Container summary for suse/sles12sp3

SUSE-CU-2022:1396-1

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

SUSE-CU-2022:1329-1

This update for zypper fixes the following issues:

• Improve return codes. (bsc#1198139)
• info: Fix SEGV with not installed PTFs. (bsc#1196317)

This update for openssl fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

SUSE-CU-2022:1295-1

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• Fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• Fixes issue with debug dumping together with -o /dev/null
• Fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

SUSE-CU-2022:1158-1

This update for libxml2 fixes the following issues:

• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
• CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).

SUSE-CU-2022:1088-1

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

SUSE-CU-2022:1053-1

This update for augeas fixes the following issues:

• Fix handling of keywords in new sysctl.conf (bsc#1197443)

This update for systemd syncs internal package requirements, but has otherwise no code or functional changes compared to the last update. (bsc#1199273)

SUSE-CU-2022:1018-1

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
• Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).

This update for gzip fixes the following issues:

• CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

SUSE-CU-2022:1017-1

SUSE-CU-2022:983-1

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

SUSE-CU-2022:920-1

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed Auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

SUSE-CU-2022:681-1

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)

SUSE-CU-2022:634-1

SUSE-CU-2022:633-1

This update for gzip fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for bash fixes the following issues:

• Fix memory leak in array asignment (bsc#1197674)

SUSE-CU-2022:619-1

This update for libsolv, libzypp fixes the following issues:

• fix memory leaks in SWIG generated code
• fix misparsing with libxml2
• try to keep packages from a cycle close togther in the transaction order (bsc#1189622)
• fix split provides not working if the update includes a forbidden vendor change (bsc#1195485)
• fix segfault on conflict resolution when using bindings
• do not replace noarch problem rules with arch dependent one in problem reporting
• fix and simplify pool_vendor2mask implementation
• Hint on ptf resolver conflicts (bsc#1194848)
• Fix package signature check (bsc#184501) Pay attention that header and payload are secured by a valid. signature and report more detailed which signature is missing.
• Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.

SUSE-CU-2022:618-1

SUSE-CU-2022:595-1

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
• systemctl: exit with 1 if no unit files found (bsc#1193841)
• umount: show correct error message
• core/umount: fix unitialized fields in MountPoint in dm_list_get()
• umount: Add more asserts and remove some unused arguments, fix memory leak
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
• sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (bsc#1191399)
• manager: reexecute on SIGRTMIN+25, user instances only
• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
• units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
• Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291)
• Allow systemd sysusers config files to be overriden during system installation (bsc#1171962).
• While at it, add a comment to explain why we don't use %sysusers_create in %pre and why it should be safe in %post.

SUSE-CU-2022:537-1

This update for glibc fixes the following issues:

• CVE-2020-1752: Fix use-after-free in glob when expanding ~user (bsc#1167631)

SUSE-CU-2022:507-1

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)

SUSE-CU-2022:469-1

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

SUSE-CU-2022:440-1

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

SUSE-CU-2022:433-1

This update for pcre fixes the following issue:

• Add devel package to HA channels. (bsc#1196187)

SUSE-CU-2022:322-1

SUSE-CU-2022:321-1

This update for glibc fixes the following issues:

• CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
• CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)

SUSE-CU-2022:278-1

SUSE-CU-2022:277-1

This update for expat fixes the following issues:

• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

This update for openssl fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

SUSE-CU-2022:271-1

This update for suse-build-key fixes the following issues:

• Extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
• Added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
• Extended expiry of SUSE SLES11 key (bsc#1194845)
• Added SUSE Contaner signing key in PEM format for use e.g. by cosign.
• SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
• Removed old security key.

SUSE-CU-2022:243-1

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

SUSE-CU-2022:241-1

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

SUSE-CU-2022:180-1

This update for expat fixes the following issues:

• CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
• CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

This update for coreutils fixes the following issues:

• Remove problematic special leaf optimization cases for XFS that can lead to du crashes. (bsc#1190354)

SUSE-CU-2022:58-1

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

SUSE-CU-2022:1-1

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

SUSE-CU-2021:603-1

This update for bash fixes the following issues:

• Fixed and issue when 'setuid' causing permission denied on 'popen'. (bsc#1192785)

This update for openldap2 fixes the following issues:

• Fix doubly freeing memory in sssvlv overlay (bsc#1193296)

SUSE-CU-2021:578-1

This update for suse-module-tools fixes the following issues:
Update to version 12.6.1: Import kernel scriptlets from kernel-source

• rpm-script: fix bad exit status in OpenQA (bsc#1191922)
• cert-script: Deal with existing $cert.delete file (bsc#1191804).
• cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480).
• cert-script: Only print mokutil output in verbose mode.
• inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200)
• kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
• rpm-script: link config also into /boot (bsc#1189879)
• Import kernel scriptlets from kernel-source. (bsc#1189841, bsc#1190598)
• Provide 'suse-kernel-rpm-scriptlets'

SUSE-CU-2021:550-1

SUSE-CU-2021:549-1

This update for bzip2 fixes the following issues:

• Enables build time tests of bzip2. (bsc#1191648)

SUSE-CU-2021:548-1

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

SUSE-CU-2021:534-1

This optional update for cracklib fixes the following issue:

• Execute the test while building the package. (bsc#1191736)

SUSE-CU-2021:521-1

SUSE-CU-2021:510-1

This update for pam fixes the following issues:

• pam_cracklib: backported code to check whether the password contains a substring of of the user's name of at least characters length in some form from SLE-15. (jsc#SLE-22182)

SUSE-CU-2021:508-1

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
• CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
• CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
• CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
• CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
• CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).

SUSE-CU-2021:483-1

SUSE-CU-2021:456-1

SUSE-CU-2021:451-1

This update for libsolv, libzypp, zypper fixes the following issues:

• Turn on rich dependency handling needed for ptf support. (bsc#1190530)
• Rebuild all caches to make sure rich dependency handling is enabled. (bsc#1190530)
• Fix solver jobs for PTFs. (bsc#1186503)
• Add support for PTFs. (jsc#SLE-17973, jsc#SLE-17974)
• Identify well-known category names for better sorting. (bsc#1179847)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Don't probe for plaindir repo if URL schema is plugin. (bsc#1191286)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)

SUSE-CU-2021:424-1

SUSE-CU-2021:423-1

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

SUSE-CU-2021:420-1

This update for util-linux fixes the following issues:

• CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
• Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
• Do not trim read-only volumes (bsc#1106214).
• libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
• raw.service: Add RemainAfterExit=yes (bsc#1135534).
• agetty: Reload issue only if it is really needed (bsc#1085196)
• agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
• blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
• nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
• Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
• libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
• Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
• Build with libudev support to support non-root users. (bsc#1169006)
• lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)

SUSE-CU-2021:413-1

SUSE-CU-2021:394-1

SUSE-CU-2021:389-1

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories.
Changes done in GCC11 are documented on:
https://gcc.gnu.org/gcc-11/changes.html
This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler.
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

SUSE-CU-2021:375-1

This update for glibc fixes the following issues:
Security issues fixed:

• CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
• CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

• Avoid concurrency problem in ldconfig (bsc#1117993)

SUSE-CU-2021:373-1

SUSE-CU-2021:365-1

SUSE-CU-2021:357-1

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in SUSE Linux Enterprise 12 and older. (bsc#1190858)

SUSE-CU-2021:346-1

This update for openssl fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

SUSE-CU-2021:294-1

This update for openssl fixes the following security issue:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for bzip2 fixes the following issues:

• Disable a optimization that caused crashes with libarchive due to uninitialized memory. (bsc#1188891)
• Fixed bashisms in bzgrep and bznew

This update for cracklib fixes the following issue:

• Provide 'cracklib-dict-small' to SUSE Linux Enterprise Server 12-SP5 (bsc#1188698)

This update for file fixes the following issues:

• CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).

This update for zypper fixes the following issues:

• Fix for man: point out more clearly that patches update affected packages to the latest available version. (bsc#1187466)

SUSE-CU-2021:285-1

This update for cpio fixes the following issues:

• A patch previously applied to remedy CVE-2021-38185 introduced a regression that had the potential to cause a segmentation fault in cpio. [bsc#1189465]

SUSE-CU-2021:284-1

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

SUSE-CU-2021:276-1

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015).

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for libsolv fixes the following issues:
Security issues fixed:

• CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
• CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)

• backport support for blacklisted packages to support ptf packages and retracted patches
• fix ruleinfo of complex dependencies returning the wrong origin
• fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
• fix add_complex_recommends() selecting conflicted packages in rare cases
• fix potential segfault in resolve_jobrules
• fix solv_zchunk decoding error if large chunks are used

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for systemd fixes the following issues:
Security issues fixed:

• CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)

• mount-util: shorten the loop a bit (#7545)
• mount-util: do not use the official MAX_HANDLE_SZ (#7523)
• mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
• mount-util: fix bad indenting
• mount-util: EOVERFLOW might have other causes than buffer size issues
• mount-util: fix error propagation in fd_fdinfo_mnt_id()
• mount-util: drop exponential buffer growing in name_to_handle_at_loop()
• udev: port udev_has_devtmpfs() to use path_get_mnt_id()
• mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
• mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
• mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
• basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
• sysusers: use the usual comment style
• test/TEST-21-SYSUSERS: add tests for new functionality
• sysusers: allow admin/runtime overrides to command-line config
• basic/strv: add function to insert items at position
• sysusers: allow the shell to be specified
• sysusers: move various user credential validity checks to src/basic/
• man: reformat table in sysusers.d(5)
• sysusers: take configuration as positional arguments
• sysusers: emit a bit more info at debug level when locking fails
• sysusers: allow force reusing existing user/group IDs (#8037)
• sysusers: ensure GID in uid:gid syntax exists
• sysusers: make ADD_GROUP always create a group
• test: add TEST-21-SYSUSERS test
• sysuser: use OrderedHashmap
• sysusers: allow uid:gid in sysusers.conf files
• sysusers: fix memleak (#4430)
• These commits implement the option '--replace' for systemd-sysusers so %sysusers_create_package can be introduced in SLE and packages can rely on this rpm macro without wondering whether the macro is available on the different target the package is submitted to.
• Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
• systemctl: add --value option
• execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
• rlimit-util: introduce setrlimit_closest_all()
• system-conf: drop reference to ShutdownWatchdogUsec=
• core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
• Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
• rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
• write_net_rules: set execute bits (bsc#1178561)
• udev: rework network device renaming
• Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''

This update for dbus-1 fixes the following issues:

• CVE-2020-35512: Fixed a bug where users with the same numeric UID could lead to use-after-free and undefined behaviour. (bsc#1187105)
• CVE-2020-12049: Fixed a bug where a truncated messages lead to resource exhaustion. (bsc#1172505)

SUSE-CU-2021:224-1

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)
• Fixed build failure in SLE-12 due to bogus 'rpmlint'. (bsc#1185337)

SUSE-CU-2021:198-1

This update for curl fixes the following issues:

• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).

SUSE-CU-2021:171-1

This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

SUSE-CU-2021:148-1

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a bug where the 'tailf' command destroyed the terminal/console settings (bsc1177369)

SUSE-CU-2021:132-1

This update for apparmor fixes the following issues:

• Enable access to sssd fast cache for nameservice users. (bsc#1183599)

SUSE-CU-2021:124-1

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).

SUSE-CU-2021:121-1

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs'. (bsc#1184690, bsc#1184434)

SUSE-CU-2021:110-1

This update for systemd fixes the following issues:

• Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083)
• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.
• Fixed a memory leak in systemctl daemon-reload (bsc#1180020)
• Fixed a crash in systemd-journald upon activation of persistent journal (bsc#1179824)
• Fixed an error when building systemd systemd-mini, caused by a change in systemd-rpm-macros (bsc#1183094)
• Fixed a race condition at device creation and sound.target dependencies (bsc#1179363)
• Fixed an issue, where Restart=on-abort was not respected based on the exit status of the main process (bsc#1183790)
• Created a /dev/disk/by-label symlink for LUKS2 to be able to label crypto devices properly (bsc#1180885)
• When /etc/localtime is missing, timezone UTC will be assumed (bsc#1141597)
• Fix edge case when processing /proc/self/mountinfo (bsc#1180596)
• Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083)

SUSE-CU-2021:94-1

This update for pam fixes the following issue:

• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

This update for sg3_utils fixes the following issues:

• Fixed wrong device ID for devices using NAA extended format (bsc#1116107)

This update for openssl fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for libzypp, zypper fixes the following issues:
Changes in zypper:

• Fix typo in `list-patches` help. (bsc#1178925)

• Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
• Remove from the logs the credentials available from the authorization header. (bsc#1174215) The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log.

This update for curl fixes the following issues:

• CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
• CVE-2020-8231: Fixed an issue with trusting FTP PASV responses (bsc#1175109).

This update for curl fixes the following issue:

• CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
• CVE-2020-8284: Adjust trusting FTP PASV responses (bsc#1179398).

This update for cyrus-sasl fixes the following issues:

• CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for openldap2 fixes the following issues:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

This update for file fixes the following issues:

• Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

This update for openssl fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for apparmor fixes the following issues:

• Add abstraction/base fix to apparmor-profile. (bsc#1181728)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

SUSE-CU-2020:690-1

This update for systemd fixes the following issues:

• Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
• Fixed a buffer overflow in systemd ask-password (bsc#1177510)
• Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513)
• Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

• cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)

SUSE-CU-2020:685-1

This update for krb5 fixes the following security issue:

• CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

SUSE-CU-2020:679-1

This update for zypper fixes the following issues:

• Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038)
• Fixed a typo in man page (bsc#1169947)

SUSE-CU-2020:673-1

This update for openldap2 fixes the following issues:

• CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

SUSE-CU-2020:669-1

This update for gcc10 fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

SUSE-CU-2020:668-1

This update for cloud-regionsrv-client fixes the following issues:

• Introduce containerbuild-regionsrv service to allow container building tools to access required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475)

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

SUSE-CU-2020:582-1

This update for glibc fixes the following issues:

• CVE-2020-10029: Fixed a stack corruption from range reduction of pseudo-zero (bsc#1165784)
• Use posix_spawn on popen (bsc#1149332, bsc#1176013)
• Correct locking and cancellation cleanup in syslog functions (bsc#1172085)
• Fixed concurrent changes on nscd aware files (bsc#1171878)

SUSE-CU-2020:557-1

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

SUSE-CU-2020:548-1

This update for suse-build-key fixes the following issues:

• This update extends the suse build key (bsc#1176759)
• The SUSE container key is different from the build key. (PM-1845 bsc#1170347)

This update for libproxy fixes the following issues:

• CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
• CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

SUSE-CU-2020:507-1

This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

This update for systemd fixes the following issues:

• Fixes some file mode inconsistencies for some ghost files (bsc#1173227)
• Fixes an issue where the system could hang on reboot (bsc#1169488)

SUSE-CU-2020:489-1

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
• Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).

SUSE-CU-2020:438-1

This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:

• AddTrust External CA Root
• AddTrust Class 1 CA Root
• LuxTrust Global Root 2
• Staat der Nederlanden Root CA - G2
• Symantec Class 1 Public Primary Certification Authority - G4
• Symantec Class 2 Public Primary Certification Authority - G4
• VeriSign Class 3 Public Primary Certification Authority - G3

• certSIGN Root CA G2
• e-Szigno Root CA 2017
• Microsoft ECC Root Certificate Authority 2017
• Microsoft RSA Root Certificate Authority 2017

This update for procps fixes the following issues:

• Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

SUSE-CU-2020:430-1

This update of pam fixes the following issue:

• On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593)

SUSE-CU-2020:412-1

This update for openldap2 fixes the following issues:

• Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)

SUSE-CU-2020:397-1

This update for grep fixes the following issues:

• Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)

SUSE-CU-2020:384-1

This update for grep fixes the following issues:
Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)

SUSE-CU-2020:359-1

This update for systemd fixes the following issues:

• CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
• Renamed the persistent link for ATA devices (bsc#1164538)
• shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
• tmpfiles: removed unnecessary assert (bsc#1171145)
• pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
• manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
• coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
• udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
• libblkid: open device in nonblock mode. (bsc#1084671)
• udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
• Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).

SUSE-CU-2020:356-1

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

SUSE-CU-2020:347-1

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
• Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

This update for audit fixes the following issues:

• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
• Fix hang on startup. (bsc#1156159)

SUSE-CU-2020:193-1

This update for adns fixes the following issues:

• CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265).
• CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265).
• CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
• CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

SUSE-CU-2020:184-1

SUSE-CU-2020:174-1

This update for coreutils fixes the following issues:
-Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

SUSE-CU-2020:159-1

This update for openldap2 fixes the following issues:

• CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

SUSE-CU-2020:155-1

This update for openldap2 fixes the following issue:

• The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)

This update for libgcrypt fixes the following issues:

• FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

SUSE-CU-2020:104-1

This update for p11-kit fixes the following issues:

• tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. (bsc#1165915 bsc#1165919)

This update for pam fixes the following issues:

• Moved pam_userdb to a separate package pam-extra (bsc#1166510)

SUSE-CU-2020:89-1

This update for ca-certificates-mozilla fixes the following issues:
This reverts a previous change to the generated pem structure, as it require a p11-kit tools update installed first, which can not always ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

This update for suse-build-key fixes the following issues:

• created a new security_at_suse.de key for email communication (bsc#1166334)

SUSE-CU-2020:80-1

This update for ca-certificates-mozilla fixes the following issues:
The following non-security bugs were fixed:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:

• Certplus Class 2 Primary CA
• Deutsche Telekom Root CA 2
• CN=Swisscom Root CA 2
• UTN-USERFirst-Client Authentication and Email

• Entrust Root Certification Authority - G4

• Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
• Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
• Use %license instead of %doc (bsc#1082318).
• Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

SUSE-CU-2020:76-1

This update for cyrus-sasl fixes the following issues:

• Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
• Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)

SUSE-CU-2020:71-1

This update for elfutils fixes the following issues:

• Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
• Fix for '.ko' file corruption in debug info. (bsc#1110929)

SUSE-CU-2020:68-1

This update for permissions fixes the following issues:
Security issues fixed:

• CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

• Fixed a regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594).
• Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

SUSE-CU-2020:64-1

This update for openssl fixes the following issues:
Security issue fixed:

• CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

• Fixed a crash in BN_copy (bsc#1160163).

SUSE-CU-2020:61-1

This update for p11-kit fixes the following issues:

• Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)

SUSE-CU-2020:57-1

This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set.

For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants.
Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

SUSE-CU-2020:47-1

This update for systemd fixes the following issues:

• CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

• Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
• Fix warnings thrown during package installation. (bsc#1154043)
• Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
• Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
• Wait for workers to finish when exiting. (bsc#1106383)
• Improve log message when inotify limit is reached. (bsc#1155574)
• Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
• Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)

SUSE-CU-2020:17-1

This update for libgcrypt fixes the following issues:

• Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
• Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)

SUSE-CU-2020:9-1

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

This update for libzypp fixes the following issues:
Security issue fixed:

• CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

SUSE-CU-2019:694-1

This update for elfutils fixes the following issues:

• Add require of 'libebl1' for 'libelf1'. (bsc#1151577)

This update for ncurses fixes the following issues:

• Work around a bug of old upstream gen-pkgconfig (bsc#1159162)
• Remove doubled library path options (bsc#1159162)
• Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
• Fix last change, that is add missed library linker paths as well as missed include directories for none standard paths (bsc#1158586, bsc#1159162)
• Do not mix include directories of different ncurses ABI (bsc#1158586)

SUSE-CU-2019:693-1

This update for permissions fixes the following issues:

• CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
• CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
• Fixed a regression which caused segmentation fault (bsc#1157198).

SUSE-CU-2019:692-1

This update for update-alternatives fixes the following issues:

• Fix post install scripts: test if there is actual file before calling update-alternatives. (bsc#1154043)

SUSE-CU-2019:691-1

This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect all CVEs that have been fixed over the past.

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
• CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

• Fixed ppc64le build configuration (bsc#1134550).

SUSE-CU-2019:690-1

This update for cpio fixes the following issues:

• CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

SUSE-CU-2019:689-1

This update for procps provides the following fixes:

• Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
• Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)

SUSE-CU-2019:688-1

This update for libseccomp fixes the following issues:
Update to new upstream release 2.4.1:

• Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

• Update the syscall table for Linux v5.0-rc5
• Added support for the SCMP_ACT_KILL_PROCESS action
• Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
• Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
• Added support for the parisc and parisc64 architectures
• Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
• Return -EDOM on an endian mismatch when adding an architecture to a filter
• Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
• Fix PFC generation when a syscall is prioritized, but no rule exists
• Numerous fixes to the seccomp-bpf filter generation code
• Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
• Numerous tests added to the included test suite, coverage now at ~92%
• Update our Travis CI configuration to use Ubuntu 16.04
• Numerous documentation fixes and updates

• Updated the syscall table for Linux v4.15-rc7

• Achieved full compliance with the CII Best Practices program
• Added Travis CI builds to the GitHub repository
• Added code coverage reporting with the '--enable-code-coverage' configure flag and added Coveralls to the GitHub repository
• Updated the syscall tables to match Linux v4.10-rc6+
• Support for building with Python v3.x
• Allow rules with the -1 syscall if the SCMP\_FLTATR\_API\_TSKIP attribute is set to true
• Several small documentation fixes

• ignore make check error for ppc64/ppc64le, bypass bsc#1142614

SUSE-CU-2019:687-1

This update for libssh2_org fixes the following issue:

• CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862).

SUSE-CU-2019:686-1

This update for systemd fixes the following issues:

• sd-bus: deal with cookie overruns (bsc#1150595)
• rules: Add by-id symlinks for persistent memory (bsc#1140631)
• Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948)

SUSE-CU-2019:685-1

This update for apparmor provides the following fix:

• Change pathname in logprof.conf and use check_qualifiers() in autodep to make sure apparmor does not generate profiles for programs marked as not having their own profiles. (bsc#1139870)

SUSE-CU-2019:684-1

This update for dbus-1 fixes the following issues: Security issue fixed:

• CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).

SUSE-CU-2019:683-1

This update for zypper and libzypp fixes the following issues:
Package: zypper

• Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
• Rephrased the file conflicts check summary (bsc#1140039)
• Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)

• Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
• Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
• Fixes a file descriptor leak in the media backend (bsc#1116995)

SUSE-CU-2019:682-1

SUSE-CU-2019:681-1

SUSE-CU-2019:680-1

SUSE-CU-2019:679-1

This update for libdb-4_8 fixes the following issues:

• A DB_CONFIG file in the current working directory allowed local users to obtain sensitive information via a symlink attack involving a setgid or setuid application using libdb-4_8. (bsc#1043886)

This update for xz does only update the license:

• Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709)

This update for permissions fixes the following issues:

• Updated permissons for amanda (bsc#1110797)

This update for sg3_utils provides the following fixes:

• Fix regression for page 0xa. (bsc#1119296)
• Add pre/post scripts for lunmask.service. (bsc#954600)
• Will now generate by-path links for fibrechannel. (bsc#1005063)
• Fixes a syntax error for rule 59-fc-wwpn-id.rules. (bsc#1133418)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
• CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
• CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
• CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685).
• CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
• CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090).
• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
• CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
• CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).

This update for e2fsprogs fixes the following issues:

• Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)

• Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)

• Check and fix tails of all bitmaps. (bsc#1128383)

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for pam fixes the following issues:

• restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)

This update for libxml2 fixes the following issues:
Issue fixed:

• Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for glibc fixes the following issues:
Security issues fixed:

• CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
• CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

• Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).

This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

• Fixes a bug where locking the kernel was not possible (bsc#1113296)

• Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
• Improved the displaying of locks (bsc#1112911)
• Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
• zypper will now always warn when no repositories are defined (bsc#1109893)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for suse-module-tools to version 12.6 fixes the following issues:

• weak-modules2: emit 'inconsistent' warning only if replacement fails (bsc#1127155)
• modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989, bsc#1131635)
• Fix driver-check.sh (bsc#1123697, bsc#1123704)
• modsign-verify: support for parsing PKCS#7 signatures (bsc#1111300, bsc#1105495)

This update for pam fixes the following issues:

• Enable pam_userdb.so (SLE-7257,bsc#1136298)
• Upgraded pam_userdb to 1.3.1. (bsc#1136298)

This update for libssh2_org fixes the following issues:

• Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481) (Out-of-bounds reads with specially crafted SFTP packets)

This update for ca-certificates-mozilla fixes the following issues:

• Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

• Removed Root CAs:

• Added root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth)

This update for perl fixes the following issues:
Security issue fixed:

• CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).

This update for systemd fixes the following issues:

• Fixes an issue where the Kernel took very long to unmount a user's runtime directory (bsc#1104902)
• udevd: changed the default value of udev.children-max (again) (bsc#1107617)

This update for krb5 fixes the following issues:

• Fix missing responder if there is no pre-auth; (bsc#1139942)
• Load mechglue config files from /etc/gss/mech.d; (bsc#1140914, jsc#SLE-7081)
• Fix impersonate_name to work with interposers; (bsc#1140914, jsc#SLE-7081)

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2019-13565: Fixed ssf memory reuse that leads to incorrect authorization of another connection, granting excess connection rights (ssf) (bsc#1143194).
• CVE-2019-13057: Fixed rootDN of a backend that may proxyauth incorrectly to another backend, violating multi-tenant isolation (bsc#1143273).

This update for openssl fixes the following issues:
OpenSSL Security Advisory [10 September 2019]

• CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance (bsc#1150003).
• CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250).

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)

This update for gpg2 fixes the following issues:
Security issue fixed:

• CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

• Allow coredumps in X11 desktop sessions (bsc#1124847).

This update for libgcrypt fixes the following issues:
Security issues fixed:

• CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)

SUSE-CU-2019:678-1

SUSE-CU-2019:677-1

This update for libssh2_org fixes the following issues:
- Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]

This update for glibc fixes the following issues:

• Add support for the new Japanese time era name that comes into effect on 2019-05-01. [bsc#1100396, bsc#1103244]

This update for libidn fixes the following issues:

• Obsoletes now the libidn 32bit package (bsc#1092034)

This update for openssl fixes the following issues:

• Reject invalid EC point coordinates (bsc#1131291)

This update for audit fixes the following issues:
Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346)

• Many features were added to auparse_normalize
• cli option added to auditd and audispd for setting config dir
• In auditd, restore the umask after creating a log file
• Option added to auditd for skipping email verification

• Change openldap dependency to client only (bsc#1085003)

• CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)

This update for sysvinit fixes the following issues:

• Handle various optional fields of /proc//mountinfo on the entry/ies before the hyphen (bsc#1131982)

This update for systemd fixes the following issues:
Security issues fixed:

• CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
• CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
• CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).

• systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
• udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
• sd-bus: bump message queue size again (bsc#1132721)
• core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
• rules: load drivers only on 'add' events (bsc#1126056)
• sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
• Do not automatically online memory on s390x (bsc#1127557)

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).

This update for libtasn1 fixes the following issues:
Security issues fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
• CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).

This update for kmod fixes the following issues:

• Fixes a potential buffer overflow in libkmod (bsc#1118629).

SUSE-CU-2019:676-1

This update for sg3_utils fixes the following issues:

• rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).

SUSE-CU-2019:675-1

SUSE-CU-2019:674-1

This update for kmod fixes the following issues:

• Fix module dependency file corruption on parallel invocation (bsc#1118629).

This update for curl fixes the following issues:
Security issues fixed:

• CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
• CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
• CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

This update for pam-config fixes the following issues:

• Adds support for more pam_cracklib options. (bsc#1114835)

This update for systemd fixes the following issues:
Security vulnerability fixed:

• CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352)

• journal-remote: set a limit on the number of fields in a message
• journal-remote: verify entry length from header
• journald: set a limit on the number of fields (1k)
• journald: do not store the iovec entry for process commandline on stack
• core: include Found state in device dumps
• device: fix serialization and deserialization of DeviceFound
• fix path in btrfs rule (#6844)
• assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
• Update systemd-system.conf.xml (bsc#1122000)
• units: inform user that the default target is started after exiting from rescue or emergency mode
• manager: don't skip sigchld handler for main and control pid for services (#3738)
• core: Add helper functions unit_{main, control}_pid
• manager: Fixing a debug printf formatting mistake (#3640)
• manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
• core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
• sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
• unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
• core: when restarting services, don't close fds
• cryptsetup: Add dependency on loopback setup to generated units
• journal-gateway: use localStorage['cursor'] only when it has valid value
• journal-gateway: explicitly declare local variables
• analyze: actually select longest activated-time of services
• sd-bus: fix implicit downcast of bitfield reported by LGTM
• core: free lines after reading them (bsc#1123892)
• pam_systemd: reword message about not creating a session (bsc#1111498)
• pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
• main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
• sd-bus: if we receive an invalid dbus message, ignore and proceeed
• automount: don't pass non-blocking pipe to kernel.
• units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
• units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)

This update for libsemanage provides the following fix:

• Prevent an error message when reading module version if the directory does not exist. (bsc#1115500)

This update for procps fixes the following security issues:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

This update for apparmor fixes the following issues:

• Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)

This update for libssh2_org fixes the following issues:
Security issues fixed:

• CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
• CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
• CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
• CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493).
• CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472).
• CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480).
• CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471).
• CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476).
• CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474).

• Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).

This update for krb5 fixes the following issues:

• Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481).

This update for openssl fixes the following issues:
Security issues fixed:

• The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
• CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

• Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
• Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).

This update for bash fixes the following issues: Security issue fixed:

• CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360).
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

SUSE-CU-2019:673-1

This update for krb5 fixes the following issues:
Security issue fixed:

• CVE-2018-20217: Fixed an assertion issue with older encryption types (bsc#1120489)

This update for systemd provides the following fixes:
Security issues fixed:

• CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
• CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
• Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

• core: Queue loading transient units after setting their properties. (bsc#1115518)
• logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
• terminal-util: introduce vt_release() and vt_restore() helpers.
• terminal: Unify code for resetting kbd utf8 mode a bit.
• terminal Reset should honour default_utf8 kernel setting.
• logind: Make session_restore_vt() static.
• udev: Downgrade message when settting inotify watch up fails. (bsc#1005023)
• log: Never log into foreign fd #2 in PID 1 or its pre-execve() children. (bsc#1114981)
• udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696)

This update for ncurses fixes the following issues:

• ncurses applications freezing (bsc#1121450)

This update for ca-certificates-mozilla fixes the following issues:
The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)
Removed Root CAs:

• AC Raiz Certicamara S.A.
• Certplus Root CA G1
• Certplus Root CA G2
• OpenTrust Root CA G1
• OpenTrust Root CA G2
• OpenTrust Root CA G3
• Visa eCommerce Root

• Certigna Root CA (email and server auth)
• GTS Root R1 (server auth)
• GTS Root R2 (server auth)
• GTS Root R3 (server auth)
• GTS Root R4 (server auth)
• OISTE WISeKey Global Root GC CA (email and server auth)
• UCA Extended Validation Root (server auth)
• UCA Global G2 Root (email and server auth)

SUSE-CU-2019:672-1

This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg.

file was updated to fix one security issue.
This security issue was fixed:

• Out-of-bounds read in elf note headers (CVE-2014-3710).

• Correctly identify GDBM files created by libgdbm4 (bnc#888308).

This cpio security update fixes the following buffer overflow issue and two non security issues:

• fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
• prevent cpio from extracting over a symlink (bnc#658010)
• fix a truncation check in mt

This libksba update fixes the following security issue:

• bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

This file update fixes the following security issues:

• bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
• bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

This update fixes the following security issues - CVE-2014-8150: URL request injection vulnerability (bnc#911363) - CVE-2014-3707: duphandle read out of bounds (bnc#901924)

The system root SSL certificates were updated to match Mozilla NSS 2.2.
Some removed/disabled 1024 bit certificates were temporarily reenabled/readded, as openssl and gnutls have a different handling of intermediates than mozilla nss and would otherwise not recognize SSL certificates from commonly used sites like Amazon.
Updated to 2.2 (bnc#888534)

• The following CAs were added: + COMODO_RSA_Certification_Authority codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R4 codeSigning emailProtection serverAuth + GlobalSign_ECC_Root_CA_-_R5 codeSigning emailProtection serverAuth + USERTrust_ECC_Certification_Authority codeSigning emailProtection serverAuth + USERTrust_RSA_Certification_Authority codeSigning emailProtection serverAuth + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
• The following CAs were changed: + Equifax_Secure_eBusiness_CA_1 remote code signing and https trust, leave email trust + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2 only trust emailProtection
• Updated to 2.1 (bnc#888534)
• The following 1024-bit CA certificates were removed - Entrust.net Secure Server Certification Authority - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority - TDC Internet Root CA
• The following CA certificates were added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3
• The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado

This rpm update fixes the following security and non-security issues:

• bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
• bnc#906803: Create files with mode 0 (CVE-2013-6435)
• bnc#892431: Honor --noglob in install mode
• bnc#911228: Fix noglob patch, it broke files with space.

This update for e2fsprogs fixes a 'use after free' issue in fsck(8).