various improvements to ConsoleLauncher
• XML reports in new Open Test Reporting format

• Security issues fixed:

• Other changes and bugs fixed: * Fixed wrong entries in changelog (bsc#1224410) * The packages `jaxen`, `saxpath` and `xom` are now separate standalone packages instead of being part of `jdom`

• New standalone RPM package implementation, originally part of `jdom` source package
• Classpaths are much smaller and less complex, and will suppress a lot of noise from static analysis tools.
• The Jaxen core code is also a little smaller and has fixed a few minor bugs in XPath evaluation
• Despite the major version bump, this should be a drop in replacement for almost every project. The two major possible incompatibilities are: * The minimum supported Java version is now 1.5, up from 1.4 in 1.2.0 and 1.3 in 1.1.6. * dom4j, XOM, and JDOM are now optional dependencies so if a project was depending on them to be loaded transitively it will need to add explicit dependencies to build.

• Included jopt-simple to Package Hub 15 SP5 (no source changes)

• New Opcodes.V23 constant for Java 23
• Bugs fixed * Fixed unit test regression in dex2jar. * Fixed 'ClassNode#outerClass' with incorrect JavaDocs. * asm-bom packaging should be 'pom'. * The Textifier prints a supplementary space at the end of each method that throws at least one exception.

• Included `open-test-reporting-events` and `open-test-reporting-schema` to the channels as they are runtime dependencies of Junit5 (no source changes)

• New standalone RPM package implementation, originally part of `jdom` source package (openSUSE Leap 15.5 package only)

• New standalone RPM package implementation, originally part of `jdom` source package
• The Nodes and Elements classes are iterable so you can use the enhanced for loop syntax on instances of these classes.
• The copy() method is now covariant.
• Adds Automatic-Moduole-Name to jar
• Remove direct dependency on xml-apis:xml-apis artifact since these classes are now available in the core runtime.
• Eliminate usage of com.sun classes to make XOM compatible with JDK 16.
• Replace remaining usages of StringBuffer with StringBuilder to slightly improve performance.

This update for aaa_base fixes the following issues:

• Fix the typo to set JAVA_BINDIR in the csh variant of the alljava profile script (bsc#1221361)

This update for fdupes fixes the following issues:

• Do not use sqlite, as this pulls sqlite into Ring0 at no real benefit performance wise
• Update to 2.3.0: * Add --cache option to speed up file comparisons * Use nanosecond precision for file times, if available * Fix compilation issue on OpenBSD * Other changes like fixing typos, wording, etc.
• update to 2.2.1: * Fix bug in code meant to skip over the current log file when --log option is given * Updates to copyright notices in source code * Add --deferconfirmation option * Check that files marked as duplicates haven't changed during program execution before deleting them * Update documentation to indicate units for SIZE in command-line options * Move some configuration settings to configure.ac file
• Fixes for the new wrapper: * Order duplicates by name, to get a reproducible file set (bsc#1197484) * Remove redundant order parameter from fdupes invocation * Modernize code, significantly reduce allocations * Exit immediately when mandatory parameters are missing * Remove obsolete buildroot parameter * Add some tests for the wrapper
• Do not link the files as given by fdupes, but turn them into relative links
• Support multiple directories given (as glob to the macro)
• Handle symlinks (-s argument) correctly
• Simplify macros.fdupes to speed up the process (bsc#1195709)

This update for python-requests fixes the following issues:

• CVE-2024-35195: Fixed cert verification regardless of changes to the value of `verify` (bsc#1224788).

This update for iputils fixes the following issue:

• 'arping: Fix 1s delay on exit for unsolicited arpings', backport upstream fix (bsc#1224877)
• Backport proposed fix for regression in upstream commit 4db1de6 (bsc#1224877)

This update for suse-module-tools fixes the following issues:

• Include unblacklist in initramfs (bsc#1224320)
• regenerate-initrd-posttrans: run update-bootloader --refresh for XEN (bsc#1223278)
• 60-io-scheduler.rules: test for 'scheduler' sysfs attribute (bsc#1216717)
• README: Update blacklist description (gh#openSUSE/suse-module-tools#71)
• macros.initrd: %regenerate_initrd_post: don't fail if mkdir is unavailable (bsc#1217979)
• Don't rebuild existing initramfs images if the environment variable SKIP_REGENERATE_ALL=1 is set (bsc#1192014)

This update for postfix fixes the following issues:

• config.postfix needs updating (bsc#1224207) * chkconfig to systemctl * Link Cyrus lmtp only if this exsists * /usr/lib64/sasl2 does not need to exist * Fetch timezone via readlink from /etc/localtime
• Set inet_interfaces to loopback-only instead of localhost as proposed in man 5 postconf (bsc#1223264)

This update for sssd fixes the following issues:

• CVE-2023-3758: Fixed race condition during authorization leads to GPO policies functioning inconsistently (bsc#1223100).

• Use the name from the cached entries when updating them to avoid capitalization problems (bsc#1223050).
• Extend sssctl command line tool to manage the cached GPOs; (jsc#PED-7677).

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)

This update for glib2 fixes the following issues:
Update to version 2.78.6:

• Fix a regression with IBus caused by the fix for CVE-2024-34397

• Fix CVE-2024-34397: GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing. (bsc#1224044)
• Bugs fixed: - gvfs-udisks2-volume-monitor SIGSEGV in g_content_type_guess_for_tree() due to filename with bad encoding - gcontenttype: Make filename valid utf-8 string before processing. - gdbusconnection: Don't deliver signals if the sender doesn't match.

• Bugs fixed: - Fix generated RST anchors for methods, signals and properties. - docs/reference: depend on a native gtk-doc. - gobject_gdb.py: Do not break bt on optimized build. - gregex: clean up usage of _GRegex.jit_status.

This update for libbpf fixes the following issues:

• Fixed potential null pointer dereference in bpf_object__collect_prog_relos() (bsc#1221101)

This update for glibc fixes the following issues:

• Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)

This update for google-errorprone, guava fixes the following issues:
guava:

• guava was updated to version 33.1.0:

• Fix version mismatch in the ant build files.
• The binaries are compatible with java 1.8

• google-errorprone and google-errorprone-annotations were updated to version 2.26.1:

• Do not require maven-javadoc-plugin as it's not being used

This update for libvirt fixes the following issues:

• CVE-2024-4418: Fixed a stack use-after-free by ensuring temporary GSource is removed from client event loop. (bsc#1223849)

This update for apache2 fixes the following issues:

• CVE-2023-38709: Fixed HTTP response splitting (bsc#1222330).
• CVE-2024-24795: Fixed HTTP response splitting in multiple modules (bsc#1222332).
• CVE-2024-27316: Fixed HTTP/2 CONTINUATION frames can be utilized for DoS attacks (bsc#1221401).

This update for iputils fixes the following issue:

• After upstream merged the fix, update git commit hashes.

This update for e2fsprogs fixes the following issues:

• EA Inode handling fixes: - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596)

This update for yast2-registration fixes the following issue:

• Ensure add_on_others in autoyast profile are added (bsc#1223301)

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

This update for libsolv, libzypp, zypper, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues:

• Fix the dependency for Packagekit-backend-zypp in SUMa 4.3 (bsc#1224242)
• Improve updating of installed multiversion packages
• Fix decision introspection going into an endless loop in some cases
• Split libsolv-tools into libsolv-tools-base [jsc#PED-8153]
• Improve checks against corrupt rpm
• Fixed check for outdated repo metadata as non-root user (bsc#1222086)
• Add ZYPP_API for exported functions and switch to visibility=hidden (jsc#PED-8153)
• Dynamically resolve libproxy (jsc#PED-8153)
• Fix download from gpgkey URL (bsc#1223430)
• Delay zypp lock until command options are parsed (bsc#1223766)
• Unify message format

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

This update for less fixes the following issues:

• CVE-2024-32487: Fixed OS command injection via a newline character in the file name. (bsc#1222849)

This update for openssl-3 fixes the following issues:
Security issues fixed:

• CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

• Enable livepatching support (bsc#1223428)
• Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456)

This update for sudo fixes the following issues:

• Revert the 'Match using canonicalized directories where possible.' feature just for SLE-15 This causes a breaking change in behavior for some customers (bsc#1222104, bsc#1226008)

This update for libarchive fixes the following issues:

• CVE-2024-20697: Fixed Out of bounds Remote Code Execution Vulnerability (bsc#1225972).
• CVE-2024-20696: Fixed heap based out-of-bounds write (bsc#1225971).

This update for python-requests fixes the following issue:

• Allow the usage of 'verify' parameter as a directory. (bsc#1225912)

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

This update for protobuf and python-grpcio fixes the following issue:

• Add python311 binaries to Python Module.

This update for iproute2 fixes the following issues:
iproute2 was updated to version 6.4 (jsc#PED-6820 jsc#PED-6844, jsc#PED-8358):

• Fixed display of bound but unconnected sockets (bsc#1204562)
• Changes in version 6.4: * bridge: mdb: added underlay destination IP support, UDP destination port support, destination VNI support, source VNI support, outgoing interface support * macvlan: added the 'bclim' parameter

• Changes in version 6.3: * New release of iproute2 corresponding to the 6.3 kernel. No large feature improvements only incremental improvements to the bridge mdb support, mostly just bug fixes.

• Changes in version 6.2:

• Changes in version 6.1:

• Changes in version 6.0:

• Changes in version 5.19:

• Changes in version 5.18:

• Changes in version 5.17:

• Add tmpfiles.d conf for /run/netns

• Changes in version 5.16:

• Changes in version 5.15:

This update for sssd fixes the following issue:

• Reenable pam_sss after upgrade, was removed by sssd-common postun (bsc#1226407)

This update for avahi fixes the following issues:

• CVE-2023-38471: Fixed a reachable assertion in dbus_set_host_name. (bsc#1216594)
• CVE-2023-38469: Fixed a reachable assertion in avahi_dns_packet_append_record. (bsc#1216598)

This update for util-linux fixes the following issue:

• Fix hang of lscpu -e (bsc#1225598)

This update for apache2 fixes the following issues:

• Apache ignores headers sent by CGI scripts (bsc#1226217)

This update for suse-module-tools fixes the following issue:

• Version update, udevrules: activate CPUs on hotplug for s390, too (bsc#1224400)

This update for systemd contains the following fixes:

• testsuite: move a misplaced %endif

• Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415).

• Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree.

• Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc

This update for wicked fixes the following issues:

• Fix VLANs/bonds randomly not coming up after reboot or wicked restart. [bsc#1218668]

This update for python-rpm-macros fixes the following issues:

• Update to version 20240618.1e386da:

• Update to version 20240614.02920b8:

• Update to version 20240415.c664b45:

• Update to version 20240202.501440e:

• Update to version 20231220.98427f3:

• Update to version 20231207.46c2ec3:

• Update to version 20231204.dd64e74:

• Update to version 20231010.0a1f0d9:

• Update to version 20231010.a32e110:

• Update to version 20231005.bf2d3ab:

• Update to version 20230609.6fe8111:

This update for postgresql16 fixes the following issues:
PostgreSQL upgrade to version 16.3 (bsc#1224051):

• CVE-2024-4317: Fixed visibility restriction of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (bsc#1224038).

• Fix incompatibility with LLVM 18.
• Prepare for PostgreSQL 17.
• Make sure all compilation and doc generation happens in %build.
• Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
• Remove constraints file because improved memory usage for s390x
• Use %patch -P N instead of deprecated %patchN.

• https://www.postgresql.org/docs/release/16.3/

This update for openssh fixes the following issues:

• CVE-2024-6387: Fixed race condition in a signal handler (bsc#1226642)

This update for scap-security-guide and openscap provides the SCAP tooling for SLE Micro 5.3, 5.4, 5.5.
This includes shipping openscap dependencies libxmlsec1-1 and libxmlsec1-openssl for SLE Micro.

This update for gmavenplus-plugin, istack-commons, replacer, xmvn fixes the following issues:
gmavenplus-plugin, istack-commons, replacer, xmvn:

• Fixed build with `maven-plugin-plugin`

This update for libxml2 fixes the following issues:

• CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

This update for libvirt fixes the following issue:

• qemu: Fix migration with custom XML (bsc#1226492)

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

This optional update for NetworkManager fixes the following issue:

• No-change rebuild to include NetworkManager-wwan in the SLE-Module-Desktop-Applications_15-SP6 product (bsc#1227333)

This update for openssh fixes the following issues:
Security fixes:

• CVE-2024-39894: Fixed timing attacks against echo-off password entry (bsc#1227318).

• Add obsoletes for openssh-server-config-rootlogin (bsc#1227350).
• Add #include in some files added by the ldap patch to fix build with gcc14 (bsc#1225904).
• Remove the recommendation for openssh-server-config-rootlogin from openssh-server (bsc#1224392).

SUSE-CU-2024:2290-1

This update for gssproxy fixes the following issues:

• Fix paths in tests and replace python's f-string usage
• Initial check-in of gssproxy is needed on the NFS server if krb5 is used for NFS authentication using an AD directory server. (bsc#1024309)(FATE#322526)
• 'krb5' may need 'auth_to_local = RULE:[1:$1@$0]' on the 'realms' section when 'winbind' is used for nsswitch.conf. (bsc#1024309)(FATE#322526)

• libini now supports validators that check for well-formed INI files.

This update for c-ares fixes the following issues:
c-ares version update to 1.15.0:

• Add ares_init_options() configurability for path to resolv.conf file
• Ability to exclude building of tools (adig, ahost, acountry) in CMake
• Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306)
• Apply the IPv6 server blacklist to all nameserver sources
• Prevent changing name servers while queries are outstanding
• ares_set_servers_csv() on failure should not leave channel in a bad state
• getaddrinfo - avoid infinite loop in case of NXDOMAIN
• ares_getenv - return NULL in all cases
• implement ares_getaddrinfo

• Fixed a regression in DNS results that contain both A and AAAA answers.
• Add netcfg as the build requirement and runtime requirement.

This update for c-ares fixes the following issues:

• Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html

• Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882).

This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:

• CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
• If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
• Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
• Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
• Use unbuffered /dev/urandom for random data to prevent early startup performance issues

This update for c-ares fixes the following issue:

• Allow '_' as part of DNS response. (bsc#1190225) - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which contained underscores.

This update for java-17-openjdk fixes the following issues:
Update to upstream tag jdk-17.0.4+8 (July 2022 CPU)

• CVE-2022-21540: Improve class compilation (bsc#1201694)
• CVE-2022-21541: Enhance MethodHandle invocations (bsc#1201692)
• CVE-2022-34169: Improve Xalan supports (bsc#1201684)
• CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions (bsc#1201685)

This update for adcli fixes the following issues:

• Remove errx() calls on error conditions to execute the cleanup function and delete the krb5 snippets created in /tmp (bsc#1202647)
• Set umask before calling mkdtemp (bsc#1202647)

This update for java-17-openjdk fixes the following issues:

• Update to jdk-17.0.5+8 (October 2022 CPU)
• CVE-2022-39399: Improve HTTP/2 client usage(bsc#1204480)
• CVE-2022-21628: Better HttpServer service (bsc#1204472)
• CVE-2022-21624: Enhance icon presentations (bsc#1204475)
• CVE-2022-21619: Improve NTLM support (bsc#1204473)
• CVE-2022-21618: Wider MultiByte (bsc#1204468)

This update for java-17-openjdk fixes the following issues:

• Modified patches: Revert fips patch to a version used with 17.0.4.0 (bsc#1205916) Apply nss-security-provider patch after the fips patch, thus rediff the hunk to changed context.

• Fix jconsole.desktop icon

This update for java-17-openjdk fixes the following issues:
Updated to version jdk-17.0.6.0+10:
- CVE-2023-21835: Fixed handshake DoS attack against DTLS connections (bsc#1207246). - CVE-2023-21843: Fixed soundbank URL remote loading (bsc#1207248).
Bugfixes:
- Avoid calling C_GetInfo() too early, before cryptoki is initialized (bsc#1205916).

This update for c-ares fixes the following issues:
Updated to version 1.19.0:
- CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).

This update for java-17-openjdk fixes the following issues:

• Remove the accessibility RPM sub-package because it causes problems (bsc#1206549)

This update for java-17-openjdk fixes the following issues:
Update to upstrem tag jdk-17.0.7+7 (April 2023 CPU)
Security fixes:

• CVE-2023-21930: Fixed AES support (bsc#1210628).
• CVE-2023-21937: Fixed String platform support (bsc#1210631).
• CVE-2023-21938: Fixed runtime support (bsc#1210632).
• CVE-2023-21939: Fixed Swing platform support (bsc#1210634).
• CVE-2023-21954: Fixed object reclamation process (bsc#1210635).
• CVE-2023-21967: Fixed TLS session negotiation (bsc#1210636).
• CVE-2023-21968: Fixed path handling (bsc#1210637).

• Fixed socket setTrafficClass not working for IPv4 connections when IPv6 is enabled (bsc#1209333).

This update for c-ares fixes the following issues:
Update to version 1.19.1:

• CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
• CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
• CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
• CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
• Fix uninitialized memory warning in test
• ares_getaddrinfo() should allow a port of 0
• Fix memory leak in ares_send() on error
• Fix comment style in ares_data.h
• Fix typo in ares_init_options.3
• Sync ax_pthread.m4 with upstream
• Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support

This update for java-17-openjdk fixes the following issues:

• In SSLSessionImpl, interpret length of SNIServerName as an unsigned byte so that it can have length up to 255 rather

This update for java-17-openjdk fixes the following issues:

• Bring back our nss.fips.cfg file, as the variable expansion in the upstream file does not work (bsc#1211679)

This update for java-17-openjdk fixes the following issues:
Updated to version jdk-17.0.8+7 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473). - CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474). - CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475). - CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479). - CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481). - CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482). - CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8294323: Improve Shared Class Data - JDK-8296565: Enhanced archival support - JDK-8298676, JDK-8300891: Enhanced Look and Feel - JDK-8300285: Enhance TLS data handling - JDK-8300596: Enhance Jar Signature validation - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1 - JDK-8302475: Enhance HTTP client file downloading - JDK-8302483: Enhance ZIP performance - JDK-8303376: Better launching of JDI - JDK-8304460: Improve array usages - JDK-8304468: Better array usages - JDK-8305312: Enhanced path handling - JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8178806: Better exception logging in crypto code - JDK-8201516: DebugNonSafepoints generates incorrect information - JDK-8224768: Test ActalisCA.java fails - JDK-8227060: Optimize safepoint cleanup subtask order - JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java fails with AssertionError - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel - JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java doesn' initialize eName - JDK-8245877: assert(_value != __null) failed: resolving NULL _value in JvmtiExport::post_compiled_method_load - JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are broken - JDK-8252990: Intrinsify Unsafe.storeStoreFence - JDK-8254711: Add java.security.Provider.getService JFR Event - JDK-8257856: Make ClassFileVersionsTest.java robust to JDK version updates - JDK-8261495: Shenandoah: reconsider update references memory ordering - JDK-8268288: jdk/jfr/api/consumer/streaming/ /TestOutOfProcessMigration.java fails with 'Error: ShouldNotReachHere()' - JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java fails: unexpected log message - JDK-8268582: javadoc throws NPE with --ignore-source-errors option - JDK-8269821: Remove is-queue-active check in inner loop of write_ref_array_pre_work - JDK-8270434: JDI+UT: Unexpected event in JDI tests - JDK-8270859: Post JEP 411 refactoring: client libs with maximum covering > 10K - JDK-8270869: G1ServiceThread may not terminate - JDK-8271519: java/awt/event/SequencedEvent/ /MultipleContextsFunctionalTest.java failed with 'Total [200] - Expected [400]' - JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can still fail with 'ERROR: new event is not ThreadStartEvent' - JDK-8274243: Implement fast-path for ASCII-compatible CharsetEncoders on aarch64 - JDK-8274615: Support relaxed atomic add for linux-aarch64 - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile - JDK-8275233: Incorrect line number reported in exception stack trace thrown from a lambda expression - JDK-8275287: Relax memory ordering constraints on updating instance class and array class counters - JDK-8275721: Name of UTC timezone in a locale changes depending on previous code - JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit) - JDK-8276058: Some swing test fails on specific CI macos system - JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/ /bug6276188.java fails to compile after JDK-8276058 - JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java - add 4357905 - JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly identify it as pause - JDK-8278434: timeouts in test java/time/test/java/time/ /format/TestZoneTextPrinterParser.java - JDK-8278834: Error 'Cannot read field 'sym' because 'this.lvar[od]' is null' when compiling - JDK-8282077: PKCS11 provider C_sign() impl should handle CKR_BUFFER_TOO_SMALL error - JDK-8282201: Consider removal of expiry check in VerifyCACerts.java test - JDK-8282227: Locale information for nb is not working properly - JDK-8282704: runtime/Thread/StopAtExit.java may leak memory - JDK-8283057: Update GCC to version 11.2.0 for Oracle builds on Linux - JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2 - JDK-8283520: JFR: Memory leak in dcmd_arena - JDK-8283566: G1: Improve G1BarrierSet::enqueue performance - JDK-8284331: Add sanity check for signal handler modification warning. - JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java failed with Default Button not pressed for L&F: com.sun.java.swing.plaf.motif.MotifLookAndFeel - JDK-8285987: executing shell scripts without #! fails on Alpine linux - JDK-8286191: misc tests fail due to JDK-8285987 - JDK-8286287: Reading file as UTF-16 causes Error which 'shouldn't happen' - JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator - JDK-8286346: 3-parameter version of AllocateHeap should not ignore AllocFailType - JDK-8286398: Address possibly lossy conversions in jdk.internal.le - JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code - JDK-8287246: DSAKeyValue should check for missing params instead of relying on KeyFactory provider - JDK-8287541: Files.writeString fails to throw IOException for charset 'windows-1252' - JDK-8287854: Dangling reference in ClassVerifier::verify_class - JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable - JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md with information on 4th party dependencies - JDK-8288589: Files.readString ignores encoding errors for UTF-16 - JDK-8289509: Improve test coverage for XPath Axes: descendant, descendant-or-self, following, following-sibling - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space - JDK-8289949: Improve test coverage for XPath: operators - JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is subject to undefined behavior - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067 - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately - JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage() is lower than expected - JDK-8292301: [REDO v2] C2 crash when allocating array of size too large - JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests resilience under spurious failures - JDK-8292713: Unsafe.allocateInstance should be intrinsified without UseUnalignedAccesses - JDK-8292755: Non-default method in interface leads to a stack overflow in JShell - JDK-8292990: Improve test coverage for XPath Axes: parent - JDK-8293295: Add type check asserts to java_lang_ref_Reference accessors - JDK-8293492: ShenandoahControlThread missing from hs-err log and thread dump - JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG - JDK-8293887: AArch64 build failure with GCC 12 due to maybe-uninitialized warning in libfdlibm k_rem_pio2.c - JDK-8294183: AArch64: Wrong macro check in SharedRuntime::generate_deopt_blob - JDK-8294281: Allow warnings to be disabled on a per-file basis - JDK-8294673: JFR: Add SecurityProviderService#threshold to TestActiveSettingEvent.java - JDK-8294717: (bf) DirectByteBuffer constructor will leak if allocating Deallocator or Cleaner fails with OOME - JDK-8294906: Memory leak in PKCS11 NSS TLS server - JDK-8295564: Norwegian Nynorsk Locale is missing formatting - JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames - JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java fails intermittently on a VM - JDK-8296318: use-def assert: special case undetected loops nested in infinite loops - JDK-8296343: CPVE thrown on missing content-length in OCSP response - JDK-8296412: Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts - JDK-8296545: C2 Blackholes should allow load optimizations - JDK-8296934: Write a test to verify whether Undecorated Frame can be iconified or not - JDK-8297000: [jib] Add more friendly warning for proxy issues - JDK-8297154: Improve safepoint cleanup logging - JDK-8297450: ScaledTextFieldBorderTest.java fails when run with -show parameter - JDK-8297587: Upgrade JLine to 3.22.0 - JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs - JDK-8298488: [macos13] tools/jpackage tests failing with 'Exit code: 137' on macOS - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors - JDK-8299179: ArrayFill with store on backedge needs to reduce length by 1 - JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE - JDK-8299544: Improve performance of CRC32C intrinsics (non-AVX-512) for small inputs - JDK-8299570: [JVMCI] Insufficient error handling when CodeBuffer is exhausted - JDK-8299959: C2: CmpU::Value must filter overflow computation against local sub computation - JDK-8300042: Improve CPU related JFR events descriptions - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument - JDK-8300823: UB: Compile::_phase_optimize_finished is initialized too late - JDK-8300939: sun/security/provider/certpath/OCSP/ /OCSPNoContentLength.java fails due to network errors - JDK-8301050: Detect Xen Virtualization on Linux aarch64 - JDK-8301119: Support for GB18030-2022 - JDK-8301123: Enable Symbol refcounting underflow checks in PRODUCT - JDK-8301190: [vectorapi] The typeChar of LaneType is incorrect when default locale is tr - JDK-8301216: ForkJoinPool invokeAll() ignores timeout - JDK-8301338: Identical branch conditions in CompileBroker::print_heapinfo - JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument - JDK-8301637: ThreadLocalRandom.current().doubles().parallel() contention - JDK-8301661: Enhance os::pd_print_cpu_info on macOS and Windows - JDK-8302151: BMPImageReader throws an exception reading BMP images - JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined must respect ForceInline - JDK-8302320: AsyncGetCallTrace obtains too few frames in sanity test - JDK-8302491: NoClassDefFoundError omits the original cause of an error - JDK-8302508: Add timestamp to the output TraceCompilerThreads - JDK-8302594: use-after-free in Node::destruct - JDK-8302595: use-after-free related to GraphKit::clone_map - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message - JDK-8302849: SurfaceManager might expose partially constructed object - JDK-8303069: Memory leak in CompilerOracle::parse_from_line - JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than O_BUFLEN - JDK-8303130: Document required Accessibility permissions on macOS - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8 - JDK-8303440: The 'ZonedDateTime.parse' may not accept the 'UTC+XX' zone id - JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show all trusted certificates - JDK-8303476: Add the runtime version in the release file of a JDK image - JDK-8303482: Update LCMS to 2.15 - JDK-8303508: Vector.lane() gets wrong value on x86 - JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling - JDK-8303564: C2: 'Bad graph detected in build_loop_late' after a CMove is wrongly split thru phi - JDK-8303575: adjust Xen handling on Linux aarch64 - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call in early potential CHECK_NULL return - JDK-8303588: [JVMCI] make JVMCI source directories conform with standard layout - JDK-8303809: Dispose context in SPNEGO NegotiatorImpl - JDK-8303822: gtestMain should give more helpful output - JDK-8303861: Error handling step timeouts should never be blocked by OnError and others - JDK-8303937: Corrupted heap dumps due to missing retries for os::write() - JDK-8303949: gcc10 warning Linux ppc64le - note: the layout of aggregates containing vectors with 8-byte alignment has changed in GCC 5 - JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion in case no fonts are installed - JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java fails when checking LD_LIBRARY_PATH - JDK-8304134: jib bootstrapper fails to quote filename when checking download filetype - JDK-8304291: [AIX] Broken build after JDK-8301998 - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998 - JDK-8304350: Font.getStringBounds calculates wrong width for TextAttribute.TRACKING other than 0.0 - JDK-8304671: javac regression: Compilation with --release 8 fails on underscore in enum identifiers - JDK-8304683: Memory leak in WB_IsMethodCompatible - JDK-8304760: Add 2 Microsoft TLS roots - JDK-8304867: Explicitly disable dtrace for ppc builds - JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with ZGC - JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic - JDK-8305113: (tz) Update Timezone Data to 2023c - JDK-8305400: ISO 4217 Amendment 175 Update - JDK-8305403: Shenandoah evacuation workers may deadlock - JDK-8305481: gtest is_first_C_frame failing on ARM - JDK-8305690: [X86] Do not emit two REX prefixes in Assembler::prefix - JDK-8305711: Arm: C2 always enters slowpath for monitorexit - JDK-8305721: add `make compile-commands` artifacts to .gitignore - JDK-8305975: Add TWCA Global Root CA - JDK-8305993: Add handleSocketErrorWithMessage to extend nio Net.c exception message - JDK-8305994: Guarantee eventual async monitor deflation - JDK-8306072: Open source several AWT MouseInfo related tests - JDK-8306133: Open source few AWT Drag & Drop related tests - JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent related tests - JDK-8306432: Open source several AWT Text Component related tests - JDK-8306466: Open source more AWT Drag & Drop related tests - JDK-8306489: Open source AWT List related tests - JDK-8306543: GHA: MSVC installation is failing - JDK-8306640: Open source several AWT TextArea related tests - JDK-8306652: Open source AWT MenuItem related tests - JDK-8306658: GHA: MSVC installation could be optional since it might already be pre-installed - JDK-8306664: GHA: Update MSVC version to latest stepping - JDK-8306681: Open source more AWT DnD related tests - JDK-8306683: Open source several clipboard and color AWT tests - JDK-8306752: Open source several container and component AWT tests - JDK-8306753: Open source several container AWT tests - JDK-8306755: Open source few Swing JComponent and AbstractButton tests - JDK-8306768: CodeCache Analytics reports wrong threshold - JDK-8306774: Make runtime/Monitor/ /GuaranteedAsyncDeflationIntervalTest.java more reliable - JDK-8306825: Monitor deflation might be accidentally disabled by zero intervals - JDK-8306850: Open source AWT Modal related tests - JDK-8306871: Open source more AWT Drag & Drop tests - JDK-8306883: Thread stacksize is reported with wrong units in os::create_thread logging - JDK-8306941: Open source several datatransfer and dnd AWT tests - JDK-8306943: Open source several dnd AWT tests - JDK-8306954: Open source five Focus related tests - JDK-8306955: Open source several JComboBox jtreg tests - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep - JDK-8306996: Open source Swing MenuItem related tests - JDK-8307080: Open source some more JComboBox jtreg tests - JDK-8307128: Open source some drag and drop tests 4 - JDK-8307130: Open source few Swing JMenu tests - JDK-8307133: Open source some JTable jtreg tests - JDK-8307134: Add GTS root CAs - JDK-8307135: java/awt/dnd/NotReallySerializableTest/ /NotReallySerializableTest.java failed - JDK-8307331: Correctly update line maps when class redefine rewrites bytecodes - JDK-8307346: Add missing gc+phases logging for ObjectCount(AfterGC) JFR event collection code - JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could leave files owned by root on macOS - JDK-8307378: Allow collectors to provide specific values for GC notifications' actions - JDK-8307381: Open Source JFrame, JIF related Swing Tests - JDK-8307425: Socket input stream read burns CPU cycles with back-to-back poll(0) calls - JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has invalid jtreg `@requires` clause - JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not removed from ExternalEditorTest - JDK-8308880: [17u] micro bench ZoneStrings missed in backport of 8278434 - JDK-8308884: [17u/11u] Backout JDK-8297951 - JDK-8311467: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8

This update for java-17-openjdk fixes the following issues:

• Fix a regression where the validation would reject valid zip64 (zip with 64-bit offset extensions)

This update for java-17-openjdk fixes the following issues:

• Updated to JDK 17.0.9+9 (October 2023 CPU):

This update for adcli fixes the following issues:

• Populate Samba's secrets database using offline domain join (bsc#1214076)
• Write SID before secret to Samba's db (bsc#1214076)

This update for java-17-openjdk fixes the following issues:
Updated to version 17.0.10 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM due to a missing bounds check (bsc#1218907). - CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class file verifier (bsc#1218903). - CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM that could lead to corruption of JVM memory (bsc#1218905). - CVE-2024-20932: Fixed an incorrect handling of ZIP files with duplicate entries (bsc#1218908). - CVE-2024-20945: Fixed a potential private key leak through debug logs (bsc#1218909). - CVE-2024-20952: Fixed an RSA padding issue and timing side-channel attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029089.html

This update for java-17-openjdk fixes the following issues:

• Recommend mozilla-nss-sysinit in order to have available the /etc/pki/nssdb directory and its content, required in fips mode (bsc#1219662).
• Do not install our crafted nss.fips.cfg file, but use the one that the build produces with our fips.patch applied.

This update for c-ares fixes the following issues:

• CVE-2024-25629: Fixed out of bounds read in ares__read_line() (bsc#1220279).

This update for tftp fixes the following issue:

• Allow enabling the service via `systemctl enable tftp` to create the tftp.socket symlink (bsc#1215520)

This update for libzypp, zypper fixes the following issues:

• Fix creation of sibling cache dirs with too restrictive mode (bsc#1222398)
• Update RepoStatus fromCookieFile according to the files mtime (bsc#1222086)
• TmpFile: Don't call chmod if makeSibling failed
• Fixup New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
• Add resolver option 'removeOrphaned' for distupgrade (bsc#1221525)
• New VendorSupportOption flag VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
• Add default stripe minimum
• Don't expose std::optional where YAST/PK explicitly use c++11.
• Digest: Avoid using the deprecated OPENSSL_config
• version 17.32.0
• ProblemSolution::skipsPatchesOnly overload to handout the patches
• Show active dry-run/download-only at the commit propmpt
• Add --skip-not-applicable-patches option
• Fix printing detailed solver problem description
• Fix bash-completion to work with right adjusted numbers in the 1st column too
• Set libzypp shutdown request signal on Ctrl+C
• In the detailed view show all baseurls not just the first one (bsc#1218171)

This update for tomcat fixes the following issues:

• CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
• CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)

• Update to Tomcat 9.0.87 * Catalina + Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm) + Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt) + Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm) + Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt) + Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt) + Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm) + Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm) + Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt) + Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt) + Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt) + Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt) * Coyote + Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext. + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm) + Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt) + Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a JVM crash during Tomcat shutdown. (markt) + Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt) + Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt) + Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt) * Jasper + Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) + Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) * Cluster + Fix: Avoid updating request count stats on async. (remm) * WebSocket + Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt) * Web applications + Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz) * Other + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Update: Update Checkstyle to 10.13.0. (markt) + Update: Update JSign to 6.0. (markt) + Update: Add strings for debug level messages. (remm) + Update: Update Tomcat Native to 1.3.0. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt)

This update for shim fixes the following issues:

• Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
• Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460)

• mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
• avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
• Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
• Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
• pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
• pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)

• Generate dbx during build so we don't include binary files in sources
• Don't require grub so shim can still be used with systemd-boot
• Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855)
• Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade

• Update shim-install to amend full disk encryption support - Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector - Use the long name to specify the grub2 key protector - cryptodisk: support TPM authorized policies - Do not use tpm_record_pcrs unless the command is in command.lst

• Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)

This update for ca-certificates fixes the following issue:

• Update version (bsc#1221184) * Use flock to serialize calls (bsc#1188500) * Make certbundle.run container friendly * Create /var/lib/ca-certificates if needed

This update for python-idna fixes the following issues:

• CVE-2024-3651: Fixed potential DoS via resource consumption via specially crafted inputs to idna.encode() (bsc#1222842).

This update for vim fixes the following issues:

• Fix segmentation fault after updating to version 9.1.0111-150500.20.9.1 (bsc#1220763)

This update for aaa_base fixes the following issues:

• home and end button not working from ssh client (bsc#1221407)
• use autosetup in prep stage of specfile
• drop the stderr redirection for csh (bsc#1221361)
• drop sysctl.d/50-default-s390.conf (bsc#1211721)
• make sure the script does not exit with 1 if a file with content is found (bsc#1222547)

This update for java-11-openjdk fixes the following issues:

• CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
• CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
• CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
• CVE-2024-21085: Fixed denial of service due to Pack200 excessive memory allocation (JDK-8322114,bsc#1222984)
• CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)

• Upgrade to upstream tag jdk-11.0.23+9 (April 2024 CPU) * Security fixes + JDK-8318340: Improve RSA key implementations * Other changes + JDK-6928542: Chinese characters in RTF are not decoded + JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/ /bug4517214.java fails on MacOS + JDK-7148092: [macosx] When Alt+down arrow key is pressed, the combobox popup does not appear. + JDK-8054022: HttpURLConnection timeouts with Expect: 100-Continue and no chunking + JDK-8054572: [macosx] JComboBox paints the border incorrectly + JDK-8058176: [mlvm] tests should not allow code cache exhaustion + JDK-8067651: LevelTransitionTest.java, fix trivial methods levels logic + JDK-8068225: nsk/jdi/EventQueue/remove_l/remove_l005 intermittently times out + JDK-8156889: ListKeychainStore.sh fails in some virtualized environments + JDK-8166275: vm/mlvm/meth/stress/compiler/deoptimize keeps timeouting + JDK-8166554: Avoid compilation blocking in OverloadCompileQueueTest.java + JDK-8169475: WheelModifier.java fails by timeout + JDK-8180266: Convert sun/security/provider/KeyStore/DKSTest.sh to Java Jtreg Test + JDK-8186610: move ModuleUtils to top-level testlibrary + JDK-8192864: defmeth tests can hide failures + JDK-8193543: Regression automated test '/open/test/jdk/java/ /awt/TrayIcon/SystemTrayInstance/SystemTrayInstanceTest.java' fails + JDK-8198668: MemoryPoolMBean/isUsageThresholdExceeded/ /isexceeded001/TestDescription.java still failing + JDK-8202282: [TESTBUG] appcds TestCommon .makeCommandLineForAppCDS() can be removed + JDK-8202790: DnD test DisposeFrameOnDragTest.java does not clean up + JDK-8202931: [macos] java/awt/Choice/ChoicePopupLocation/ /ChoicePopupLocation.java fails + JDK-8207211: [TESTBUG] Remove excessive output from CDS/AppCDS tests + JDK-8207214: Broken links in JDK API serialized-form page + JDK-8207855: Make applications/jcstress invoke tests in batches + JDK-8208243: vmTestbase/gc/lock/jni/jnilock002/ /TestDescription.java fails in jdk/hs nightly + JDK-8208278: [mlvm] [TESTBUG] vm.mlvm.mixed.stress.java .findDeadlock.INDIFY_Test Deadlocked threads are not always detected + JDK-8208623: [TESTBUG] runtime/LoadClass/LongBCP.java fails in AUFS file system + JDK-8208699: remove unneeded imports from runtime tests + JDK-8208704: runtime/appcds/MultiReleaseJars.java timed out often in hs-tier7 testing + JDK-8208705: [TESTBUG] The -Xlog:cds,cds+hashtables vm option is not always required for appcds tests + JDK-8209549: remove VMPropsExt from TEST.ROOT + JDK-8209595: MonitorVmStartTerminate.java timed out + JDK-8209946: [TESTBUG] CDS tests should use '@run driver' + JDK-8211438: [Testbug] runtime/XCheckJniJsig/XCheckJSig.java looks for libjsig in wrong location + JDK-8211978: Move testlibrary/jdk/testlibrary/ /SimpleSSLContext.java and testkeys to network testlibrary + JDK-8213622: Windows VS2013 build failure - ''snprintf': identifier not found' + JDK-8213926: WB_EnqueueInitializerForCompilation requests compilation for NULL + JDK-8213927: G1 ignores AlwaysPreTouch when UseTransparentHugePages is enabled + JDK-8214908: add ctw tests for jdk.jfr and jdk.management.jfr modules + JDK-8214915: CtwRunner misses export for jdk.internal.access + JDK-8216408: XMLStreamWriter setDefaultNamespace(null) throws NullPointerException + JDK-8217475: Unexpected StackOverflowError in 'process reaper' thread + JDK-8218754: JDK-8068225 regression in JDIBreakpointTest + JDK-8219475: javap man page needs to be updated + JDK-8219585: [TESTBUG] sun/management/jmxremote/bootstrap/ /JMXInterfaceBindingTest.java passes trivially when it shouldn't + JDK-8219612: [TESTBUG] compiler.codecache.stress.Helper .TestCaseImpl can't be defined in different runtime package as its nest host + JDK-8225471: Test utility jdk.test.lib.util.FileUtils .areAllMountPointsAccessible needs to tolerate duplicates + JDK-8226706: (se) Reduce the number of outer loop iterations on Windows in java/nio/channels/Selector/RacyDeregister.java + JDK-8226905: unproblem list applications/ctw/modules/* tests on windows + JDK-8226910: make it possible to use jtreg's -match via run-test framework + JDK-8227438: [TESTLIB] Determine if file exists by Files.exists in function FileUtils.deleteFileIfExistsWithRetry + JDK-8231585: java/lang/management/ThreadMXBean/ /MaxDepthForThreadInfoTest.java fails with java.lang.NullPointerException + JDK-8232839: JDI AfterThreadDeathTest.java failed due to 'FAILED: Did not get expected IllegalThreadStateException on a StepRequest.enable()' + JDK-8233453: MLVM deoptimize stress test timed out + JDK-8234309: LFGarbageCollectedTest.java fails with parse Exception + JDK-8237222: [macos] java/awt/Focus/UnaccessibleChoice/ /AccessibleChoiceTest.java fails + JDK-8237777: 'Dumping core ...' is shown despite claiming that '# No core dump will be written.' + JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java failing with LDAP response read timeout + JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel + JDK-8239801: [macos] java/awt/Focus/UnaccessibleChoice/ /AccessibleChoiceTest.java fails + JDK-8244679: JVM/TI GetCurrentContendedMonitor/contmon001 failed due to '(IsSameObject#3) unexpected monitor object: 0x000000562336DBA8' + JDK-8246222: Rename javac test T6395981.java to be more informative + JDK-8247818: GCC 10 warning stringop-overflow with symbol code + JDK-8249087: Always initialize _body[0..1] in Symbol constructor + JDK-8251349: Add TestCaseImpl to OverloadCompileQueueTest.java's build dependencies + JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/ /btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR + JDK-8253543: sanity/client/SwingSet/src/ /ButtonDemoScreenshotTest.java failed with 'AssertionError: All pixels are not black' + JDK-8253739: java/awt/image/MultiResolutionImage/ /MultiResolutionImageObserverTest.java fails + JDK-8253820: Save test images and dumps with timestamps from client sanity suite + JDK-8255277: randomDelay in DrainDeadlockT and LoggingDeadlock do not randomly delay + JDK-8255546: Missing coverage for javax.smartcardio.CardPermission and ResponseAPDU + JDK-8255743: Relax SIGFPE match in in runtime/ErrorHandling/SecondaryErrorTest.java + JDK-8257505: nsk/share/test/StressOptions stressTime is scaled in getter but not when printed + JDK-8259801: Enable XML Signature secure validation mode by default + JDK-8264135: UnsafeGetStableArrayElement should account for different JIT implementation details + JDK-8265349: vmTestbase/../stress/compiler/deoptimize/ /Test.java fails with OOME due to CodeCache exhaustion. + JDK-8269025: jsig/Testjsig.java doesn't check exit code + JDK-8269077: TestSystemGC uses 'require vm.gc.G1' for large pages subtest + JDK-8271094: runtime/duplAttributes/DuplAttributesTest.java doesn't check exit code + JDK-8271224: runtime/EnclosingMethodAttr/EnclMethodAttr.java doesn't check exit code + JDK-8271828: mark hotspot runtime/classFileParserBug tests which ignore external VM flags + JDK-8271829: mark hotspot runtime/Throwable tests which ignore external VM flags + JDK-8271890: mark hotspot runtime/Dictionary tests which ignore external VM flags + JDK-8272291: mark hotspot runtime/logging tests which ignore external VM flags + JDK-8272335: runtime/cds/appcds/MoveJDKTest.java doesn't check exit codes + JDK-8272551: mark hotspot runtime/modules tests which ignore external VM flags + JDK-8272552: mark hotspot runtime/cds tests which ignore external VM flags + JDK-8273803: Zero: Handle 'zero' variant in CommandLineOptionTest.java + JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + JDK-8274621: NullPointerException because listenAddress[0] is null + JDK-8276796: gc/TestSystemGC.java large pages subtest fails with ZGC + JDK-8280007: Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 + JDK-8281149: (fs) java/nio/file/FileStore/Basic.java fails with java.lang.RuntimeException: values differ by more than 1GB + JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/ /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from problemlist. + JDK-8281717: Cover logout method for several LoginModule + JDK-8282665: [REDO] ByteBufferTest.java: replace endless recursion with RuntimeException in void ck(double x, double y) + JDK-8284090: com/sun/security/auth/module/AllPlatforms.java fails to compile + JDK-8285756: clean up use of bad arguments for `@clean` in langtools tests + JDK-8285785: CheckCleanerBound test fails with PasswordCallback object is not released + JDK-8285867: Convert applet manual tests SelectionVisible.java to Frame and automate + JDK-8286846: test/jdk/javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java fails on mac aarch64 + JDK-8286969: Add a new test library API to execute kinit in SecurityTools.java + JDK-8287113: JFR: Periodic task thread uses period for method sampling events + JDK-8289511: Improve test coverage for XPath Axes: child + JDK-8289764: gc/lock tests failed with 'OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects' + JDK-8289948: Improve test coverage for XPath functions: Node Set Functions + JDK-8290399: [macos] Aqua LAF does not fire an action event if combo box menu is displayed + JDK-8290909: MemoryPoolMBean/isUsageThresholdExceeded tests failed with 'isUsageThresholdExceeded() returned false, and is still false, while threshold = MMMMMMM and used peak = NNNNNNN' + JDK-8292182: [TESTLIB] Enhance JAXPPolicyManager to setup required permissions for jtreg version 7 jar + JDK-8292946: GC lock/jni/jnilock001 test failed 'assert(gch->gc_cause() == GCCause::_scavenge_alot || !gch->incremental_collection_failed()) failed: Twice in a row' + JDK-8293819: sun/util/logging/PlatformLoggerTest.java failed with 'RuntimeException: Retrieved backing PlatformLogger level null is not the expected CONFIG' + JDK-8294158: HTML formatting for PassFailJFrame instructions + JDK-8294254: [macOS] javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java failure + JDK-8294402: Add diagnostic logging to VMProps.checkDockerSupport + JDK-8294535: Add screen capture functionality to PassFailJFrame + JDK-8296083: javax/swing/JTree/6263446/bug6263446.java fails intermittently on a VM + JDK-8296384: [TESTBUG] sun/security/provider/SecureRandom/ /AbstractDrbg/SpecTest.java intermittently timeout + JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java failed: ExceptionInInitializerError: target class not found + JDK-8300269: The selected item in an editable JComboBox with titled border is not visible in Aqua LAF + JDK-8300727: java/awt/List/ListGarbageCollectionTest/ /AwtListGarbageCollectionTest.java failed with 'List wasn't garbage collected' + JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + JDK-8301377: adjust timeout for JLI GetObjectSizeIntrinsicsTest.java subtest again + JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + JDK-8302017: Allocate BadPaddingException only if it will be thrown + JDK-8302109: Trivial fixes to btree tests + JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/TestAMEnotNPE.java + JDK-8302607: increase timeout for ContinuousCallSiteTargetChange.java + JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM + JDK-8304314: StackWalkTest.java fails after CODETOOLS-7903373 + JDK-8304725: AsyncGetCallTrace can cause SIGBUS on M1 + JDK-8305502: adjust timeouts in three more M&M tests + JDK-8305505: NPE in javazic compiler + JDK-8305972: Update XML Security for Java to 3.0.2 + JDK-8306072: Open source several AWT MouseInfo related tests + JDK-8306076: Open source AWT misc tests + JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent related tests + JDK-8306640: Open source several AWT TextArea related tests + JDK-8306652: Open source AWT MenuItem related tests + JDK-8306681: Open source more AWT DnD related tests + JDK-8306683: Open source several clipboard and color AWT tests + JDK-8306752: Open source several container and component AWT tests + JDK-8306753: Open source several container AWT tests + JDK-8306755: Open source few Swing JComponent and AbstractButton tests + JDK-8306812: Open source several AWT Miscellaneous tests + JDK-8306871: Open source more AWT Drag & Drop tests + JDK-8306996: Open source Swing MenuItem related tests + JDK-8307123: Fix deprecation warnings in DPrinter + JDK-8307130: Open source few Swing JMenu tests + JDK-8307299: Move more DnD tests to open + JDK-8307311: Timeouts on one macOS 12.6.1 host of two Swing JTableHeader tests + JDK-8307381: Open Source JFrame, JIF related Swing Tests + JDK-8307683: Loop Predication should not hoist range checks with trap on success projection by negating their condition + JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC while allocating + JDK-8308116: jdk.test.lib.compiler.InMemoryJavaCompiler .compile does not close files + JDK-8308223: failure handler missed jcmd.vm.info command + JDK-8308232: nsk/jdb tests don't pass -verbose flag to the debuggee + JDK-8308245: Add -proc:full to describe current default annotation processing policy + JDK-8308336: Test java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java failed: java.net.BindException: Address already in use + JDK-8309104: [JVMCI] compiler/unsafe/ /UnsafeGetStableArrayElement test asserts wrong values with Graal + JDK-8309119: [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication + JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/ /agentthr001/TestDescription.java crashing due to empty while loop + JDK-8309778: java/nio/file/Files/CopyAndMove.java fails when using second test directory + JDK-8309870: Using -proc:full should be considered requesting explicit annotation processing + JDK-8310106: sun.security.ssl.SSLHandshake .getHandshakeProducer() incorrectly checks handshakeConsumers + JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/ /bug6889007.java fails + JDK-8310551: vmTestbase/nsk/jdb/interrupt/interrupt001/ /interrupt001.java timed out due to missing prompt + JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + JDK-8311511: Improve description of NativeLibrary JFR event + JDK-8311585: Add JRadioButtonMenuItem to bug8031573.java + JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + JDK-8313164: src/java.desktop/windows/native/libawt/windows/ /awt_Robot.cpp GetRGBPixels adjust releasing of resources + JDK-8313252: Java_sun_awt_windows_ThemeReader_paintBackground release resources in early returns + JDK-8313643: Update HarfBuzz to 8.2.2 + JDK-8313816: Accessing jmethodID might lead to spurious crashes + JDK-8314144: gc/g1/ihop/TestIHOPStatic.java fails due to extra concurrent mark with -Xcomp + JDK-8314164: java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + JDK-8314883: Java_java_util_prefs_FileSystemPreferences_lockFile0 write result errno in missing case + JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + JDK-8315042: NPE in PKCS7.parseOldSignedData + JDK-8315415: OutputAnalyzer.shouldMatchByLine() fails in some cases + JDK-8315499: build using devkit on Linux ppc64le RHEL puts path to devkit into libsplashscreen + JDK-8315594: Open source few headless Swing misc tests + JDK-8315600: Open source few more headless Swing misc tests + JDK-8315602: Open source swing security manager test + JDK-8315606: Open source few swing text/html tests + JDK-8315611: Open source swing text/html and tree test + JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + JDK-8315731: Open source several Swing Text related tests + JDK-8315761: Open source few swing JList and JMenuBar tests + JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/ /bug4654927.java: component must be showing on the screen to determine its location + JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + JDK-8316028: Update FreeType to 2.13.2 + JDK-8316030: Update Libpng to 1.6.40 + JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + JDK-8316461: Fix: make test outputs TEST SUCCESS after unsuccessful exit + JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + JDK-8317307: test/jdk/com/sun/jndi/ldap/ /LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + JDK-8317327: Remove JT_JAVA dead code in jib-profiles.js + JDK-8318154: Improve stability of WheelModifier.java test + JDK-8318410: jdk/java/lang/instrument/BootClassPath/ /BootClassPathTest.sh fails on Japanese Windows + JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with 'transport error 202: bind failed: Address already in use' + JDK-8318889: C2: add bailout after assert Bad graph detected in build_loop_late + JDK-8318951: Additional negative value check in JPEG decoding + JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + JDK-8318983: Fix comment typo in PKCS12Passwd.java + JDK-8319124: Update XML Security for Java to 3.0.3 + JDK-8319456: jdk/jfr/event/gc/collection/ /TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + JDK-8320208: Update Public Suffix List to b5bf572 + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + JDK-8320798: Console read line with zero out should zero out underlying buffer + JDK-8320884: Bump update version for OpenJDK: jdk-11.0.23 + JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + JDK-8321408: Add Certainly roots R1 and E1 + JDK-8321480: ISO 4217 Amendment 176 Update + JDK-8322178: Error. can't find jdk.testlibrary .SimpleSSLContext in test directory or libraries + JDK-8322417: Console read line with zero out should zero out when throwing exception + JDK-8322725: (tz) Update Timezone Data to 2023d + JDK-8322750: Test 'api/java_awt/interactive/ /SystemTrayTests.html' failed because A blue ball icon is added outside of the system tray + JDK-8322752: [11u] GetStackTraceAndRetransformTest.java is failing assert + JDK-8322772: Clean up code after JDK-8322417 + JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + JDK-8323515: Create test alias 'all' for all test roots + JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/ /platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + JDK-8324184: Windows VS2010 build failed with 'error C2275: 'int64_t'' + JDK-8324307: [11u] hotspot fails to build with GCC 12 and newer (non-static data member initializers) + JDK-8324347: Enable 'maybe-uninitialized' warning for FreeType 2.13.1 + JDK-8324659: GHA: Generic jtreg errors are not reported + JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/ /AKISerialNumber.java is failing + JDK-8325150: (tz) Update Timezone Data to 2024a + JDK-8326109: GCC 13 reports maybe-uninitialized warnings for jni.cpp with dtrace enabled + JDK-8326503: [11u] java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java fail because of package org.junit.jupiter.api does not exist + JDK-8327391: Add SipHash attribution file + JDK-8329837: [11u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.23

• Removed the possibility to use the system timezone-java (bsc#1213470)

This update for java-17-openjdk fixes the following issues:

• CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
• CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
• CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
• CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with 'Exceeded _node_regs array' (JDK-8317507,JDK-8325348,bsc#1222986)

• Update to upstream tag jdk-17.0.11+9 (April 2024 CPU) * Security fixes + JDK-8318340: Improve RSA key implementations * Other changes + JDK-6928542: Chinese characters in RTF are not decoded + JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/ /bug4517214.java fails on MacOS + JDK-7148092: [macosx] When Alt+down arrow key is pressed, the combobox popup does not appear. + JDK-7167356: (javac) investigate failing tests in JavacParserTest + JDK-8054022: HttpURLConnection timeouts with Expect: 100-Continue and no chunking + JDK-8054572: [macosx] JComboBox paints the border incorrectly + JDK-8169475: WheelModifier.java fails by timeout + JDK-8205076: [17u] Inet6AddressImpl.c: `lookupIfLocalHost` accesses `int InetAddress.preferIPv6Address` as a boolean + JDK-8209595: MonitorVmStartTerminate.java timed out + JDK-8210410: Refactor java.util.Currency:i18n shell tests to plain java tests + JDK-8261404: Class.getReflectionFactory() is not thread-safe + JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from + JDK-8263256: Test java/net/Inet6Address/serialize/ /Inet6AddressSerializationTest.java fails due to dynamic reconfigurations of network interface during test + JDK-8269258: java/net/httpclient/ManyRequestsLegacy.java failed with connection timeout + JDK-8271118: C2: StressGCM should have higher priority than frequency-based policy + JDK-8271616: oddPart in MutableBigInteger::mutableModInverse contains info on final result + JDK-8272811: Document the effects of building with _GNU_SOURCE in os_posix.hpp + JDK-8272853: improve `JavadocTester.runTests` + JDK-8273454: C2: Transform (-a)*(-b) into a*b + JDK-8274060: C2: Incorrect computation after JDK-8273454 + JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java fails in Windows 11 + JDK-8274621: NullPointerException because listenAddress[0] is null + JDK-8274632: Possible pointer overflow in PretouchTask chunk claiming + JDK-8274634: Use String.equals instead of String.compareTo in java.desktop + JDK-8276125: RunThese24H.java SIGSEGV in JfrThreadGroup::thread_group_id + JDK-8278028: [test-library] Warnings cleanup of the test library + JDK-8278312: Update SimpleSSLContext keystore to use SANs for localhost IP addresses + JDK-8278363: Create extented container test groups + JDK-8280241: (aio) AsynchronousSocketChannel init fails in IPv6 only Windows env + JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/ /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from problemlist. + JDK-8281543: Remove unused code/headerfile dtraceAttacher.hpp + JDK-8281585: Remove unused imports under test/lib and jtreg/gc + JDK-8283400: [macos] a11y : Screen magnifier does not reflect JRadioButton value change + JDK-8283626: AArch64: Set relocInfo::offset_unit to 4 + JDK-8283994: Make Xerces DatatypeException stackless + JDK-8286312: Stop mixing signed and unsigned types in bit operations + JDK-8286846: test/jdk/javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java fails on mac aarch64 + JDK-8287832: jdk/jfr/event/runtime/TestActiveSettingEvent.java failed with 'Expected two batches of Active Setting events' + JDK-8288663: JFR: Disabling the JfrThreadSampler commits only a partially disabled state + JDK-8288846: misc tests fail 'assert(ms < 1000) failed: Un-interruptable sleep, short time use only' + JDK-8289764: gc/lock tests failed with 'OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects' + JDK-8290041: ModuleDescriptor.hashCode is inconsistent + JDK-8290203: ProblemList vmTestbase/nsk/jvmti/scenarios/ /capability/CM03/cm03t001/TestDescription.java on linux-all + JDK-8290399: [macos] Aqua LAF does not fire an action event if combo box menu is displayed + JDK-8292458: Atomic operations on scoped enums don't build with clang + JDK-8292946: GC lock/jni/jnilock001 test failed 'assert(gch->gc_cause() == GCCause::_scavenge_alot || !gch->incremental_collection_failed()) failed: Twice in a row' + JDK-8293117: Add atomic bitset functions + JDK-8293547: Add relaxed add_and_fetch for macos aarch64 atomics + JDK-8294158: HTML formatting for PassFailJFrame instructions + JDK-8294254: [macOS] javax/swing/plaf/aqua/ /CustomComboBoxFocusTest.java failure + JDK-8294535: Add screen capture functionality to PassFailJFrame + JDK-8295068: SSLEngine throws NPE parsing CertificateRequests + JDK-8295124: Atomic::add to pointer type may return wrong value + JDK-8295274: HelidonAppTest.java fails 'assert(event->should_commit()) failed: invariant' from compiled frame' + JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts + JDK-8297968: Crash in PrintOptoAssembly + JDK-8298087: XML Schema Validation reports an required attribute twice via ErrorHandler + JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java failed: ExceptionInInitializerError: target class not found + JDK-8300269: The selected item in an editable JComboBox with titled border is not visible in Aqua LAF + JDK-8301306: java/net/httpclient/* fail with -Xcomp + JDK-8301310: The SendRawSysexMessage test may cause a JVM crash + JDK-8301787: java/net/httpclient/SpecialHeadersTest failing after JDK-8301306 + JDK-8301846: Invalid TargetDataLine after screen lock when using JFileChooser or COM library + JDK-8302017: Allocate BadPaddingException only if it will be thrown + JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/ /TestAMEnotNPE.java + JDK-8303605: Memory leaks in Metaspace gtests + JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM + JDK-8304696: Duplicate class names in dynamicArchive tests can lead to test failure + JDK-8305356: Fix ignored bad CompileCommands in tests + JDK-8305900: Use loopback IP addresses in security policy files of httpclient tests + JDK-8305906: HttpClient may use incorrect key when finding pooled HTTP/2 connection for IPv6 address + JDK-8305962: update jcstress to 0.16 + JDK-8305972: Update XML Security for Java to 3.0.2 + JDK-8306014: Update javax.net.ssl TLS tests to use SSLContextTemplate or SSLEngineTemplate + JDK-8306408: Fix the format of several tables in building.md + JDK-8307185: pkcs11 native libraries make JNI calls into java code while holding GC lock + JDK-8307926: Support byte-sized atomic bitset operations + JDK-8307955: Prefer to PTRACE_GETREGSET instead of PTRACE_GETREGS in method 'ps_proc.c::process_get_lwp_regs' + JDK-8307990: jspawnhelper must close its writing side of a pipe before reading from it + JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC while allocating + JDK-8308245: Add -proc:full to describe current default annotation processing policy + JDK-8308336: Test java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java failed: java.net.BindException: Address already in use + JDK-8309302: java/net/Socket/Timeouts.java fails with AssertionError on test temporal post condition + JDK-8309305: sun/security/ssl/SSLSocketImpl/ /BlockedAsyncClose.java fails with jtreg test timeout + JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/ /agentthr001/TestDescription.java crashing due to empty while loop + JDK-8309733: [macOS, Accessibility] VoiceOver: Incorrect announcements of JRadioButton + JDK-8309870: Using -proc:full should be considered requesting explicit annotation processing + JDK-8310106: sun.security.ssl.SSLHandshake .getHandshakeProducer() incorrectly checks handshakeConsumers + JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/ /bug6889007.java fails + JDK-8310380: Handle problems in core-related tests on macOS when codesign tool does not work + JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is spuriously passing + JDK-8310807: java/nio/channels/DatagramChannel/Connect.java timed out + JDK-8310838: Correct range notations in MethodTypeDesc specification + JDK-8310844: [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate + JDK-8310923: Refactor Currency tests to use JUnit + JDK-8311081: KeytoolReaderP12Test.java fail on localized Windows platform + JDK-8311160: [macOS, Accessibility] VoiceOver: No announcements on JRadioButtonMenuItem and JCheckBoxMenuItem + JDK-8311581: Remove obsolete code and comments in TestLVT.java + JDK-8311645: Memory leak in jspawnhelper spawnChild after JDK-8307990 + JDK-8311986: Disable runtime/os/TestTracePageSizes.java for ShenandoahGC + JDK-8312428: PKCS11 tests fail with NSS 3.91 + JDK-8312434: SPECjvm2008/xml.transform with CDS fails with 'can't seal package nu.xom' + JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074 + JDK-8313082: Enable CreateCoredumpOnCrash for testing in makefiles + JDK-8313206: PKCS11 tests silently skip execution + JDK-8313575: Refactor PKCS11Test tests + JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/ /TestFloatingDecimal should use RandomFactory + JDK-8313643: Update HarfBuzz to 8.2.2 + JDK-8313816: Accessing jmethodID might lead to spurious crashes + JDK-8314164: java/net/HttpURLConnection/ /HttpURLConnectionExpectContinueTest.java fails intermittently in timeout + JDK-8314220: Configurable InlineCacheBuffer size + JDK-8314830: runtime/ErrorHandling/ tests ignore external VM flags + JDK-8315034: File.mkdirs() occasionally fails to create folders on Windows shared folder + JDK-8315042: NPE in PKCS7.parseOldSignedData + JDK-8315594: Open source few headless Swing misc tests + JDK-8315600: Open source few more headless Swing misc tests + JDK-8315602: Open source swing security manager test + JDK-8315611: Open source swing text/html and tree test + JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should run with -Xbatch + JDK-8315731: Open source several Swing Text related tests + JDK-8315761: Open source few swing JList and JMenuBar tests + JDK-8315920: C2: 'control input must dominate current control' assert failure + JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/ /bug4654927.java: component must be showing on the screen to determine its location + JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use createTestJvm + JDK-8316028: Update FreeType to 2.13.2 + JDK-8316030: Update Libpng to 1.6.40 + JDK-8316106: Open source few swing JInternalFrame and JMenuBar tests + JDK-8316304: (fs) Add support for BasicFileAttributes .creationTime() for Linux + JDK-8316392: compiler/interpreter/ /TestVerifyStackAfterDeopt.java failed with SIGBUS in PcDescContainer::find_pc_desc_internal + JDK-8316414: C2: large byte array clone triggers 'failed: malformed control flow' assertion failure on linux-x86 + JDK-8316415: Parallelize sun/security/rsa/SignedObjectChain.java subtests + JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java get OOM killed with Parallel GC + JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/ /CheckOrigin.java as vm.flagless + JDK-8316679: C2 SuperWord: wrong result, load should not be moved before store if not comparable + JDK-8316693: Simplify at-requires checkDockerSupport() + JDK-8316929: Shenandoah: Shenandoah degenerated GC and full GC need to cleanup old OopMapCache entries + JDK-8316947: Write a test to check textArea triggers MouseEntered/MouseExited events properly + JDK-8317039: Enable specifying the JDK used to run jtreg + JDK-8317144: Exclude sun/security/pkcs11/sslecc/ /ClientJSSEServerJSSE.java on Linux ppc64le + JDK-8317307: test/jdk/com/sun/jndi/ldap/ /LdapPoolTimeoutTest.java fails with ConnectException: Connection timed out: no further information + JDK-8317603: Improve exception messages thrown by sun.nio.ch.Net native methods (win) + JDK-8317771: [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma + JDK-8317807: JAVA_FLAGS removed from jtreg running in JDK-8317039 + JDK-8317960: [17u] Excessive CPU usage on AbstractQueuedSynchronized.isEnqueued + JDK-8318154: Improve stability of WheelModifier.java test + JDK-8318183: C2: VM may crash after hitting node limit + JDK-8318410: jdk/java/lang/instrument/BootClassPath/ /BootClassPathTest.sh fails on Japanese Windows + JDK-8318468: compiler/tiered/LevelTransitionTest.java fails with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1 + JDK-8318490: Increase timeout for JDK tests that are close to the limit when run with libgraal + JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java + JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni tests + JDK-8318608: Enable parallelism in vmTestbase/nsk/stress/threads tests + JDK-8318689: jtreg is confused when folder name is the same as the test name + JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with 'transport error 202: bind failed: Address already in use' + JDK-8318951: Additional negative value check in JPEG decoding + JDK-8318955: Add ReleaseIntArrayElements in Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to early return + JDK-8318957: Enhance agentlib:jdwp help output by info about allow option + JDK-8318961: increase javacserver connection timeout values and max retry attempts + JDK-8318971: Better Error Handling for Jar Tool When Processing Non-existent Files + JDK-8318983: Fix comment typo in PKCS12Passwd.java + JDK-8319124: Update XML Security for Java to 3.0.3 + JDK-8319213: Compatibility.java reads both stdout and stderr of JdkUtils + JDK-8319436: Proxy.newProxyInstance throws NPE if loader is null and interface not visible from class loader + JDK-8319456: jdk/jfr/event/gc/collection/ /TestGCCauseWith[Serial|Parallel].java : GC cause 'GCLocker Initiated GC' not in the valid causes + JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh + JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21 + JDK-8319961: JvmtiEnvBase doesn't zero _ext_event_callbacks + JDK-8320001: javac crashes while adding type annotations to the return type of a constructor + JDK-8320168: handle setsocktopt return values + JDK-8320208: Update Public Suffix List to b5bf572 + JDK-8320300: Adjust hs_err output in malloc/mmap error cases + JDK-8320363: ppc64 TypeEntries::type_unknown logic looks wrong, missed optimization opportunity + JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly + JDK-8320798: Console read line with zero out should zero out underlying buffer + JDK-8320885: Bump update version for OpenJDK: jdk-17.0.11 + JDK-8320921: GHA: Parallelize hotspot_compiler test jobs + JDK-8320937: support latest VS2022 MSC_VER in abstract_vm_version.cpp + JDK-8321151: JDK-8294427 breaks Windows L&F on all older Windows versions + JDK-8321215: Incorrect x86 instruction encoding for VSIB addressing mode + JDK-8321408: Add Certainly roots R1 and E1 + JDK-8321480: ISO 4217 Amendment 176 Update + JDK-8321599: Data loss in AVX3 Base64 decoding + JDK-8321815: Shenandoah: gc state should be synchronized to java threads only once per safepoint + JDK-8321972: test runtime/Unsafe/InternalErrorTest.java timeout on linux-riscv64 platform + JDK-8322098: os::Linux::print_system_memory_info enhance the THP output with /sys/kernel/mm/transparent_hugepage/hpage_pmd_size + JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces + JDK-8322417: Console read line with zero out should zero out when throwing exception + JDK-8322583: RISC-V: Enable fast class initialization checks + JDK-8322725: (tz) Update Timezone Data to 2023d + JDK-8322750: Test 'api/java_awt/interactive/ /SystemTrayTests.html' failed because A blue ball icon is added outside of the system tray + JDK-8322772: Clean up code after JDK-8322417 + JDK-8322783: prioritize /etc/os-release over /etc/SuSE-release in hs_err/info output + JDK-8322968: [17u] Amend Atomics gtest with 1-byte tests + JDK-8323008: filter out harmful -std* flags added by autoconf from CXX + JDK-8323021: Shenandoah: Encountered reference count always attributed to first worker thread + JDK-8323086: Shenandoah: Heap could be corrupted by oom during evacuation + JDK-8323243: JNI invocation of an abstract instance method corrupts the stack + JDK-8323331: fix typo hpage_pdm_size + JDK-8323428: Shenandoah: Unused memory in regions compacted during a full GC should be mangled + JDK-8323515: Create test alias 'all' for all test roots + JDK-8323637: Capture hotspot replay files in GHA + JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed + JDK-8323806: [17u] VS2017 build fails with warning after 8293117. + JDK-8324184: Windows VS2010 build failed with 'error C2275: 'int64_t'' + JDK-8324280: RISC-V: Incorrect implementation in VM_Version::parse_satp_mode + JDK-8324347: Enable 'maybe-uninitialized' warning for FreeType 2.13.1 + JDK-8324514: ClassLoaderData::print_on should print address of class loader + JDK-8324647: Invalid test group of lib-test after JDK-8323515 + JDK-8324659: GHA: Generic jtreg errors are not reported + JDK-8324937: GHA: Avoid multiple test suites per job + JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/ /AKISerialNumber.java is failing + JDK-8325150: (tz) Update Timezone Data to 2024a + JDK-8325585: Remove no longer necessary calls to set/unset-in-asgct flag in JDK 17 + JDK-8326000: Remove obsolete comments for class sun.security.ssl.SunJSSE + JDK-8327036: [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 + JDK-8327391: Add SipHash attribution file + JDK-8329836: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.11

• Removed the possibility to use the system timezone-java (bsc#1213470).

This update for salt fixes the following issues:

• Convert oscap output to UTF-8
• Make Salt compatible with Python 3.11
• Ignore non-ascii chars in oscap output (bsc#1219001)
• Fix detected issues in Salt tests when running on VMs
• Make importing seco.range thread safe (bsc#1211649)
• Fix problematic tests and allow smooth tests executions on containers
• Discover Ansible playbook files as '*.yml' or '*.yaml' files (bsc#1211888)
• Provide user(salt)/group(salt) capabilities for RPM 4.19
• Extend dependencies for python3-salt-testsuiteand python3-salt packages
• Improve Salt and testsuite packages multibuild
• Enable multibuilld and create test flavor
• Prevent exceptions with fileserver.update when called via state (bsc#1218482)
• Improve pip target override condition with VENV_PIP_TARGET environment variable (bsc#1216850)
• Fixed KeyError in logs when running a state that fails

This update for grafana and mybatis fixes the following issues:
grafana was updated to version 9.5.18:

• Grafana now requires Go 1.20
• Security issues fixed:

• Other non-security related changes:

• `apache-commons-ognl` is now a non-optional dependency
• Fixed building with log4j v1 and v2 dependencies

This update for golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter fixes the following issues:

• update to 1.7.0 (jsc#PED-7893, jsc#PED-7928): * [FEATURE] Add ZFS freebsd per dataset stats #2753 * [FEATURE] Add cpu vulnerabilities reporting from sysfs #2721 * [ENHANCEMENT] Parallelize stat calls in Linux filesystem collector #1772 * [ENHANCEMENT] Add missing linkspeeds to ethtool collector #2711 * [ENHANCEMENT] Add CPU MHz as the value for node_cpu_info metric #2778 * [ENHANCEMENT] Improve qdisc collector performance #2779 * [ENHANCEMENT] Add include and exclude filter for hwmon collector #2699 * [ENHANCEMENT] Optionally fetch ARP stats via rtnetlink instead of procfs #2777 * [BUFFIX] Fix ZFS arcstats on FreeBSD 14.0+ 2754 * [BUGFIX] Fallback to 32-bit stats in netdev #2757 * [BUGFIX] Close btrfs.FS handle after use #2780 * [BUGFIX] Move RO status before error return #2807 * [BUFFIX] Fix promhttp_metric_handler_errors_total being always active #2808 * [BUGFIX] Fix nfsd v4 index miss #2824
• update to 1.6.1: (no source code changes in this release)
• BuildRequire go1.20

• update to 1.6.0: * [CHANGE] Fix cpustat when some cpus are offline #2318 * [CHANGE] Remove metrics of offline CPUs in CPU collector #2605 * [CHANGE] Deprecate ntp collector #2603 * [CHANGE] Remove bcache `cache_readaheads_totals` metrics #2583 * [CHANGE] Deprecate supervisord collector #2685 * [FEATURE] Enable uname collector on NetBSD #2559 * [FEATURE] NetBSD support for the meminfo collector #2570 * [FEATURE] NetBSD support for CPU collector #2626 * [FEATURE] Add FreeBSD collector for netisr subsystem #2668 * [FEATURE] Add softirqs collector #2669 * [ENHANCEMENT] Add suspended as a `node_zfs_zpool_state` #2449 * [ENHANCEMENT] Add administrative state of Linux network interfaces #2515 * [ENHANCEMENT] Log current value of GOMAXPROCS #2537 * [ENHANCEMENT] Add profiler options for perf collector #2542 * [ENHANCEMENT] Allow root path as metrics path #2590 * [ENHANCEMENT] Add cpu frequency governor metrics #2569 * [ENHANCEMENT] Add new landing page #2622 * [ENHANCEMENT] Reduce privileges needed for btrfs device stats #2634 * [ENHANCEMENT] Add ZFS `memory_available_bytes` #2687 * [ENHANCEMENT] Use `SCSI_IDENT_SERIAL` as serial in diskstats #2612 * [ENHANCEMENT] Read missing from netlink netclass attributes from sysfs #2669 * [BUGFIX] perf: fixes for automatically detecting the correct tracefs mountpoints #2553 * [BUGFIX] Fix `thermal_zone` collector noise @2554 * [BUGFIX] Fix a problem fetching the user wire count on FreeBSD 2584 * [BUGFIX] interrupts: Fix fields on linux aarch64 #2631 * [BUGFIX] Remove metrics of offline CPUs in CPU collector #2605 * [BUGFIX] Fix OpenBSD filesystem collector string parsing #2637 * [BUGFIX] Fix bad reporting of `node_cpu_seconds_total` in OpenBSD #2663

• change go_modules archive in _service to use obscpio file

This update for python-cheroot and python-tempora fixes the following issues:

• Use update-alternatives for cheroot and tempora binaries (bsc#1223694)

This update for rpm fixes the following issues:
Security fixes:

• CVE-2021-3521: Fixed missing subkey binding signature checking (bsc#1191175)

• accept more signature subpackets marked as critical (bsc#1218686)
• backport limit support for the autopatch macro (bsc#1189495)

This update for salt fixes the following issues:

• Make 'man' a recommended package instead of required to fix installation issues with SLE Micro

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216)
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233)

• make Net::FTP work with TLS 1.3 (bsc#1213638)

SUSE-CU-2024:1690-1

This update for systemd-rpm-macros fixes the following issues:

• Introduce macro '%service_del_postun_without_restart' to resolve blocking new releases based on this. (bsc#1173034)

This update for systemd-rpm-macros fixes the following issues:

• Backport missing macros of directory paths from upstream + %_environmentdir + %_modulesloaddir + %_modprobedir

• Make sure %_restart_on_update_never and %_stop_on_removal_never don't expand to the empty string. (bsc#1176932) Otherwise sequences like the following code: if [ ... ]; then %_restart_on_update_never fi would result in the following incorrect shell syntax: if [ ... ]; then fi

This update for systemd-rpm-macros fixes the following issues:

• Deprecate '-f'/'-n' options When used with %service_del_preun, support for these options will be dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the next version of SLE (jsc#SLE-8968) When used with %service_del_postun, they should be replaced with their counterpart %service_del_postun_with_restart/%service_del_postun_without_restart
• Introduced %service_del_postun_with_restart() It's the counterpart of %service_del_postun_without_restart() and replaces the '-f' option of %service_del_postun().
• Does no longer apply presets when migrating from a disabled initscript (bsc#1178481)
• Fix importing of %{_unitdir}

This update for systemd-rpm-macros fixes the following issues:

• Bump to version 6

• Make upstream '%systemd_{pre,post,preun,postun}' aliases to their SUSE counterparts. Packagers can now choose to use the upstream or the SUSE variants indifferently. For consistency the SUSE variants should be preferred since almost all SUSE packages already use them but the upstream versions might be usefull in certain cases where packages need to support multiple distros based on RPM.

• Improve the logic used to apply the presets. (bsc#1177039) Before presests were applied at a) package installation b) new units introduced via a package update (but after making sure that it was not a SysV initscript being converted). The problem is that a) didn't handle package a renaming or split properly since the package with the new name is installed rather being updated and therefore the presets were applied even if they were already with the old name. We now cover this case (and the other ones) by applying presets only if the units are new and the services are not being migrated. This regardless of whether this happens during an install or an update.

This update for systemd-rpm-macros fixes the following issues:

• Added a %systemd_user_pre macro (bsc#1183051, bsc#1183012)
• Fixed an issue with %systemd_user_post, where the --global parameter was treated like if it was another service (bsc#1183051, bsc#1182661)

This update for systemd-rpm-macros fixes the following issues:

• Fixed an issue whe zypper ignores the ordering constraints. (bsc#1187332)
• Introduce '%sysusers_create_package': '%sysusers_create' and '%sysusers_create_inline' are now deprecated and the new macro should be used instead.
• %sysusers_create_inline: use here-docs instead of echo (bsc#1186282)

This update for systemd-rpm-macros fixes the following issues:

• Introduce rpm macro %_systemd_util_dir

This update for systemd-rpm-macros fixes the following issues:

• Bump version to 10

• %sysusers_create_inline was wrongly marked as deprecated
• %sysusers_create can be useful in certain cases and won't go away until we'll move to file triggers. So don't mark it as deprecated too

This update for systemd-rpm-macros fixes the following issue:

• Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

This update for systemd-rpm-macros fixes the following issues:

• Adjust functions so they are disabled when called from a chroot (bsc#1211272)

This update for systemd-rpm-macros fixes the following issues:

• Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.

This update of duktape fixes the following issue:

• duktape-devel is shipped to Basesystem module (bsc#1216296).

This update for openblas contains the following fixes:

• Added `libopenblas_pthreads0` to Package Hub SLE-15-SP5 for architecture s390 (no source changes) (bsc#1217608)

This update for duktape fixes the following issues:

• Ship libduktape206-32bit: needed by libproxy since version 0.5.

This update for Java fixes the following issues:
apache-commons-codec was updated to version 1.16.1:

• Changes in version 1.16.1:

• Changes in version 1.16.0:

• Changes in version 1.26:

• Changes in version 1.25:

• Changes in version 1.24:

• Changes in version 1.23:

• Changes in version 1.22:

• Changes in version 2.15.1:

• Changes in version 2.15.0:

• Changes in version 2.14.0:

• Syncing the version with javapackages-tools 6.2.0
• Remove unnecessary dependencies

• Changes in version 3.9.6:

• Explicitely require commons-io:commons-io and commons-codec:common-codes artifacts that are optional in apache-commons-compress

• Changes in version 1.11.1:

• Changes in version 3.3.0:

• Changes from version 3.6.0:

• Changes from version 3.5.0:

• Restore binary compat for MavenReport

• Changes in version 3.2.0:

• Changes in version 1.9.18:

• Changes in version 3.3.1:

• Fixed RPM package build with maven 3.9.6 and maven-resolver 1.9.18

• Modify the xmvn-install script to work with new apache-commons-compress
• Recompiling RPM package to resolve package building issues with maven-lib

This update for system-user-prometheus contains the following fixes:

• Added `system-user-prometheus` to Package Hub SLE-15-SP5 to resolve dependency issue with prometheus (bsc#1218252)

This update for postgresql-jdbc fixes the following issues:

• CVE-2024-1597: Fixed SQL Injection via line comment generation (bsc#1220644).

This update for giflib fixes the following issues:
Update to version 5.2.2

• Fixes for CVE-2023-48161 (bsc#1217390), CVE-2022-28506 (bsc#1198880)
• #138 Documentation for obsolete utilities still installed
• #139: Typo in 'LZW image data' page ('110_2 = 4_10')
• #140: Typo in 'LZW image data' page ('LWZ')
• #141: Typo in 'Bits and bytes' page ('filed')
• Note as already fixed SF issue #143: cannot compile under mingw
• #144: giflib-5.2.1 cannot be build on windows and other platforms using c89
• #145: Remove manual pages installation for binaries that are not installed too
• #146: [PATCH] Limit installed man pages to binaries, move giflib to section 7
• #147 [PATCH] Fixes to doc/whatsinagif/ content
• #148: heap Out of Bound Read in gif2rgb.c:298 DumpScreen2RGB
• Declared no-info on SF issue #150: There is a denial of service vulnerability in GIFLIB 5.2.1
• Declared Won't-fix on SF issue 149: Out of source builds no longer possible
• #151: A heap-buffer-overflow in gif2rgb.c:294:45
• #152: Fix some typos on the html documentation and man pages
• #153: Fix segmentation faults due to non correct checking for args
• #154: Recover the giffilter manual page
• #155: Add gifsponge docs
• #157: An OutofMemory-Exception or Memory Leak in gif2rgb
• #158: There is a null pointer problem in gif2rgb
• #159 A heap-buffer-overflow in GIFLIB5.2.1 DumpScreen2RGB() in gif2rgb.c:298:45
• #163: detected memory leaks in openbsd_reallocarray giflib/openbsd-reallocarray.c
• #164: detected memory leaks in GifMakeMapObject giflib/gifalloc.c
• #166: a read zero page leads segment fault in getarg.c and memory leaks in gif2rgb.c and gifmalloc.c
• #167: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function at Line 321 of gif2rgb.c

This update for tomcat fixes the following issues:

• Added dependencies on tomcat `user` and `group`, required by RPM 4.19 (bsc#1219530)
• Link ecj.jar into the install instead of copying it

This update for cloud-init contains the following fixes:

• Skip tests with empty config.

• Support reboot on package update/upgrade via the cloud-init config. (bsc#1198533, bsc#1218952, jsc#SMO-326)

• Switch build dependency to the generic distribution-release package.

• Move fdupes call back to %install. (bsc#1214169)

This update for aaa_base fixes the following issues:

• Silence the output in the case of broken symlinks (bsc#1218232)

This update for python3 fixes the following issues:

• CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666).
• CVE-2022-48566: Make compare_digest more constant-time (bsc#1214691).

This update for audit fixes the following issue:

• Fix plugin termination when using systemd service units (bsc#1215377)

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for systemd-rpm-macros fixes the following issue:

• Order packages that requires systemd after systemd-sysvcompat if needed. (bsc#1217964)

This update for openblas fixes the following issues:
openblas was updated from version 0.3.21 to version 0.3.25 (jsc#PED-7926, jsc#PED-7927, bsc#1221813):

• Changes in version 0.3.25:

• Changes in version 0.3.24:

• Changes in version 0.3.23:

• Changes in version 0.3.22:

This update for netty, netty-tcnative fixes the following issues:

• CVE-2024-29025: Fixed out of memory due to large number of form fields (bsc#1222045).

This update for rpm fixes the following issues:

• Turn on IMA/EVM file signature support, move the imaevm code that needs the libiamevm library into a plugin, and install this plugin as part of a new 'rpm-imaevmsign' subpackage (jsc#PED-7246).

• Backport signature reserved space handling from upstream.

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for hwdata fixes the following issues:

• Update to 0.380
• Update pci, usb and vendor ids

This update for xfsprogs-scrub fixes the following issues:

• Added missing xfsprogs-scrub to Package Hub for SLE-15-SP5 (bsc#1190495)
• Added missing jctools to Package Hub for SLE-15-SP5 (bsc#1213418)

This update for rpm fixes the following issues:

• remove imaevmsign plugin from rpm-ndb [bsc#1222259]

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

This update for python3 fixes the following issue:

• Fix syslog making default 'ident' from sys.argv (bsc#1222109)

This update for vim fixes the following issues:
Updated to version 9.1.0111, fixes the following security problems

• CVE-2023-48231: Use-After-Free in win_close() (bsc#1217316).
• CVE-2023-48232: Floating point Exception in adjust_plines_for_skipcol() (bsc#1217320).
• CVE-2023-48233: overflow with count for :s command (bsc#1217321).
• CVE-2023-48234: overflow in nv_z_get_count (bsc#1217324).
• CVE-2023-48235: overflow in ex address parsing (CVE-2023-48235).
• CVE-2023-48236: overflow in get_number (bsc#1217329).
• CVE-2023-48237: overflow in shift_line (bsc#1217330).
• CVE-2023-48706: heap-use-after-free in ex_substitute (bsc#1217432).
• CVE-2024-22667: stack-based buffer overflow in did_set_langmap function in map.c (bsc#1219581).
• CVE-2023-4750: Heap use-after-free in function bt_quickfix (bsc#1215005).

This update for systemd-default-settings fixes the following issues:

• Disable pids controller limit under user instances (jsc#SLE-10123)
• Disable controllers by default (jsc#PED-2276)
• The usage of drop-ins is now the official way for configuring systemd and its various daemons on Factory/ALP, hence the early drop-ins SUSE specific 'feature' has been abandoned.
• User priority '26' for SLE-Micro
• Convert more drop-ins into early ones

SUSE-CU-2024:806-1

This update for unzip fixes the following issues:

• CVE-2014-9636: Prevent denial of service (out-of-bounds read or write and crash) via an extra field with an uncompressed size smaller than the compressed field size in a zip archive that advertises STORED method compression (bsc#914442)
• CVE-2018-1000035: Prevent heap-based buffer overflow in the processing of password-protected archives that allowed an attacker to perform a denial of service or to possibly achieve code execution (bsc#1080074)

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This java-11-openjdk update to version jdk-11+24 fixes the following issues:
Security issues fixed:

• CVE-2018-2940: Fix unspecified vulnerability in subcomponent Libraries (bsc#1101645).
• CVE-2018-2952: Fix unspecified vulnerability in subcomponent Concurrency (bsc#1101651).
• CVE-2018-2972: Fix unspecified vulnerability in subcomponent Security (bsc#1101655).
• CVE-2018-2973: Fix unspecified vulnerability in subcomponent JSSE (bsc#1101656).

This update fixes the following issues:
hwdata:

• Update to version 0.314: + Updated pci, usb and vendor ids.

• Channels to be actually un-subscribed from the assigned systems when being removed using spacewalk-remove-channel tool. (bsc#1104120)
• Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388)

This update for java-11-openjdk fixes the following issues:
Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)
Security fixes:

• S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support
• S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses
• S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups
• S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability
• S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability again
• S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks
• S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound
• S8194534, CVE-2018-3136, bsc#1112142: Manifest better support
• S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs updates
• S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection

• S8194546: Choosier FileManagers
• S8195874: Improve jar specification adherence
• S8196897: Improve PRNG support
• S8197881: Better StringBuilder support
• S8201756: Improve cipher inputs
• S8203654: Improve cypher state updates
• S8204497: Better formatting of decimals
• S8200666: Improve LDAP support
• S8199110: Address Internet Addresses

• S8207317: SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
• S8207838: AArch64: Float registers incorrectly restored in JNI call
• S8209637: [s390x] Interpreter doesn't call result handler after native calls
• S8209670: CompilerThread releasing code buffer in destructor is unsafe
• S8209735: Disable avx512 by default
• S8209806: API docs should be updated to refer to javase11
• Report version without the '-internal' postfix

• Don't build against gdk making the accessibility depend on a particular version of gtk.

• S8031761: [TESTBUG] Add a regression test for JDK-8026328
• S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with 'unexpected values of outer fields of the class' when running with -Xcomp
• S8164639: Configure PKCS11 tests to use user-supplied NSS libraries
• S8189667: Desktop#moveToTrash expects incorrect '<>' FilePermission
• S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in -Xcomp
• S8195156: [Graal] serviceability/jvmti/GetModulesInfo/ /JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode
• S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run twice
• S8201394: Update java.se module summary to reflect removal of java.se.ee module
• S8204931: Colors with alpha are painted incorrectly on Linux
• S8204966: [TESTBUG] hotspot/test/compiler/whitebox/ /IsMethodCompilableTest.java test fails with -XX:CompileThreshold=1
• S8205608: Fix 'frames()' in ThreadReferenceImpl.c to prevent quadratic runtime behavior
• S8205687: TimeoutHandler generates huge core files
• S8206176: Remove the temporary tls13VN field
• S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not found
• S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP locale.
• S8207009: TLS 1.3 half-close and synchronization issues
• S8207046: arm32 vm crash: C1 arm32 platform functions parameters type mismatch
• S8207139: NMT is not enabled on Windows 2016/10
• S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
• S8207355: C1 compilation hangs in ComputeLinearScanOrder::compute_dominator
• S8207746: C2: Lucene crashes on AVX512 instruction
• S8207765: HeapMonitorTest.java intermittent failure
• S8207944: java.lang.ClassFormatError: Extra bytes at the end of class file test' possibly violation of JVMS 4.7.1
• S8207948: JDK 11 L10n resource file update msg drop 10
• S8207966: HttpClient response without content-length does not return body
• S8208125: Cannot input text into JOptionPane Text Input Dialog
• S8208164: (str) improve specification of String::lines
• S8208166: Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
• S8208189: ProblemList compiler/graalunit/JttThreadsTest.java
• S8208205: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!'
• S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java
• S8208251: serviceability/jvmti/HeapMonitor/MyPackage/ /HeapMonitorGCCMSTest.java fails intermittently on Linux-X64
• S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java
• S8208347: ProblemList compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java
• S8208353: Upgrade JDK 11 to libpng 1.6.35
• S8208358: update bug ids mentioned in tests
• S8208370: fix typo in ReservedStack tests' @requires
• S8208391: Differentiate response and connect timeouts in HTTP Client API
• S8208466: Fix potential memory leak in harfbuzz shaping.
• S8208496: New Test to verify concurrent behavior of TLS.
• S8208521: ProblemList more tests that fail due to 'Error attaching to process: Can't create thread_db agent!'
• S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard.
• S8208663: JDK 11 L10n resource file update msg drop 20
• S8208676: Missing NULL check and resource leak in NetworkPerformanceInterface::NetworkPerformance::network_utilization
• S8208691: Tighten up jdk.includeInExceptions security property
• S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/ /TestNssDbSqlite.java fails in aarch64 platforms
• S8209029: ProblemList tests that fail due to 'Error attaching to process: Can't create thread_db agent!' in jdk-11+25 testing
• S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java needs a longer timeout
• S8209451: Please change jdk 11 milestone to FCS
• S8209452: VerifyCACerts.java failed with 'At least one cacert test failed'
• S8209506: Add Google Trust Services GlobalSign root certificates
• S8209537: Two security tests failed after JDK-8164639 due to dependency was missed

This update for libxcb provides the following fix:

• Fix some IO errors when using KWin in combination with the NVIDIA driver. (bsc#1101560)

This update for fuse fixes the following issues:

• CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for java-11-openjdk fixes the following issues:
Merge into the JDK following modules from github.com/javaee:

• com.sum.xml.fastinfoset
• org.jvnet.staxex
• com.sun.istack.runtime
• com.sun.xml.txw2
• com.sun.xml.bind

This update for make fixes the following issues:

• Use a non-blocking read with pselect to avoid hangs (bsc#1100504)

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for MozillaFirefox, mozilla-nss and mozilla-nspr fixes the following issues:
Issues fixed in MozillaFirefox:

• Update to Firefox ESR 60.4 (bsc#1119105)
• CVE-2018-17466: Fixed a buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11
• CVE-2018-18492: Fixed a use-after-free with select element
• CVE-2018-18493: Fixed a buffer overflow in accelerated 2D canvas with Skia
• CVE-2018-18494: Fixed a Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs
• CVE-2018-18498: Fixed a integer overflow when calculating buffer sizes for images
• CVE-2018-12405: Fixed a few memory safety bugs

• Update to NSS 3.40.1 (bsc#1119105)
• CVE-2018-12404: Fixed a cache side-channel variant of the Bleichenbacher attack (bsc#1119069)
• CVE-2018-12384: Fixed an issue in the SSL handshake. NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. (bsc#1106873)
• CVE-2018-0495: Fixed a memory-cache side-channel attack with ECDSA signatures (bsc#1097410)
• Fixed a decryption failure during FFDHE key exchange
• Various security fixes in the ASN.1 code

• Update mozilla-nspr to 4.20 (bsc#1119105)

GCC 7 was updated to the GCC 7.4 release.

• Fix AVR configuration to not use __cxa_atexit or libstdc++ headers. Point to /usr/avr/sys-root/include as system header include directory.
• Includes fix for build with ISL 0.20.
• Pulls fix for libcpp lexing bug on ppc64le manifesting during build with gcc8. [bsc#1099119]
• Pulls fix for forcing compile-time tuning even when building with -march=z13 on s390x. [bsc#1099192]
• Fixes support for 32bit ASAN with glibc 2.27+

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for zeromq fixes the following issues:
Security issue fixed:

• CVE-2019-6250: fix a remote execution vulnerability due to pointer arithmetic overflow (bsc#1121717)

This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:
Security issues fixed:

• CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
• CVE-2019-2426: Improve web server connections
• CVE-2018-11212: Improve JPEG processing (bsc#1122299)
• Better route routing
• Better interface enumeration
• Better interface lists
• Improve BigDecimal support
• Improve robot support
• Better icon support
• Choose printer defaults
• Proper allocation handling
• Initial class initialization
• More reliable p11 transactions
• Improve NIO stability
• Better loading of classloader classes
• Strengthen Windows Access Bridge Support
• Improved data set handling
• Improved LSA authentication
• Libsunmscapi improved interactions

• Do not resolve by default the added JavaEE modules (bsc#1120431)
• ~2.5% regression on compression benchmark starting with 12-b11
• java.net.http.HttpClient hangs on 204 reply without Content-length 0
• Add additional TeliaSonera root certificate
• Add more ld preloading related info to hs_error file on Linux
• Add test to exercise server-side client hello processing
• AES encrypt performance regression in jdk11b11
• AIX: ProcessBuilder: Piping between created processes does not work.
• AIX: Some class library files are missing the Classpath exception
• AppCDS crashes for some uses with JRuby
• Automate vtable/itable stub size calculation
• BarrierSetC1::generate_referent_check() confuses register allocator
• Better HTTP Redirection
• Catastrophic size_t underflow in BitMap::*_large methods
• Clip.isRunning() may return true after Clip.stop() was called
• Compiler thread creation should be bounded by available space in memory and Code Cache
• com.sun.net.httpserver.HttpServer returns Content-length header for 204 response code
• Default mask register for avx512 instructions
• Delayed starting of debugging via jcmd
• Disable all DES cipher suites
• Disable anon and NULL cipher suites
• Disable unsupported GCs for Zero
• Epsilon alignment adjustments can overflow max TLAB size
• Epsilon elastic TLAB sizing may cause misalignment
• HotSpot update for vm_version.cpp to recognise updated VS2017
• HttpClient does not retrieve files with large sizes over HTTP/1.1
• IIOException 'tEXt chunk length is not proper' on opening png file
• Improve TLS connection stability again
• InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
• Inspect stack during error reporting
• Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
• Introduce diagnostic flag to abort VM on failed JIT compilation
• Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
• jar has issues with UNC-path arguments for the jar -C parameter [windows]
• java.net.http HTTP client should allow specifying Origin and Referer headers
• java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
• JDK 11.0.1 l10n resource file update
• JDWP Transport Listener: dt_socket thread crash
• JVMTI ResourceExhausted should not be posted in CompilerThread
• LDAPS communication failure with jdk 1.8.0_181
• linux: Poor StrictMath performance due to non-optimized compilation
• Missing synchronization when reading counters for live threads and peak thread count
• NPE in SupportedGroupsExtension
• OpenDataException thrown when constructing CompositeData for StackTraceElement
• Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
• Populate handlers while holding streamHandlerLock
• ppc64: Enable POWER9 CPU detection
• print_location is not reliable enough (printing register info)
• Reconsider default option for ClassPathURLCheck change done in JDK-8195874
• Register to register spill may use AVX 512 move instruction on unsupported platform.
• s390: Use of shift operators not covered by cpp standard
• serviceability/sa/TestUniverse.java#id0 intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
• SIGBUS in CodeHeapState::print_names()
• SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
• Soft reference reclamation race in com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
• Swing apps are slow if displaying from a remote source to many local displays
• switch jtreg to 4.2b13
• Test library OSInfo.getSolarisVersion cannot determine Solaris version
• TestOptionsWithRanges.java is very slow
• TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails intermittently
• The Japanese message of FileNotFoundException garbled
• The 'supported_groups' extension in ServerHellos
• ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
• TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
• TLS 1.2 Support algorithm in SunPKCS11 provider
• TLS 1.3 handshake server name indication is missing on a session resume
• TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
• TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
• tz: Upgrade time-zone data to tzdata2018g
• Undefined behaviour in ADLC
• Update avx512 implementation
• URLStreamHandler initialization race
• UseCompressedOops requirement check fails fails on 32-bit system
• windows: Update OS detection code to recognize Windows Server 2019
• x86: assert on unbound assembler Labels used as branch targets
• x86: jck tests for ldc2_w bytecode fail
• x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
• '-XX:OnOutOfMemoryError' uses fork instead of vfork

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for unzip fixes the following issues:

• CVE-2018-18384: Fixed a buffer overflow when listing archives (bsc#1110194)

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:

• CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for gcc fixes the following issues:

• Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008)

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for hwdata fixes the following issues:
Update to version 0.320 (bsc#1121410):

• Updated the pci, usb and vendor ids vendor and product databases.

This update for samba fixes the following issues:
Security issue fixed:

• CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

• Out of bound read in ldb_wildcard_compare
• Hold at most 10 outstanding paged result cookies
• Put 'results_store' into a doubly linked list
• Refuse to build Samba against a newer minor version of ldb

• Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
• Abide to the load_printers parameter in smb.conf (bsc#1124223).
• Provide the 32bit samba winbind PAM module and its dependend 32bit libraries.

This update for java-11-openjdk to version 11.0.3+7 fixes the following issues:
Security issues fixed:

• CVE-2019-2602: Fixed excessive use of CPU time in the BigDecimal implementation (bsc#1132728).
• CVE-2019-2684: Fixed a flaw in the RMI registry implementation which could lead to selection of an incorrect skeleton class (bsc#1132732).

• Multiple bug fixes and improvements.