Container summary for sles12/openldap

SUSE-CU-2019:496-1

This update for suse-module-tools to version 12.6 fixes the following issues:

• weak-modules2: emit 'inconsistent' warning only if replacement fails (bsc#1127155)
• modprobe.conf.common: add csiostor->cxgb4 dependency (bsc#1100989, bsc#1131635)
• Fix driver-check.sh (bsc#1123697, bsc#1123704)
• modsign-verify: support for parsing PKCS#7 signatures (bsc#1111300, bsc#1105495)

SUSE-CU-2019:495-1

This update for libxml2 fixes the following issues:
Issue fixed:

• Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for glibc fixes the following issues:
Security issues fixed:

• CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
• CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

• Added cfi information for start routines in order to stop unwinding on S390 (bsc#1128574).

This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

• Fixes a bug where locking the kernel was not possible (bsc#1113296)

• Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
• Improved the displaying of locks (bsc#1112911)
• Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
• zypper will now always warn when no repositories are defined (bsc#1109893)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for openslp fixes the following issues:

• Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
• Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136)

SUSE-CU-2019:494-1

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for pam fixes the following issues:

• restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)

SUSE-CU-2019:493-1

This update for xz does only update the license:

• Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709)

This update for permissions fixes the following issues:

• Updated permissons for amanda (bsc#1110797)

This update for sg3_utils provides the following fixes:

• Fix regression for page 0xa. (bsc#1119296)
• Add pre/post scripts for lunmask.service. (bsc#954600)
• Will now generate by-path links for fibrechannel. (bsc#1005063)
• Fixes a syntax error for rule 59-fc-wwpn-id.rules. (bsc#1133418)

This update for binutils fixes the following issues:

• Add support for new IBM zSeries z13 instructions. (fate#327074, jsc#SLE-6206, bsc#1137271)

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
• CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
• CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
• CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685).
• CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
• CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090).
• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
• CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
• CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).

This update for e2fsprogs fixes the following issues:

• Revert 'mke2fs: prevent creation of unmountable ext4 with large flex_bg count'. (bsc#1135261)

• Place metadata blocks in the last flex_bg so they are contiguous. (bsc#1135261)

• Check and fix tails of all bitmaps. (bsc#1128383)

This update for libssh2_org fixes the following issues:

• Fix the previous fix for CVE-2019-3860 (bsc#1136570, bsc#1128481) (Out-of-bounds reads with specially crafted SFTP packets)

SUSE-CU-2019:492-1

SUSE-CU-2019:491-1

SUSE-CU-2019:490-1

SUSE-CU-2019:489-1

This update for sysvinit fixes the following issues:

• Handle various optional fields of /proc//mountinfo on the entry/ies before the hyphen (bsc#1131982)

This update for systemd fixes the following issues:
Security issues fixed:

• CVE-2018-6954: Fixed a vulnerability in the symlink handling of systemd-tmpfiles which allowed a local user to obtain ownership of arbitrary files (bsc#1080919).
• CVE-2019-3842: Fixed a vulnerability in pam_systemd which allowed a local user to escalate privileges (bsc#1132348).
• CVE-2019-6454: Fixed a denial of service caused by long dbus messages (bsc#1125352).

• systemd-coredump: generate a stack trace of all core dumps (jsc#SLE-5933)
• udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
• sd-bus: bump message queue size again (bsc#1132721)
• core: only watch processes when it's really necessary (bsc#955942 bsc#1128657)
• rules: load drivers only on 'add' events (bsc#1126056)
• sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
• Do not automatically online memory on s390x (bsc#1127557)

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2019-5436: Fixed a heap buffer overflow exists in tftp_receive_packet that receives data from a TFTP server (bsc#1135170).

This update for libtasn1 fixes the following issues:
Security issues fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
• CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).

This update for kmod fixes the following issues:

• Fixes a potential buffer overflow in libkmod (bsc#1118629).

SUSE-CU-2019:488-1

This update for openssl fixes the following issues:

• Reject invalid EC point coordinates (bsc#1131291)

This update for audit fixes the following issues:
Audit on SUSE Linux Enterprise 12 SP3 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346)

• Many features were added to auparse_normalize
• cli option added to auditd and audispd for setting config dir
• In auditd, restore the umask after creating a log file
• Option added to auditd for skipping email verification

• Change openldap dependency to client only (bsc#1085003)

• CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)

SUSE-CU-2019:487-1

This update for libssh2_org fixes the following issues:
- Incorrect upstream fix for CVE-2019-3859 broke public key authentication [bsc#1133528, bsc#1130103]

This update for glibc fixes the following issues:

• Add support for the new Japanese time era name that comes into effect on 2019-05-01. [bsc#1100396, bsc#1103244]

This update for libidn fixes the following issues:

• Obsoletes now the libidn 32bit package (bsc#1092034)

SUSE-CU-2019:486-1

This update for sg3_utils fixes the following issues:

• rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2018-16839: Fixed a buffer overflow in the SASL authentication code (bsc#1112758).

SUSE-CU-2019:485-1

SUSE-CU-2019:484-1

SUSE-CU-2019:483-1

This update for libssh2_org fixes the following issues:
Security issues fixed:

• CVE-2019-3861: Fixed Out-of-bounds reads with specially crafted SSH packets (bsc#1128490).
• CVE-2019-3862: Fixed Out-of-bounds memory comparison with specially crafted message channel request packet (bsc#1128492).
• CVE-2019-3860: Fixed Out-of-bounds reads with specially crafted SFTP packets (bsc#1128481).
• CVE-2019-3863: Fixed an Integer overflow in user authenticate keyboard interactive which could allow out-of-bounds writes with specially crafted keyboard responses (bsc#1128493).
• CVE-2019-3856: Fixed a potential Integer overflow in keyboard interactive handling which could allow out-of-bounds write with specially crafted payload (bsc#1128472).
• CVE-2019-3859: Fixed Out-of-bounds reads with specially crafted payloads due to unchecked use of _libssh2_packet_require and _libssh2_packet_requirev (bsc#1128480).
• CVE-2019-3855: Fixed a potential Integer overflow in transport read which could allow out-of-bounds write with specially crafted payload (bsc#1128471).
• CVE-2019-3858: Fixed a potential zero-byte allocation which could lead to an out-of-bounds read with a specially crafted SFTP packet (bsc#1128476).
• CVE-2019-3857: Fixed a potential Integer overflow which could lead to zero-byte allocation and out-of-bounds with specially crafted message channel request SSH packet (bsc#1128474).

• Libbssh2 will stop using keys unsupported types in the known_hosts file (bsc#1091236).

This update for krb5 fixes the following issues:

• Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism. (bsc#1087481).

This update for openssl fixes the following issues:
Security issues fixed:

• The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
• CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

• Fixed IV handling in SHAEXT paths: aes/asm/aesni-sha*-x86_64.pl (bsc#1113975).
• Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).

This update for bash fixes the following issues: Security issue fixed:

• CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360).
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

SUSE-CU-2019:482-1

This update for systemd fixes the following issues:
Security vulnerability fixed:

• CVE-2019-6454: Fixed a crash of PID1 by sending specially crafted D-BUS message on the system bus by an unprivileged user (bsc#1125352)

• journal-remote: set a limit on the number of fields in a message
• journal-remote: verify entry length from header
• journald: set a limit on the number of fields (1k)
• journald: do not store the iovec entry for process commandline on stack
• core: include Found state in device dumps
• device: fix serialization and deserialization of DeviceFound
• fix path in btrfs rule (#6844)
• assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
• Update systemd-system.conf.xml (bsc#1122000)
• units: inform user that the default target is started after exiting from rescue or emergency mode
• manager: don't skip sigchld handler for main and control pid for services (#3738)
• core: Add helper functions unit_{main, control}_pid
• manager: Fixing a debug printf formatting mistake (#3640)
• manager: Only invoke a single sigchld per unit within a cleanup cycle (bsc#1117382)
• core: update invoke_sigchld_event() to handle NULL ->sigchld_event()
• sd-event: expose the event loop iteration counter via sd_event_get_iteration() (#3631)
• unit: rework a bit how we keep the service fdstore from being destroyed during service restart (bsc#1122344)
• core: when restarting services, don't close fds
• cryptsetup: Add dependency on loopback setup to generated units
• journal-gateway: use localStorage['cursor'] only when it has valid value
• journal-gateway: explicitly declare local variables
• analyze: actually select longest activated-time of services
• sd-bus: fix implicit downcast of bitfield reported by LGTM
• core: free lines after reading them (bsc#1123892)
• pam_systemd: reword message about not creating a session (bsc#1111498)
• pam_systemd: suppress LOG_DEBUG log messages if debugging is off (bsc#1111498)
• main: improve RLIMIT_NOFILE handling (#5795) (bsc#1120658)
• sd-bus: if we receive an invalid dbus message, ignore and proceeed
• automount: don't pass non-blocking pipe to kernel.
• units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
• units: add Wants=initrd-cleanup.service to initrd-switch-root.target (#4345) (bsc#1123333)

This update for libsemanage provides the following fix:

• Prevent an error message when reading module version if the directory does not exist. (bsc#1115500)

This update for procps fixes the following security issues:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

This update for apparmor fixes the following issues:

• Fix erroneously generated audit records: include status* files in dnsmasq. (bsc#1112300)

SUSE-CU-2019:481-1

This update for curl fixes the following issues:
Security issues fixed:

• CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
• CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
• CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).

This update for pam-config fixes the following issues:

• Adds support for more pam_cracklib options. (bsc#1114835)

SUSE-CU-2019:480-1

This update for dirmngr fixes a segmentation fault at start up. (bnc#901845)

This update for gcc48 fixes a performance degradation issue caused by generation of unneeded code whe using option -pg.

file was updated to fix one security issue.
This security issue was fixed:

• Out-of-bounds read in elf note headers (CVE-2014-3710).

• Correctly identify GDBM files created by libgdbm4 (bnc#888308).

This cpio security update fixes the following buffer overflow issue and two non security issues:

• fix an OOB write with cpio -i (bnc#907456) (CVE-2014-9112)
• prevent cpio from extracting over a symlink (bnc#658010)
• fix a truncation check in mt

This libksba update fixes the following security issue:

• bnc#907074: buffer overflow in OID processing (CVE-2014-9087)

This file update fixes the following security issues:

• bsc#910252: multiple denial of service issues (resource consumption) (CVE-2014-8116)
• bsc#910253: denial of service issue (resource consumption) (CVE-2014-8117)

This update fixes the following security issues - CVE-2014-8150: URL request injection vulnerability (bnc#911363) - CVE-2014-3707: duphandle read out of bounds (bnc#901924)

This rpm update fixes the following security and non-security issues:

• bnc#908128: Check for bad invalid name sizes (CVE-2014-8118)
• bnc#906803: Create files with mode 0 (CVE-2013-6435)
• bnc#892431: Honor --noglob in install mode
• bnc#911228: Fix noglob patch, it broke files with space.

This update for e2fsprogs fixes a 'use after free' issue in fsck(8).

This binutils update fixes the following security issues:

• bnc#902676: lack of range checking leading to controlled write in _bfd_elf_setup_sections() (CVE-2014-8485)
• bnc#902677: invalid read flaw in libbfd (CVE-2014-8484)
• bnc#903655: Multiple memory corruption issues in binary parsers of libbfd (CVE-2014-8501, CVE-2014-8502, CVE-2014-8503, CVE-2014-8504)
• bnc#905735: Out-of-bounds memory write while processing a crafted 'ar' archive (CVE-2014-8738)
• bnc#905736: Directory traversal vulnerability allowing random file deletion/creation (CVE-2014-8737)

elfutils was updated to fix one security issue.
This security issue was fixed:

• Directory traversal vulnerability in the read_long_names function (CVE-2014-9447).

curl was updated to fix problems when operating in FIPS mode.
This patch reenables following methods:

• NTLM authentication (e.g. for proxies) (allowing its usage of MD4 and MD5)
• HTTP Digest authentication (allowing its usage of MD5)

This update for pam fixes updating of NIS passwords.

This update for openslp provides the following fixes:

• Fix storage handling in predicate code. It clashed with gcc's fortify_source extension and this could cause a segmentation fault.
• Bring back allowDoubleEqualInPredicate option.

The ssh client library libssh2_org was updated to fix a security issue.
CVE-2015-1782: A malicious server could send a crafted SSH_MSG_KEXINIT packet, that could lead to a buffer overread and to a crash of the libssh2_org using application.

This update for procps provides the following fixes:

• Add description of pgrep's --list-full parameter to usage instructions (--help). (bsc#901202)
• Fix handling of arguments to -s option in free(1). (bsc#908516)
• Correct package name in descriptions: procps, not props.

curl was updated to fix five security issues.
The following vulnerabilities were fixed:

• CVE-2015-3143: curl could re-use NTML authenticateds connections
• CVE-2015-3144: curl could access memory out of bounds with zero length host names
• CVE-2015-3145: curl cookie parser could access memory out of boundary
• CVE-2015-3148: curl could treat Negotiate as not connection-oriented
• CVE-2015-3153: curl could have sent sensitive HTTP headers also to proxies

This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements.
libgcrypt now uses ciphertext blinding for Elgamal decryption (CVE-2014-3591)
FIPS 140-2 related changes:

• The library performs its self-tests when the module is complete (the -hmac file is also installed).

• Added a NIST 800-90a compliant DRBG.

• Change DSA key generation to be FIPS 186-4 compliant.

• Change RSA key generation to be FIPS 186-4 compliant.

• Enable HW support in fips mode (bnc#896435)

• Make DSA selftest use 2048 bit keys (bnc#898003)

• Added ECDSA selftests and add support for it to the CAVS testing framework (bnc#896202)

• Various CAVS testing improvements.

Two security issues were fixed in e2fsprogs:
Security issues fixed:

• CVE-2015-0247: Various heap overflows were fixed in e2fsprogs (fsck, dumpe2fs, e2image...).
• CVE-2015-1572: Fixed a potential buffer overflow in closefs() (bsc#918346 )

The system compiler gcc48 was updated to the GCC 4.8.5 release, fixing a lot of bugs and bringing some improvements.
It includes various bug fixes found by our customers:

• Fixes bogus integer overflow in constant expression. [bnc#934689]
• Fixes ICE with atomics on aarch64. [bnc#930176]
• Includes fix for -imacros bug. [bnc#917169]
• Includes fix for incorrect -Warray-bounds warnings. [bnc#919274]
• Includes updated -mhotpatch for s390x. [bnc#924525]
• Includes fix for ppc64le issue with doubleword vector extract. [bnc#924687]
• Includes patches to allow building against ISL 0.14.
• Backport rework of the memory allocator for C++ exceptions used in OOM situations. [bnc#889990]
• Fix a reload issue on S390 (GCC PR66306).
• Avoid accessing invalid memory when passing aggregates by value. [bnc#922534]

This update contains the release of the new SUSE Linux Enterprise Toolchain module.
Its major feature is the GNU Compiler Collection 5.2, please see https://gcc.gnu.org/gcc-5/changes.html for important changes.
This update also includes a version update of binutils to 2.25 release branch to provide features and bugfixes.
Following features have been added to binutils:

• IBM zSeries z13 hardware support (fate#318036, bnc#936050).
• various IBM Power8 improvements (fate#318238, bnc#926412).
• AVX512 support on the Intel EM64T platform (fate#318520).

This update fixes the following issues:
Security:

• Fixed data-dependent timing variations in modular exponentiation [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks are Practical] (bsc#920057)

• don't drop privileges when locking secure memory (bsc#938343)

This update for sed fixes the behavior of --follow-symlinks when reading from the standard input (stdin).
The behavior of 'sed --follow-symlinks -' is now identical to 'sed -'. In both cases, sed will read from the standard input and no longer from a file named '-'.

This update for grep fixes undefined behaviour with -P and non-utf-8 data.

ARM64 (aarch64) binaries produced by binutils 2.25 gold linker had incorrect (4k) section alignment. As a result, those binaries could not be mapped when being executed on a SLE 12 kernel.
This update adjusts the section alignment to 64k, as required by the ABI.

The gpg2 package was updated to fix the following security and non security issues:

• CVE-2015-1606: Fixed invalid memory read using a garbled keyring (bsc#918089).
• CVE-2015-1607: Fixed memcpy with overlapping ranges (bsc#918090).

• bsc#955753: Fixed a regression of 'gpg --recv' due to keyserver import filter (also boo#952347).

The libksba package was updated to fix the following security issues:

• Fixed an integer overflow, an out of bounds read and a stack overflow issues (bsc#926826).

This update for acl provides the following fixes:

• Fix segmentation fault of getfacl -e on overly long group name.
• Make sure that acl_from_text() always sets errno when it fails.
• Fix memory and resource leaks in getfacl.

This update for gcr, gnome-keyring, libgcrypt, libsecret fixes issues when the system operates in FIPS mode.
The various GNOME libraries and tool have been changed to use the default libgcrypt allocators.
GNOME keyring was changed not to use MD5 anymore.
libgcrypt was adjusted to free the DRBG on exit to avoid crashes.

This update for curl fixes the following issues:

• CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

• bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

• bsc#962996: Expired cookie in test 46 caused test failures
• bsc#934333: Curl test suite was not run, is now enabled during build

This update for OpenSLP adjusts slpd's initialization to use SystemD's forking mechanism, avoiding stale PID files after the daemon is stopped.

This update for insserv-compat fixes the name of the ntpd service.

This update for libssh2_org fixes the following issues:
Security issue fixed:

• CVE-2016-0787 (bsc#967026): Weakness in diffie-hellman secret key generation lead to much shorter DH groups then needed, which could be used to retrieve server keys.

• Support of SHA256 digests for DH group exchanges was added (fate#320343, bsc#961964)

• Properly detect EVP_aes_128_ctr at configure time (bsc#933336)

This update for libcap adds two new capabilities (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND) which are available in Linux Kernel 3.12.

This update for libgcrypt fixes a crash in GPG key generation when operating in FIPS mode. (bsc#970882)

The GNU Compiler Collection was updated to version 5.3.1, which brings several fixes and enhancements.
The following security issue has been fixed:

• Fix C++11 std::random_device short read issue that could lead to predictable randomness. (CVE-2015-5276, bsc#945842)

• Enable frame pointer for TARGET_64BIT_MS_ABI when stack is misaligned. Fixes internal compiler error when building Wine. (bsc#966220)
• Fix a PowerPC specific issue in gcc-go that broke compilation of newer versions of Docker. (bsc#964468)
• Fix HTM built-ins on PowerPC. (bsc#955382)
• Fix libgo certificate lookup. (bsc#953831)
• Suppress deprecated-declarations warnings for inline definitions of deprecated virtual methods. (bsc#939460)
• Build s390[x] with '--with-tune=z9-109 --with-arch=z900' on SLE11 again. (bsc#954002)
• Revert accidental libffi ABI breakage on aarch64. (bsc#968771)
• On x86_64, set default 32bit code generation to -march=x86-64 rather than -march=i586.
• Add experimental File System TS library.

libgcrypt was updated to fix one security issue.
This security issue was fixed:

• CVE-2015-7511: Side-channel attack on ECDH with Weierstrass curves (bsc#965902).

This update for bzip2 fixes the following issues:

• Fix bzgrep wrapper that always returns 0 as exit code when working on multiple archives, even when the pattern is not found.

This update for libssh2_org fixes a regression introduced by a previous update which could result in a segmentation fault in EVP_DigestInit_Ex().

This update for curl fixes the following issue:

• Fix 'Network is unreachable' error when ipv6 is not available but ipv4. This fixes the same error in applications using libcurl4 (like zypper). (bsc#915846)

This update for libgcrypt fixes the following issue:

• Fix failing reboot after installing fips pattern (bsc#979629)

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2016-0718: Fix Expat XML parser that mishandles certain kinds of malformed input documents. (bsc#979441)
• CVE-2015-1283: Fix multiple integer overflows. (bnc#980391)

This update for libksba fixes the following issues:

• CVE-2016-4579: Out-of-bounds read in _ksba_ber_parse_tl()
• CVE-2016-4574: two OOB read access bugs (remote DoS) (bsc#979261)

This update for procps fixes the following issues:

• Improve pmap(1) to be compatible with kernel 4.4. (bsc#981616)

This update for findutils fixes the following issues:

• find -exec + would not pass all arguments for certain specific filename lengths (bsc#986935)

This update for kmod fixes libkmod to handle very long lines in /proc/modules.

GNU Binutils was updated to version 2.26.1, which brings several fixes and enhancements:

• Add -mrelax-relocations on x86 but keep it disabled on old products.
• Add --fix-stm32l4xx-629360 to the ARM linker to enable a link-time workaround for a bug in the bus matrix / memory controller for some of the STM32 Cortex-M4 based products (STM32L4xx).
• Add a configure option --enable-compressed-debug-sections={all,ld} to decide whether DWARF debug sections should be compressed by default.
• Add support for the ARC EM/HS, and ARC600/700 architectures.
• Experimental support for linker garbage collection (--gc-sections) has been enabled for COFF and PE based targets.
• New command line option for ELF targets to compress DWARF debug sections, --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi].
• New command line option, --orphan-handling=[place|warn|error|discard], to adjust how orphan sections are handled. The default is 'place' which gives the current behavior, 'warn' and 'error' issue a warning or error respectively when orphan sections are found, and 'discard' will discard all orphan sections.
• Add support for LLVM plugin.
• Add --print-memory-usage option to report memory blocks usage.
• Add --require-defined option, it's like --undefined except the new symbol must be defined by the end of the link.
• Add a configure option --enable-compressed-debug-sections={all,gas} to decide whether DWARF debug sections should be compressed by default.
• Add support for the ARC EM/HS, and ARC600/700 architectures. Remove assembler support for Argonaut RISC architectures.
• Add option to objcopy to insert new symbols into a file: --add-symbol =[
  :][,]
• Add support for the ARC EM/HS, and ARC600/700 architectures.
• Extend objcopy --compress-debug-sections option to support --compress-debug-sections=[none|zlib|zlib-gnu|zlib-gabi] for ELF targets.
• Add --update-section option to objcopy.
• Add --output-separator option to strings.
• Fix internal error when applying TLSDESC relocations with no TLS segment
• Fix wrong insn type for troo insn.
• Change default common-page-size to 64K on aarch64.

This update for rpm provides the following fixes:

• Add is_opensuse and leap_version macros to suse_macros. (bsc#940315)
• Add option to make postinstall scriptlet errors fatal. (bsc#967728)
• Normalize big blocksizes to 4096 bytes. (bsc#894610, bsc#829717, bsc#965322)
• Fix updating of sources/patches when recursing because of a BuildArch. (bsc#953532)

This update for libidn fixes the following issues:

• CVE-2016-6262 and CVE-2015-8948: Out-of-bounds-read when reading one zero byte as input (bsc#990189)

• CVE-2016-6261: Out-of-bounds stack read in idna_to_ascii_4i (bsc#990190)

• CVE-2016-6263: stringprep_utf8_nfkc_normalize reject invalid UTF-8 (bsc#990191)

• CVE-2015-2059: out-of-bounds read with stringprep on invalid UTF-8 (bsc#923241)

This update for cracklib fixes the following issues:

• Add patch to fix a buffer overflow in GECOS parser (bsc#992966 CVE-2016-6318)

This update for Perl fixes the following issues:

• CVE-2016-6185: Xsloader looking at a '(eval)' directory. (bsc#988311)
• CVE-2016-1238: Searching current directory for optional modules. (bsc#987887)
• CVE-2015-8853: Regular expression engine hanging on bad utf8. (bsc)
• CVE-2016-2381: Environment dup handling bug. (bsc#967082)
• 'Insecure dependency in require' error in taint mode. (bsc#984906)
• Memory leak in 'use utf8' handling. (bsc#928292)
• Missing lock prototype to the debugger. (bsc#932894)

This update ships the GNU Compiler Collection (GCC) in version 6.2.
This update is shipped in two parts:

• SUSE Linux Enterprise Server 12 and Desktop:

• SUSE Linux Enterprise 12 Toolchain Module:

• The default mode for C++ is now -std=gnu++14 instead of -std=gnu++98.

• UndefinedBehaviorSanitizer gained a new sanitization option, -fsanitize=bounds-strict, which enables strict checking of array bounds. In particular, it enables -fsanitize=bounds as well as instrumentation of flexible array member-like arrays.
• Type-based alias analysis now disambiguates accesses to different pointers. This improves precision of the alias oracle by about 20-30% on higher-level C++ programs. Programs doing invalid type punning of pointer types may now need -fno-strict-aliasing to work correctly.
• Alias analysis now correctly supports weakref and alias attributes. This makes it possible to access both a variable and its alias in one translation unit which is common with link-time optimization.
• Value range propagation now assumes that the this pointer of C++ member functions is non-null. This eliminates common null pointer checks but also breaks some non-conforming code-bases (such as Qt-5, Chromium, KDevelop). As a temporary work-around -fno-delete-null-pointer-checks can be used. Wrong code can be identified by using -fsanitize=undefined.
• Various Link-time optimization improvements.
• Inter-procedural optimization improvements: - Basic jump threading is now performed before profile construction and inline analysis, resulting in more realistic size and time estimates that drive the heuristics of the of inliner and function cloning passes. - Function cloning now more aggressively eliminates unused function parameters.
• Compared to GCC 5, the GCC 6 release series includes a much improved implementation of the OpenACC 2.0a specification.

• Version 4.5 of the OpenMP specification is now supported in the C and C++ compilers.
• Source locations for the C and C++ compilers are now tracked as ranges, rather than just points, making it easier to identify the subexpression of interest within a complicated expression. In addition, there is now initial support for precise diagnostic locations within strings,
• Diagnostics can now contain 'fix-it hints', which are displayed in context underneath the relevant source code.
• The C and C++ compilers now offer suggestions for misspelled field names.
• New command-line options have been added for the C and C++ compilers: - -Wshift-negative-value warns about left shifting a negative value. - -Wshift-overflow warns about left shift overflows. This warning is enabled by default. -Wshift-overflow=2 also warns about left-shifting 1 into the sign bit. - -Wtautological-compare warns if a self-comparison always evaluates to true or false. This warning is enabled by -Wall. - -Wnull-dereference warns if the compiler detects paths that trigger erroneous or undefined behavior due to dereferencing a null pointer. This option is only active when -fdelete-null-pointer-checks is active, which is enabled by optimizations in most targets. The precision of the warnings depends on the optimization options used. - -Wduplicated-cond warns about duplicated conditions in an if-else-if chain. - -Wmisleading-indentation warns about places where the indentation of the code gives a misleading idea of the block structure of the code to a human reader. This warning is enabled by -Wall.
• The C and C++ compilers now emit saner error messages if merge-conflict markers are present in a source file.

• It is possible to disable warnings when an initialized field of a structure or a union with side effects is being overridden when using designated initializers via a new warning option -Woverride-init-side-effects.
• A new type attribute scalar_storage_order applying to structures and unions has been introduced. It specifies the storage order (aka endianness) in memory of scalar fields in structures or unions.

• The default mode has been changed to -std=gnu++14.
• C++ Concepts are now supported when compiling with -fconcepts.
• -flifetime-dse is more aggressive in dead-store elimination in situations where a memory store to a location precedes a constructor to that memory location.
• G++ now supports C++17 fold expressions, u8 character literals, extended static_assert, and nested namespace definitions.
• G++ now allows constant evaluation for all non-type template arguments.
• G++ now supports C++ Transactional Memory when compiling with -fgnu-tm.

• Extensions to the C++ Library to support mathematical special functions (ISO/IEC 29124:2010), thanks to Edward Smith-Rowland.
• Experimental support for C++17.
• An experimental implementation of the File System TS.
• Experimental support for most features of the second version of the Library Fundamentals TS. This includes polymorphic memory resources and array support in shared_ptr, thanks to Fan You.
• Some assertions checked by Debug Mode can now also be enabled by _GLIBCXX_ASSERTIONS. The subset of checks enabled by the new macro have less run-time overhead than the full _GLIBCXX_DEBUG checks and don't affect the library ABI, so can be enabled per-translation unit.

• Fortran 2008 SUBMODULE support.
• Fortran 2015 EVENT_TYPE, EVENT_POST, EVENT_WAIT, and EVENT_QUERY support.
• Improved support for Fortran 2003 deferred-length character variables.
• Improved support for OpenMP and OpenACC.
• The MATMUL intrinsic is now inlined for straightforward cases if front-end optimization is active. The maximum size for inlining can be set to n with the -finline-matmul-limit=n option and turned off with -finline-matmul-limit=0.
• The -Wconversion-extra option will warn about REAL constants which have excess precision for their kind.
• The -Winteger-division option has been added, which warns about divisions of integer constants which are truncated. This option is included in -Wall by default.

• AArch64 received a lot of improvements.

• GCC now supports the Intel CPU named Skylake with AVX-512 extensions through -march=skylake-avx512. The switch enables the following ISA extensions: AVX-512F, AVX512VL, AVX-512CD, AVX-512BW, AVX-512DQ.
• Support for new AMD instructions monitorx and mwaitx has been added. This includes new intrinsic and built-in support. It is enabled through option -mmwaitx. The instructions monitorx and mwaitx implement the same functionality as the old monitor and mwait instructions. In addition mwaitx adds a configurable timer. The timer value is received as third argument and stored in register %ebx.
• x86-64 targets now allow stack realignment from a word-aligned stack pointer using the command-line option -mstackrealign or __attribute__ ((force_align_arg_pointer)). This allows functions compiled with a vector-aligned stack to be invoked from objects that keep only word-alignment.
• Support for address spaces __seg_fs, __seg_gs, and __seg_tls. These can be used to access data via the %fs and %gs segments without having to resort to inline assembly.
• Support for AMD Zen (family 17h) processors is now available through the -march=znver1 and -mtune=znver1 options.

• PowerPC64 now supports IEEE 128-bit floating-point using the __float128 data type. In GCC 6, this is not enabled by default, but you can enable it with -mfloat128. The IEEE 128-bit floating-point support requires the use of the VSX instruction set. IEEE 128-bit floating-point values are passed and returned as a single vector value. The software emulator for IEEE 128-bit floating-point support is only built on PowerPC GNU/Linux systems where the default CPU is at least power7. On future ISA 3.0 systems (POWER 9 and later), you will be able to use the -mfloat128-hardware option to use the ISA 3.0 instructions that support IEEE 128-bit floating-point. An additional type (__ibm128) has been added to refer to the IBM extended double type that normally implements long double. This will allow for a future transition to implementing long double with IEEE 128-bit floating-point.
• Basic support has been added for POWER9 hardware that will use the recently published OpenPOWER ISA 3.0 instructions. The following new switches are available: - -mcpu=power9: Implement all of the ISA 3.0 instructions supported by the compiler. - -mtune=power9: In the future, apply tuning for POWER9 systems. Currently, POWER8 tunings are used. - -mmodulo: Generate code using the ISA 3.0 integer instructions (modulus, count trailing zeros, array index support, integer multiply/add). - -mpower9-fusion: Generate code to suitably fuse instruction sequences for a POWER9 system. - -mpower9-dform: Generate code to use the new D-form (register+offset) memory instructions for the vector registers. - -mpower9-vector: Generate code using the new ISA 3.0 vector (VSX or Altivec) instructions. - -mpower9-minmax: Reserved for future development. - -mtoc-fusion: Keep TOC entries together to provide more fusion opportunities.
• New constraints have been added to support IEEE 128-bit floating-point and ISA 3.0 instructions.
• Support has been added for __builtin_cpu_is() and __builtin_cpu_supports(), allowing for very fast access to AT_PLATFORM, AT_HWCAP, and AT_HWCAP2 values. This requires use of glibc 2.23 or later.
• All hardware transactional memory builtins now correctly behave as memory barriers. Programmers can use #ifdef __TM_FENCE__ to determine whether their 'old' compiler treats the builtins as barriers.
• Split-stack support has been added for gccgo on PowerPC64 for both big- and little-endian (but not for 32-bit). The gold linker from at least binutils 2.25.1 must be available in the PATH when configuring and building gccgo to enable split stack. (The requirement for binutils 2.25.1 applies to PowerPC64 only.) The split-stack feature allows a small initial stack size to be allocated for each goroutine, which increases as needed.
• GCC on PowerPC now supports the standard lround function.
• The 'q', 'S', 'T', and 't' asm-constraints have been removed.
• The 'b', 'B', 'm', 'M', and 'W' format modifiers have been removed.

• Support for the IBM z13 processor has been added. When using the -march=z13 option, the compiler will generate code making use of the new instructions and registers introduced with the vector extension facility. The -mtune=z13 option enables z13 specific instruction scheduling without making use of new instructions.
• Compiling code with -march=z13 reduces the default alignment of vector types bigger than 8 bytes to 8. This is an ABI change and care must be taken when linking modules compiled with different arch levels which interchange variables containing vector type values. For newly compiled code the GNU linker will emit a warning.
• The -mzvector option enables a C/C++ language extension. This extension provides a new keyword vector which can be used to define vector type variables. (Note: This is not available when enforcing strict standard compliance e.g. with -std=c99. Either enable GNU extensions with e.g. -std=gnu99 or use __vector instead of vector.)
• Additionally a set of overloaded builtins is provided which is partially compatible to the PowerPC Altivec builtins. In order to make use of these builtins the vecintrin.h header file needs to be included.
• The new command line options -march=native, and -mtune=native are now available on native IBM z Systems. Specifying these options will cause GCC to auto-detect the host CPU and rewrite these options to the optimal setting for that system. If GCC is unable to detect the host CPU these options have no effect.
• The IBM z Systems port now supports target attributes and pragmas. Please refer to the documentation for details of available attributes and pragmas as well as usage instructions.
• -fsplit-stack is now supported as part of the IBM z Systems port. This feature requires a recent gold linker to be used.
• Support for the g5 and g6 -march=/-mtune= CPU level switches has been deprecated and will be removed in a future GCC release. -m31 from now on defaults to -march=z900 if not specified otherwise. -march=native on a g5/g6 machine will default to -march=z900.

This update for curl fixes the following issues:
Security issues fixed:

• CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
• CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
• CVE-2016-5421: use of connection struct after free (bsc#991391)
• CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

• fixing a performance issue (bsc#991746)

This update for libgcrypt fixes the following issues:
- RNG prediction vulnerability (bsc#994157, CVE-2016-6313)

Various packages included vulnerable parsers generated by 'flex'.
This update provides a fixed 'flex' package and also rebuilds of packages that might have security issues caused by the auto generated code.
Flex itself was updated to fix a buffer overflow in the generated scanner (bsc#990856, CVE-2016-6354)
Packages that were rebuilt with the fixed flex:

• at
• bogofilter
• cyrus-imapd
• kdelibs4
• libQtWebKit4
• libbonobo
• mdbtools
• netpbm
• openslp
• sgmltool
• virtuoso

• CVE-2015-8079: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode (bsc#954210).

This update for openslp fixes two security issues and two bugs.
The following vulnerabilities were fixed:

• CVE-2016-4912: A remote attacker could have crashed the server with a large number of packages (bsc#980722)
• CVE-2016-7567: A remote attacker could cause a memory corruption having unspecified impact (bsc#1001600)

• bsc#994989: Removed convenience code as changes bytes in the message buffer breaking the verification code
• bsc#974655: Removed no longer needed slpd init file

This update for curl fixes the following security issues:

• CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)
• CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)
• CVE-2016-8622: URL unescape heap overflow via integer truncation (bsc#1005643)
• CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)
• CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)
• CVE-2016-8619: double-free in krb5 code (bsc#1005638)
• CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)
• CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)
• CVE-2016-8616: case insensitive password comparison (bsc#1005634)
• CVE-2016-8615: cookie injection for other servers (bsc#1005633)
• CVE-2016-7167: escape and unescape integer overflows (bsc#998760)

This update for shadow fixes the following issues:

• Set file modes according to the permissions package and don't attempt to manipulate them in %files section. (bsc#1002975)

This update for sg3_utils provides the following fixes:

• Adjust 55-scsi-sg3_id.rules to correctly handle VPD page 0x80. This issue could prevent some IBM Power systems from booting after installation. (bsc#1006469)
• Fix 55-scsi_sg3_id.rules to skip sg_inq on recent kernels. (bsc#979436)
• In some circumstances, the rescan-scsi-bus.sh script failed to identify new LUNs that have been added to the server. (bsc#958369)

This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed:

• CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
• CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
• CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
• CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
• CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
• bsc#942865: heap overflow in compile_regex()
• CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
• CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
• bsc#957598: Various security issues
• CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
• CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
• CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
• CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
• CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
• CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
• CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
• CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
• CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
• CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
• CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
• CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
• CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
• CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
• CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
• CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
• CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
• CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

• JIT compiler improvements
• performance improvements
• The Unicode data tables have been updated to Unicode 7.0.0.

This update for systemd provides the following fixes:

• Allow to redirect confirmation messages to a different console. (bsc#1006690)
• Do not bind a mount unit to a device, if it was from mountinfo. (bsc#989831)
• Decrease systemd-nspawn's non-fatal mount errors to debug level. (bsc#1004289)
• Don't emit space usage message right after opening the persistent journal. (bsc#991443)
• Change owner of /var/log/journal/remote and create /var/lib/systemd/journal-upload. (bsc#1006372)
• Document that *KeyIgnoreInhibited only apply to a subset of locks.
• Revert 'logind: really handle *KeyIgnoreInhibited options in logind.conf'. (bsc#1001790, bsc#1005404)
• Revert 'kbd-model-map: add more mappings offered by Yast'.
• Don't busy loop when we get a notification message we can't process.
• Rename kbd-model-map-extra into kbd-model-map.legacy.
• Add kbd-model-map-extra file which contains the additional maps needed by YaST.
• Drop localfs.service: unused and not needed anymore.

This update for pcre to version 8.39 (bsc#972127) fixes several issues.
If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.
This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed:

• CVE-2014-8964: Heap-based buffer overflow in PCRE allowed remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats (bsc#906574).
• CVE-2015-2325: Heap buffer overflow in compile_branch() (bsc#924960).
• CVE-2015-3210: Heap buffer overflow in pcre_compile2() / compile_regex() (bsc#933288)
• CVE-2015-3217: PCRE Library Call Stack Overflow Vulnerability in match() (bsc#933878).
• CVE-2015-5073: Library Heap Overflow Vulnerability in find_fixedlength() (bsc#936227).
• bsc#942865: heap overflow in compile_regex()
• CVE-2015-8380: The pcre_exec function in pcre_exec.c mishandled a // pattern with a \01 string, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957566).
• CVE-2015-2327: PCRE mishandled certain patterns with internal recursive back references, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror (bsc#957567).
• bsc#957598: Various security issues
• CVE-2015-8381: Heap Overflow in compile_regex() (bsc#957598).
• CVE-2015-8382: Regular Expression Uninitialized Pointer Information Disclosure Vulnerability (ZDI-CAN-2547)(bsc#957598).
• CVE-2015-8383: Buffer overflow caused by repeated conditional group(bsc#957598).
• CVE-2015-8384: Buffer overflow caused by recursive back reference by name within certain group(bsc#957598).
• CVE-2015-8385: Buffer overflow caused by forward reference by name to certain group(bsc#957598).
• CVE-2015-8386: Buffer overflow caused by lookbehind assertion(bsc#957598).
• CVE-2015-8387: Integer overflow in subroutine calls(bsc#957598).
• CVE-2015-8388: Buffer overflow caused by certain patterns with an unmatched closing parenthesis(bsc#957598).
• CVE-2015-8389: Infinite recursion in JIT compiler when processing certain patterns(bsc#957598).
• CVE-2015-8390: Reading from uninitialized memory when processing certain patterns(bsc#957598).
• CVE-2015-8391: Some pathological patterns causes pcre_compile() to run for a very long time(bsc#957598).
• CVE-2015-8392: Buffer overflow caused by certain patterns with duplicated named groups(bsc#957598).
• CVE-2015-8393: Information leak when running pcgrep -q on crafted binary(bsc#957598).
• CVE-2015-8394: Integer overflow caused by missing check for certain conditions(bsc#957598).
• CVE-2015-8395: Buffer overflow caused by certain references(bsc#957598).
• CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allowed remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression (bsc#957600).
• CVE-2016-1283: The pcre_compile2 function in pcre_compile.c in PCRE mishandled certain patterns with named subgroups, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression (bsc#960837).
• CVE-2016-3191: The compile_branch function in pcre_compile.c in pcre2_compile.c mishandled patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allowed remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression (bsc#971741).

• JIT compiler improvements
• performance improvements
• The Unicode data tables have been updated to Unicode 7.0.0.

This update adds the 32bit version of libpth20 to SUSE Linux Enterprise 12 SP1 and 12 SP2.

This update for zlib fixes the following issues:
CVE-2016-9843: Big-endian out-of-bounds pointer
CVE-2016-9842: Undefined Left Shift of Negative Number (bsc#1003580)
CVE-2016-9840 CVE-2016-9841: Out-of-bounds pointer arithmetic in inftrees.c (bsc#1003579)
Incompatible declarations for external linkage function deflate (bsc#1003577)

This update for systemd fixes the following issues:

• core: Make mount units from /proc/self/mountinfo possibly bind to a device. Fixes unmounting issues when ejecting CDs or DVDs. (bsc#909418, bsc#912715, bsc#945340)
• fstab-generator: Remove bogus condition that leads to warnings on boot. (bsc#1013989)
• coredumpctl: Let gdb handle the SIGINT signal. (bsc#1012591)
• Ship kbd-model-map with the correct contents. (bsc#1015515)
• rules: Set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event. (bsc#963290, bsc#990538)
• tmpfiles: Don't skip path_set_perms on error. (bsc#953807)
• nspawn: Properly handle image/directory paths that are symbolic links. (bsc#1012390)
• systemctl: Fix 'is-enabled' exit status on failure when executed in chroot. (bsc#1012818)

This update for dirmngr enables support for daemon mode.

This update for systemd fixes the following two issues:

• A regression in the previous update (SUSE-RU-2017:0013-1, bsc#909418) could have caused systemd to freeze. (bsc#1018399)
• Warnings emitted when udev socket units are restarted during package upgrade were silenced. (bsc#1018214)

This update for kmod fixes a rare race condition while loading modules.

This update for systemd fixes the following issues:
This security issue was fixed:

• CVE-2016-10156: Fix permissions set on permanent timer timestamp files, preventing local unprivileged users from escalating privileges (bsc#1020601).

• Fix permission set on /var/lib/systemd/linger/*
• install: follow config_path symlink (#3362)
• install: fix disable when /etc/systemd/system is a symlink (bsc#1014560)
• run: make --slice= work in conjunction with --scope (bsc#1014566)
• core: don't dispatch load queue when setting Slice= for transient units
• systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
• rule: don't automatically online standby memory on s390x (bsc#997682)

This update for cpio fixes two issues.
This security issue was fixed:

• CVE-2016-2037: The cpio_safer_name_suffix function in util.c in cpio allowed remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file (bsc#963448).

• bsc#1020108: Always use 32 bit CRC to prevent checksum errors for files greater than 32MB

This update for libxml2 fixes the following issues:

• CVE-2016-4658: use-after-free error could lead to crash [bsc#1005544]
• Fix NULL dereference in xpointer.c when in recovery mode [bsc#1014873]
• CVE-2016-9597: An XML document with many opening tags could have caused a overflow of the stack not detected by the recursion limits, allowing for DoS (bsc#1017497).

This update provides libseccomp version 2.3.1 which fixes the following issues:

• Fixed a problem with 32-bit x86 socket syscalls on some systems (fate#321647, bsc#1019900)
• Fixed problems with ipc syscalls on 32-bit x86
• Fixed problems with socket and ipc syscalls on s390 and s390x

This update for expat fixes the following security issues:

• CVE-2012-6702: Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, made it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand function. (bsc#983215)
• CVE-2016-5300: The XML parser in Expat did not use sufficient entropy for hash initialization, which allowed context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0876. (bsc#983216)

This update for openssl fixes the following issues contained in the OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641)
Security issues fixed:

• CVE-2016-7055: The x86_64 optimized montgomery multiplication may produce incorrect results (bsc#1009528)
• CVE-2017-3731: Truncated packet could crash via OOB read (bsc#1022085)
• CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 (bsc#1022086)
• Degrade the 3DES cipher to MEDIUM in SSLv2 (bsc#1001912)

• fix crash in openssl speed (bsc#1000677)
• fix X509_CERT_FILE path (bsc#1022271)
• AES XTS key parts must not be identical in FIPS mode (bsc#1019637)

This update for dirmngr fixes the following issues:

• Properly initialize the dirmngr tmpfilesd files right away and not just during reboot
• Own the /usr/lib/tmpfiles.d/ folder as it is needed in older systemds wrt (bsc#1019276)
• Proprely require logrotate as we need it for the dirmngr configs

This update for sg3_utils fixes the following issue:

• Add udev rules to handle legacy CCISS devices (bsc#1006175)

This update for systemd provides the following fixes:

• core: Fix memory leak in transient units. (bsc#1025598)
• core: Destroy all name watching bus slots when we are kicked off the bus. (bsc#1006687)
• sd-event: Fix incorrect assertion. (bsc#995936, bsc#1022014)
• journald: Don't flush to /var/log/journal before we get asked to. (bsc#1004094)
• core: Downgrade warning about duplicate device names. (bsc#1022047)
• units: Remove no longer needed ldconfig service. (bsc#1019470)

This update for netcfg provides the following fixes:

• Update script to generate services to use UTF8 by default. (bsc#1028305)
• Repack services.bz2 with latest from upstream and adjust the script to not add all the names and emails at the bottom of the file. (bsc#959693)

This update for lvm2 fixes the following issues:

• Fix clvmd segmentation fault on ppc64le architecture. (bsc#1025630)
• Fix several trivial issues about clvmd/cmirrord resource agents. (bsc#1023283, bsc#1025560)
• Use {local,remote}-fs-pre.target instead of {local,remote}-fs.target. (bsc#1017034)
• Simplify special-case for md in 69-dm-lvm-metadata.rules. (bsc#1012973)
• Add systemd_requires to device-mapper package. (bsc#1015943)

This update for glibc fixes a potential segmentation fault in libpthread:

• Fork in libpthread cannot use IFUNC resolver. (bsc#1007851, bsc#1029725, bsc#1029900)

This update for cpio fixes the following issues:

• A regression caused cpio to crash for tar and ustar archive types [bsc#1028410]

This update for libtool prevents a segmentation fault caused by insufficient error handling on out-of-memory situations.

This update for curl fixes the following issues:
Security issue fixed:

• CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332)
• CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309).

This update for procps fixes the following issues:

• Command w(1) with option -n doesn't work. (bsc#1030621)

This update for gpg2 provides the following fixes:

• Do not install CAcert and other root certificates which are not needed with Let's Encrypt. (bsc#1036736)
• Initialize the trustdb before import attempt. (bsc#986783)

This update for systemd provides the following fixes:

• logind: Update empty and 'infinity' handling for [User]TasksMax. (bsc#1031355)
• importd: Support SUSE style checksums. (fate#322054)
• journal: Don't remove leading spaces. (bsc#1033855)
• Make sure all swap units are ordered before the swap target. (bsc#955770, bsc#1034565)
• hwdb: Fix warning 'atkbd serio0: Unknown key pressed'. (bsc#1010220)
• logind: Restart logind on package update only on SLE12 distros. (bsc#1032660)
• core: Treat masked files as 'unchanged'. (bsc#1032538)
• units: Move Before deps for quota services to remote-fs.target. (bsc#1028263)
• udev: Support predictable ifnames on vio buses. (bsc#1029183)
• udev: Add a persistent rule for ibmvnic devices. (bsc#1029183)
• units: Do not throw a warning in emergency mode if plymouth is not installed. (bsc#1025398)
• core: Downgrade 'Time has been changed' message to debug level. (bsc#1028610)
• vconsole: Don't do GIO_SCRNMAP / GIO_UNISCRNMAP. (bsc#1029691)
• udev-rules: Perform whitespace replacement for symlink subst values. (bsc#1025886)
• Consider chroot updates in fix-machines-subvol-for-rollbacks.sh. (bsc#1030290)

This update for bash fixes an issue that could lead to syntax errors when parsing scripts that use expr(1) inside loops.
Additionally, the popd build-in now ensures that the normalized stack offset is within bounds before trying to free that stack entry. This fixes a segmentation fault.

This update for glibc introduces basic support for IBM POWER9 systems. Additionally, an improper assert in dlclose() has been removed.

This update for pam fixes the following issues:

• CVE-2015-3238: pam_unix in conjunction with SELinux allowed for DoS attacks (bsc#934920).
• log a hint to syslog if /etc/nologin is present, but empty (bsc#1015565).
• If /etc/nologin is present, but empty, log a hint to syslog. (bsc#1015565)
• Added support for libowcrypt.so, if present, to configure support for BLOWFISH (bsc#1037824)

This update for e2fsprogs provides the following fixes:

• Fix 32/64-bit overflow when multiplying by blocks/clusters per group. This allows resize2fs(8) to resize file systems larger than 20 TB. (bsc#1009532)
• Update spec file to regenerate initrd when e2fsprogs is updated or uninstalled. (bsc#960273)

This update for cryptsetup provides the following fix:

• Don't use a zero-filled empty key, because in FIPS, XTS mode key parts mustn't be equivalent (bsc#1031998)

This update for libxml2 fixes the following issues:

• CVE-2017-9047, CVE-2017-9048: The function xmlSnprintfElementContent in valid.c was vulnerable to a stack buffer overflow (bsc#1039063, bsc#1039064)
• CVE-2017-9049: The function xmlDictComputeFastKey in dict.c was vulnerable to a heap-based buffer over-read. (bsc#1039066)
• CVE-2017-9050: The function xmlDictAddString was vulnerable to a heap-based buffer over-read (bsc#1039661)
• CVE-2016-1839: heap-based buffer overflow (xmlDictAddString func) (bnc#1039069)

This update for shadow fixes the following issues:

• Dynamically added users via pam_group are not listed in groups databases but are still valid. (bsc#1031643)
• useradd(8) and groupadd(8) performance issue when using SSSD. Previously the entire possible UID/GID was iterated to find an available UID/GID. This could take long time over a network device. Instead, find available UID/GID locally, and then check only those values over network. (bsc#1003978)

This update for libsemanage, selinux-policy fixes the following issues:

• Limit to policy version 29 by default.
• Fix policy module build failures and wrong policy path on SLE 12 SP2 (bsc#1038189, bsc#1035818, bsc#1020143, bsc#1032445)

This update for libxml2 fixes the following security issues:

• CVE-2017-9050: A heap-based buffer over-read in xmlDictAddString (bsc#1039069, bsc#1039661)
• CVE-2017-9049: A heap-based buffer overflow in xmlDictComputeFastKey (bsc#1039066)
• CVE-2017-9048: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039063)
• CVE-2017-9047: A stack overflow vulnerability in xmlSnprintfElementContent (bsc#1039064)

This update for gcc5 fixes the version of libffi in its pkg-config configuration file.

This update for openldap2 fixes the following issues:
Security issues fixed:

• CVE-2017-9287: A double free vulnerability in the mdb backend during search with page size 0 was fixed (bsc#1041764)

• Let OpenLDAP read system-wide certificates by default and don't hide the error if the user-specified CA location cannot be read. (bsc#1009470)
• Fix an uninitialised variable that causes startup failure (bsc#1037396)
• Fix an issue with transaction management that can cause server crash (bsc#972331)

This update for libgcrypt fixes the following issues:

• CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)

• Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

This update for glibc fixes the following issues:

• CVE-2017-1000366: Fix a potential privilege escalation vulnerability that allowed unprivileged system users to manipulate the stack of setuid binaries to gain special privileges. [bsc#1039357]

• A bug in glibc that could result in deadlocks between malloc() and fork() has been fixed. [bsc#1040043]

This update for e2fsprogs provides the following fixes:

• Don't ignore fsync errors in libext2fs. (bsc#1038194)
• Fix fsync(2) detection in libext2fs. (bsc#1038194)

This update for libxml2 fixes the following issues:
Security issues fixed:

• CVE-2017-0663: Fixed a heap buffer overflow in xmlAddID (bsc#1044337)
• CVE-2017-5969: Fixed a NULL pointer deref in xmlDumpElementContent (bsc#1024989)

This update for libsemanage, policycoreutils fixes the following issue:

• Show version numbers of modules where they are available (bsc#1043237)

This update for dirmngr provides the following fix:

• Change logrotate from Requires to Recommends (bsc#1045943)

This update for libxml2 fixes the following issues:
Security issues fixed:

• CVE-2017-7376: Increase buffer space for port in HTTP redirect support (bsc#1044887)
• CVE-2017-7375: Prevent unwanted external entity reference [bsc#1044894, ]

This update for systemd fixes the following issues:
Security issue fixed:

• CVE-2017-9217: resolved: Fix null pointer p->question dereferencing that could lead to resolved aborting (bsc#1040614)

• core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
• automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
• automount: Rework propagation between automount and mount units
• build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
• build: Fix systemd-journal-upload installation
• basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
• virt: Make sure some errors are not ignored
• fstab-generator: Do not skip Before= ordering for noauto mountpoints
• fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
• core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
• fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
• job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
• job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
• rules: Export NVMe WWID udev attribute (bsc#1038865)
• rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
• rules: Add rules for NVMe devices
• sysusers: Make group shadow support configurable (bsc#1029516)
• core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
• core: Introduce cg_mask_from_string()/cg_mask_to_string()
• core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
• Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files.
• Disable group shadow support (bsc#1029516)
• Only check signature job error if signature job exists (bsc#1043758)

This update for libgcrypt fixes the following issues:

• CVE-2017-7526: Hardening against a local side-channel attack in RSA key handling has been added (bsc#1046607)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2017-10684: Possible RCE via stack-based buffer overflow in the fmt_entry function. (bsc#1046858)
• CVE-2017-10685: Possible RCE with format string vulnerability in the fmt_entry function. (bsc#1046853)

• Drop patch ncurses-5.9-environment.dif as YaST2 ncurses GUI does not need it anymore and as well as it causes bug bsc#1000662

This update for binutils fixes an issue that prevented ld(1) from correctly linking the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.

This update for openldap2 provides the following fix:

• Fix a regression in handling of non-blocking connection (bsc#1031702)

This update for systemd and dracut fixes the following issues:
Security issues fixed:

• CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

• Automounter issue in combination with NFS volumes (bsc#1040968)
• Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
• Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

• Bail out if module directory does not exist. (bsc#1043900)
• Suppress bogus error message. (bsc#1032029)
• Fix module force loading with systemd. (bsc#986216)
• Ship udev files required by systemd. (bsc#1040153)
• Ignore module resolution errors (e.g. with kgraft). (bsc#1037120)

This update for procps provides the following fixes:

• Make pmap handle LazyFree in /proc/smaps (bsc#1034563)
• Allow reading and writing content lines longer than 1024 characters under /proc/sys (bsc#1039941)
• Avoid printing messages when /proc/sys/net/ipv6/conf/*/stable_secret is not set

This update for systemd provides several fixes and enhancements.
Security issues fixed:

• CVE-2017-9217: Null pointer dereferencing that could lead to resolved aborting. (bsc#1040614)
• CVE-2017-9445: Possible out-of-bounds write triggered by a specially crafted TCP payload from a DNS server. (bsc#1045290)

• core/mount: Use the '-c' flag to not canonicalize paths when calling /bin/umount
• automount: Handle expire_tokens when the mount unit changes its state (bsc#1040942)
• automount: Rework propagation between automount and mount units
• build: Make sure tmpfiles.d/systemd-remote.conf get installed when necessary
• build: Fix systemd-journal-upload installation
• basic: Detect XEN Dom0 as no virtualization (bsc#1036873)
• virt: Make sure some errors are not ignored
• fstab-generator: Do not skip Before= ordering for noauto mountpoints
• fstab-gen: Do not convert device timeout into seconds when initializing JobTimeoutSec
• core/device: Use JobRunningTimeoutSec= for device units (bsc#1004995)
• fstab-generator: Apply the _netdev option also to device units (bsc#1004995)
• job: Add JobRunningTimeoutSec for JOB_RUNNING state (bsc#1004995)
• job: Ensure JobRunningTimeoutSec= survives serialization (bsc#1004995)
• rules: Export NVMe WWID udev attribute (bsc#1038865)
• rules: Introduce disk/by-id (model_serial) symbolic links for NVMe drives
• rules: Add rules for NVMe devices
• sysusers: Make group shadow support configurable (bsc#1029516)
• core: When deserializing a unit, fully restore its cgroup state (bsc#1029102)
• core: Introduce cg_mask_from_string()/cg_mask_to_string()
• core:execute: Fix handling failures of calling fork() in exec_spawn() (bsc#1040258)
• Fix systemd-sysv-convert when a package starts shipping service units (bsc#982303) The database might be missing when upgrading a package which was shipping no sysv init scripts nor unit files (at the time --save was called) but the new version start shipping unit files.
• Disable group shadow support (bsc#1029516)
• Only check signature job error if signature job exists (bsc#1043758)
• Automounter issue in combination with NFS volumes (bsc#1040968)
• Missing symbolic link for SAS device in /dev/disk/by-path (bsc#1040153)
• Add minimal support for boot.d/* scripts in systemd-sysv-convert (bsc#1046750)

This update for binutils fixes an issue that prevented ld(1) from correctly linking the 32 bit version of libclntshcore.so.12.1 from the Oracle 12 Client.

This update for openssl fixes the following issues including fixes for our ongoing FIPS 140-2 evaluation:

• Remove DES-CBC3-SHA based ciphers from DEFAULT_SUSE to address SWEET32 problem (bsc#1027908)
• Use getrandom syscall instead of reading from /dev/urandom to get at least 128 bits of entropy to comply with FIPS 140.2 IG 7.14 (bsc#1027079 bsc#1044175)
• Fix x86 extended feature detection (bsc#1029523)
• Allow runtime switching of s390x capabilities via the 'OPENSSL_s390xcap' environmental variable (bsc#1028723)
• s_client sent empty client certificate (bsc#1028281) Add back certificate initialization set_cert_key_stuff() which was removed in a previous update.
• Fix a bug in XTS key handling (bsc#1019637)
• Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392)

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2017-11112: Illegal address access in append_acs. (bsc#1047964)
• CVE-2017-11113: Dereferencing NULL pointer in _nc_parse_entry. (bsc#1047965)
• CVE-2017-10684, CVE-2017-10685: Add modified upstream fix from ncurses 6.0 to avoid broken termcap format (bsc#1046853, bsc#1046858, bsc#1049344)

This update for cyrus-sasl provides the following fixes:

• Fix SASL GSSAPI mechanism acceptor wrongly returns zero maxbufsize
• Fix unknown authentication mechanism: kerberos5 (bsc#1026825)
• Really use SASLAUTHD_PARAMS variable (bsc#938657)
• Make sure /usr/sbin/rcsaslauthd exists
• Add /usr/sbin/rcsaslauthd symbolic link to /usr/sbin/service (bsc#1014471)
• Silence 'GSSAPI client step 1' debug log message (bsc#1044840)

This update for libxml2 fixes the following issues:
Security issues fixed:

• CVE-2017-8872: Out-of-bounds read in htmlParseTryOrFinish. (bsc#1038444)

This update for sed provides the following fixes:

• Don't terminate with a segmentation fault if close of last file descriptor fails. (bsc#954661)

This update adds the libverto library to OpenStack Cloud Magnum Orchestration channels.

This update for systemd fixes the following issues:

• compat-rules: Don't rely on ID_SERIAL when generating 'by-id' links for NVMe devices. (bsc#1048679)
• fstab-generator: Handle NFS 'bg' mounts correctly. (bsc#874665, fate#323464)
• timesyncd: Don't use compiled-in list if FallbackNTP has been configured explicitly.

This update for curl fixes the following issues:

• CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644)
• CVE-2017-1000101: URL globbing out of bounds read could lead to a denial of service (bsc#1051643)

This update for procps fixes the following issues:

• Fix a regression introduced in a previous update that would result in sysctl dying with a SIGSEGV error (bsc#1053409).

This update for lua51 provides the following fixes:

• Add Lua(API) and Lua(devel) symbols to fix building of lua51-luasocket. (bsc#1051626)

The Software Update Stack was updated to receive fixes and enhancements.

libzypp:

• CVE-2017-7435, CVE-2017-7436, CVE-2017-9269: Fix GPG check workflows, mainly for unsigned repositories and packages. (bsc#1045735, bsc#1038984)
• Fix gpg-pubkey release (creation time) computation. (bsc#1036659)
• Update lsof blacklist. (bsc#1046417)
• Re-probe on refresh if the repository type changes. (bsc#1048315)
• Propagate proper error code to DownloadProgressReport. (bsc#1047785)
• Allow to trigger an appdata refresh unconditionally. (bsc#1009745)
• Support custom repo variables defined in /etc/zypp/vars.d.

• Do not crash when the repository URL is not defined. (bsc#1043218)

This update for expat fixes the following issues:

• CVE-2016-9063: Possible integer overflow to fix inside XML_Parse leading to unexpected behaviour (bsc#1047240)
• CVE-2017-9233: External Entity Vulnerability could lead to denial of service (bsc#1047236)

This update for systemd fixes the following issues:

• Revert fix for bsc#1004995 which could have caused boot failure on LVM (bsc#1048605)

• compat-rules: drop the bogus 'import everything' rule (bsc#1046268)
• core: use an AF_UNIX/SOCK_DGRAM socket for cgroup agent notification (bsc#1045384 bsc#1047379)
• udev/path_id: introduce support for NVMe devices (bsc#1045987)

The Software Update Stack was updated to receive fixes and enhancements.
libzypp:

• Adapt to work with GnuPG 2.1.23. (bsc#1054088)
• Support signing with subkeys. (bsc#1008325)
• Enhance sort order for media.1/products. (bsc#1054671)

• Also show a gpg key's subkeys. (bsc#1008325)
• Improve signature check callback messages. (bsc#1045735)
• Add options to tune the GPG check settings. (bsc#1045735)
• Adapt download callback to report and handle unsigned packages. (bsc#1038984, CVE-2017-7436)
• Report missing/optional files as 'not found' rather than 'error'. (bsc#1047785)

This update for insserv-compat fixes the following issues:

• Add /etc/init.d hierarchy from former 'filesystem' package. (bsc#1035062)
• Fix directory argument parsing. (bsc#944903)
• Add perl(Getopt::Long) to list of requirements.

This update for libgcrypt fixes the following issues:

• libgcrypt stored an open file descriptor to the random device in a static variable between invocations. gnome-keyring-daemon on initialization reopened descriptors 0-2 with /dev/null which caused an infinite loop when libgcrypt attempted to read from the random device (bsc#1043333)
• Avoid seeding the DRBG during FIPS power-up selftests (bsc#1046659) * don't call gcry_drbg_instantiate() in healthcheck sanity test to save entropy * turn off blinding for RSA decryption in selftests_rsa to avoid allocation of a random integer
• fix a bug in gcry_drbg_healthcheck_sanity() which caused skipping some of the tests (bsc#1046659)
• dlsym returns PLT address on s390x, dlopen libgcrypt20.so before calling dlsym (bsc#1047008)

This update for sg3_utils provides the following fixes:

• Add lunsearch filter to findresized() so that only LUNs specified using --luns are rescanned or resized. (bsc#1025176)
• In case the VPD sysfs attributes are missing or cannot be accessed, fallback to use sg_inq --page when using multipath devices in AutoYast2 installations. (bsc#1012523)
• Generate /dev/disk/by-path links based on WWPN for Fibre Channel NPIV setups. (bsc#1005063)
• Fix dumping data in hexadecimal format in sg_vpd when using the --hex option. (bsc#1050943)
• Fix ID_SERIAL values for KVM disks by exporting all NAA values and removing some validity checking. (bsc#1050767)
• Make sure initrd is rebuilt on sg3_utils updates. (bsc#1009269)

This update for lvm2 provides the following fixes:

• Create /dev/disk/by-part{label,uuid} and gpt-auto-root links. (bsc#1028485)
• Try to refresh clvmd's device cache on the first failure. (bsc#978055)
• Fix stale device cache in clvmd. (bsc#978055)
• Warn if PV size in metadata is larger than disk device size. (bsc#999878)
• Fix lvm2 activation issue when used on top of multipath. (bsc#998893)

This update for krb5 fixes several issues.
This security issue was fixed:

• CVE-2017-11462: Prevent automatic security context deletion to prevent double-free (bsc#1056995)

• Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028)
• Prevent kadmind.service startup failure caused by absence of LDAP service. (bsc#903543)
• Remove main package's dependency on systemd (bsc#1032680)

This update for dbus-1 provides the following fixes:

• Fix systemd-logind dbus disconnection by ensuring all required timeouts are restarted. (bsc#1043615)
• Remove call to initscripts related macros from the spec file as dbus-1 does not ship any initscript anymore. (bsc#1046173)

This update for audit provides the following fix:

• Make auditd start by forking the systemd service to fix some initialization failures. (bsc#1042781)

This update for curl fixes the following issues:
Security issues fixed:

• CVE-2017-1000254: FTP PWD response parser out of bounds read (bsc#1061876)
• CVE-2017-1000257: IMAP FETCH response out of bounds read (bsc#1063824)

• Fixed error 'error:1408F10B:SSL routines' when connecting to ftps via proxy (bsc#1060653)

This update for pcre fixes the following issues:

• Fixed the pcre stack frame size detection because modern compilers break it due to cloning and inlining pcre match() function (bsc#1058722)

This update for permissions fixes the following issues:

• Allows users to install the HPC 'singularity' toolkit for managing singularity containers in setuid root mode. (bsc#1028304)

This update for krb5 fixes the following issues:
Security issues fixed:

• CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274)

This update for shadow fixes several issues.
This security issue was fixed:

• CVE-2017-12424: The newusers tool could have been forced to manipulate internal data structures in ways unintended by the authors. Malformed input may have lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors (bsc#1052261).

• bsc#1023895: Fixed man page to not contain invalid options and also prevent warnings when using these options in certain settings
• bsc#980486: Reset user in /var/log/tallylog because of the usage of pam_tally2

The GNU file utility was updated to version 5.22.
Security issues fixed:

• CVE-2014-9621: The ELF parser in file allowed remote attackers to cause a denial of service via a long string. (bsc#913650)
• CVE-2014-9620: The ELF parser in file allowed remote attackers to cause a denial of service via a large number of notes. (bsc#913651)
• CVE-2014-9653: readelf.c in file did not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file. (bsc#917152)
• CVE-2014-8116: The ELF parser (readelf.c) in file allowed remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities. (bsc#910253)
• CVE-2014-8117: softmagic.c in file did not properly limit recursion, which allowed remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors. (bsc#910253)

• add indirect relative for TIFF/Exif
• restructure elf note printing to avoid repeated messages
• add note limit, suggested by Alexander Cherepanov
• Bail out on partial pread()'s (Alexander Cherepanov)
• Fix incorrect bounds check in file_printable (Alexander Cherepanov)
• PR/405: ignore SIGPIPE from uncompress programs
• change printable -> file_printable and use it in more places for safety
• in ELF, instead of '(uses dynamic libraries)' when PT_INTERP is present print the interpreter name.

• there was an incorrect free in magic_load_buffers()
• there was an out of bounds read for some pascal strings
• there was a memory leak in magic lists
• don't interpret strings printed from files using the current locale, convert them to ascii format first.
• there was an out of bounds read in elf note reads

• recognize encrypted CDF documents
• add magic_load_buffers from Brooks Davis
• add thumbs.db support

• Fixed a memory corruption during rpmbuild (bsc#1063269)
• Backport of a fix for an increased printable string length as found in file 5.30 (bsc#996511)
• file command throws 'Composite Document File V2 Document, corrupt: Can't read SSAT' error against excel 97/2003 file format. (bsc#1009966)

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2017-12837: Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\N{}' escape and the case-insensitive modifier. (bnc#1057724)
• CVE-2017-12883: Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\N{U+...}' escape. (bnc#1057721)
• CVE-2017-6512: Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loosening logic. (bnc#1047178)

• backport set_capture_string changes from upstream (bsc#999735)
• reformat baselibs.conf as source validator workaround

This update for libgcrypt provides the following fix:

• Fix a regression in a previous update which caused libgcrypt to leak file descriptors causing failures when starting rtkit-daemon. (bsc#1059723)

The GNU Compiler GCC 7 is being added to the Toolchain Module by this update.
New features:

• Support for specific IBM Power9 processor instructions.
• Support for specific IBM zSeries z14 processor instructions.
• New packages cross-npvtx-gcc7 and nvptx-tools added to the Toolchain Module for specific NVIDIA Card offload support.

The Software Update Stack was updated to receive fixes and enhancements.
libsolv:

• Many fixes and improvements for cleandeps.
• Always create dup rules for 'distupgrade' jobs.
• Use recommends also for ordering packages.
• Fix splitprovides handling with addalreadyrecommended turned off. (bsc#1059065)
• Expose solver_get_recommendations() in bindings.
• Fix bug in solver_prune_to_highest_prio_per_name resulting in bad output from solver_get_recommendations().
• Support 'without' and 'unless' dependencies.
• Use same heuristic as upstream to determine source RPMs.
• Fix memory leak in bindings.
• Add pool_best_solvables() function.
• Fix 64bit integer parsing from RPM headers.
• Enable bzip2 and xz/lzma compression support.
• Enable complex/rich dependencies on distributions with RPM 4.13+.

• Fix media handling in presence of a repo path prefix. (bsc#1062561)
• Fix RepoProvideFile ignoring a repo path prefix. (bsc#1062561)
• Remove unused legacy notify-message script. (bsc#1058783)
• Support multiple product licenses in repomd. (fate#322276)
• Propagate 'rpm --import' errors. (bsc#1057188)
• Fix typos in zypp.conf.

• Locale: Fix possible segmentation fault. (bsc#1064999)
• Add summary hint if product is better updated by a different command. This is mainly used by rolling distributions like openSUSE Tumbleweed to remind their users to use 'zypper dup' to update (not zypper up or patch). (bsc#1061384)
• Unify '(add|modify)(repo|service)' property related arguments.
• Fixed 'add' commands supporting to set only a subset of properties.
• Introduced '-f/-F' as preferred short option for --[no-]refresh in all four commands. (bsc#661410, bsc#1053671)
• Fix missing package names in installation report. (bsc#1058695)
• Differ between unsupported and packages with unknown support status. (bsc#1057634)
• Return error code '107' if an RPM's %post configuration script fails, but only if ZYPPER_ON_CODE12_RETURN_107=1 is set in the environment. (bsc#1047233)

This update for systemd fixes the following issues:

• unit: When JobTimeoutSec= is turned off, implicitly turn off JobRunningTimeoutSec= too. (bsc#1048605, bsc#1004995)
• compat-rules: Generate compat by-id symlinks with 'nvme' prefix missing and warn users that have broken symlinks. (bsc#1063249)
• compat-rules: Allow to specify the generation number through the kernel command line.
• scsi_id: Fixup prefix for pre-SPC inquiry reply. (bsc#1039099)
• tmpfiles: Remove old ICE and X11 sockets at boot.
• tmpfiles: Silently ignore any path that passes through autofs. (bsc#1045472)
• pam_logind: Skip leading /dev/ from PAM_TTY field before passing it on.
• shared/machine-pool: Fix another mkfs.btrfs checking. (bsc#1053595)
• shutdown: Fix incorrect fscanf() result check.
• shutdown: Don't remount,ro network filesystems. (bsc#1035386)
• shutdown: Don't be fooled when detaching DM devices with BTRFS. (bsc#1055641)
• bash-completion: Add support for --now. (bsc#1053137)
• Add convert-lib-udev-path.sh script to convert /lib/udev directory into a symlink pointing to /usr/lib/udev when upgrading from SLE11. (bsc#1050152)
• Add a rule to teach hotplug to offline containers transparently. (bsc#1040800)

This update for coreutils provides the following fixes:

• Fix df(1) to no longer interact with excluded file system types, so for example specifying -x nfs no longer hangs with problematic nfs mounts. (bsc#1026567)
• Ensure df -l no longer interacts with dummy file system types, so for example no longer hangs with problematic NFS mounted via system.automount(5). (bsc#1043059)
• Significantly speed up df(1) for huge mount lists. (bsc#965780)

This update for libtool provides the following fix:

• Add missing dependencies and provides to baselibs.conf to make sure libltdl libraries are properly installed. (bsc#1056381)

This update for openssl fixes the following issues:
Security issues fixed:

• CVE-2017-3735: openssl1,openssl: Malformed X.509 IPAdressFamily could cause OOB read (bsc#1056058)
• CVE-2017-3736: openssl: bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242)
• Out of bounds read+crash in DES_fcrypt (bsc#1065363)
• openssl DEFAULT_SUSE cipher list is missing ECDHE-ECDSA ciphers (bsc#1055825)

GNU binutil was updated to the 2.29.1 release, bringing various new features, fixing a lot of bugs and security issues.
Following security issues are being addressed by this release:
* 18750 bsc#1030296 CVE-2014-9939 * 20891 bsc#1030585 CVE-2017-7225 * 20892 bsc#1030588 CVE-2017-7224 * 20898 bsc#1030589 CVE-2017-7223 * 20905 bsc#1030584 CVE-2017-7226 * 20908 bsc#1031644 CVE-2017-7299 * 20909 bsc#1031656 CVE-2017-7300 * 20921 bsc#1031595 CVE-2017-7302 * 20922 bsc#1031593 CVE-2017-7303 * 20924 bsc#1031638 CVE-2017-7301 * 20931 bsc#1031590 CVE-2017-7304 * 21135 bsc#1030298 CVE-2017-7209 * 21137 bsc#1029909 CVE-2017-6965 * 21139 bsc#1029908 CVE-2017-6966 * 21156 bsc#1029907 CVE-2017-6969 * 21157 bsc#1030297 CVE-2017-7210 * 21409 bsc#1037052 CVE-2017-8392 * 21412 bsc#1037057 CVE-2017-8393 * 21414 bsc#1037061 CVE-2017-8394 * 21432 bsc#1037066 CVE-2017-8396 * 21440 bsc#1037273 CVE-2017-8421 * 21580 bsc#1044891 CVE-2017-9746 * 21581 bsc#1044897 CVE-2017-9747 * 21582 bsc#1044901 CVE-2017-9748 * 21587 bsc#1044909 CVE-2017-9750 * 21594 bsc#1044925 CVE-2017-9755 * 21595 bsc#1044927 CVE-2017-9756 * 21787 bsc#1052518 CVE-2017-12448 * 21813 bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450, bsc#1052503, CVE-2017-12456, bsc#1052507, CVE-2017-12454, bsc#1052509, CVE-2017-12453, bsc#1052511, CVE-2017-12452, bsc#1052514, CVE-2017-12450 * 21933 bsc#1053347 CVE-2017-12799 * 21990 bsc#1058480 CVE-2017-14333 * 22018 bsc#1056312 CVE-2017-13757 * 22047 bsc#1057144 CVE-2017-14129 * 22058 bsc#1057149 CVE-2017-14130 * 22059 bsc#1057139 CVE-2017-14128 * 22113 bsc#1059050 CVE-2017-14529 * 22148 bsc#1060599 CVE-2017-14745 * 22163 bsc#1061241 CVE-2017-14974 * 22170 bsc#1060621 CVE-2017-14729
Update to binutils 2.29. [fate#321454, fate#321494, fate#323293]:
* The MIPS port now supports microMIPS eXtended Physical Addressing (XPA) instructions for assembly and disassembly. * The MIPS port now supports the microMIPS Release 5 ISA for assembly and disassembly. * The MIPS port now supports the Imagination interAptiv MR2 processor, which implements the MIPS32r3 ISA, the MIPS16e2 ASE as well as a couple of implementation-specific regular MIPS and MIPS16e2 ASE instructions. * The SPARC port now supports the SPARC M8 processor, which implements the Oracle SPARC Architecture 2017. * The MIPS port now supports the MIPS16e2 ASE for assembly and disassembly. * Add support for ELF SHF_GNU_MBIND and PT_GNU_MBIND_XXX. * Add support for the wasm32 ELF conversion of the WebAssembly file format. * Add --inlines option to objdump, which extends the --line-numbers option so that inlined functions will display their nesting information. * Add --merge-notes options to objcopy to reduce the size of notes in a binary file by merging and deleting redundant notes. * Add support for locating separate debug info files using the build-id method, where the separate file has a name based upon the build-id of the original file.

• GAS specific:

• GNU ld specific:

• Add riscv64 target, tested with gcc7 and downstream newlib 2.4.0
• Prepare riscv32 target (gh#riscv/riscv-newlib#8)
• Make compressed debug section handling explicit, disable for old products and enable for gas on all architectures otherwise. [bsc#1029995]
• Remove empty rpath component removal optimization from to workaround CMake rpath handling. [bsc#1025282]

• Update to binutils 2.28.

• GAS specific:

• GNU ld specific: