Container summary for suse/sles12sp4

SUSE-CU-2023:2192-1

This update for gcc12 fixes the following issues:
Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204, containing lots of bugfixes and improvements.

• Speed up builds with --enable-link-serialization.
• Update embedded newlib to version 4.2.0

SUSE-CU-2023:2107-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

SUSE-CU-2023:1873-1

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

SUSE-CU-2023:1834-1

SUSE-CU-2023:1727-1

This update for krb5 fixes the following issues:

• Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix (bsc#1211411)

SUSE-CU-2023:1693-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

SUSE-CU-2023:1619-1

This update for curl fixes the following issues:

• CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

This update for libzypp, zypper fixes the following issues:

• Removing a PTF without enabled repos should always fail (bsc#1203248)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Add expert (allow-*) options to all installer commands (bsc#428822)

• Provide 'removeptf' command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. But you don't want the dependant packages to be removed together with the PTF, which is what the remove command would do. The removeptf command however will aim to replace the dependant packages by their official update versions.

SUSE-CU-2023:1580-1

SUSE-CU-2023:1468-1

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

SUSE-CU-2023:1426-1

SUSE-CU-2023:1371-1

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

SUSE-CU-2023:1305-1

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).

SUSE-CU-2023:1186-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

SUSE-CU-2023:963-1

This update for systemd fixes the following issues:

• CVE-2023-26604: Fixed a privilege escalation via the less pager. (bsc#1208958)
• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).
• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).
• Fixed 'systemd --user' call pam_loginuid when creating user@.service (bsc#1198507).
• Fixed 'systemd-detect-virt' refine hypervisor detection (bsc#1197244).
• Fixed 'udev' 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529).
• Fixed 'man' tweak description of auto/noauto (bsc#1191502).

SUSE-CU-2023:874-1

This update for openssl-1_0_0 fixes the following issues:
Security fixes:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

• Fix DH key generation in FIPS mode, add support for constant BN for DH parameters (bsc#1202062)

SUSE-CU-2023:599-1

SUSE-CU-2023:591-1

SUSE-CU-2023:295-1

This update for krb5 fixes the following issues:

• Update logrotate script, call systemd to reload the services instead of init-scripts. (bsc#1206152)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

• testsuite: Update further expiring certificates that affect tests [bsc#1201627]

SUSE-CU-2023:177-1

SUSE-CU-2023:18-1

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

SUSE-CU-2022:3457-1

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)

• Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1

SUSE-CU-2022:3341-1

This update for libzypp fixes the following issues:
Update to version 16.22.5:

• properly reset range requests (bsc#1204548)

SUSE-CU-2022:3317-1

SUSE-CU-2022:3313-1

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

SUSE-CU-2022:3230-1

SUSE-CU-2022:3229-1

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Toolchain Module.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

SUSE-CU-2022:3155-1

This update for openldap2 fixes the following issues:

• Resolve broken symlinks in documentation (bsc#1203320)

SUSE-CU-2022:3083-1

This update for augeas fixes the following issues:

• Recognize fudge flags in ntp lens (bsc#1142050)
• Fix issues with build time tests (bsc#1084542)

SUSE-CU-2022:2938-1

This update for rpm fixes the following issues:

• Fixed PGP parsing bugs (bsc#1185299).
• Fixed various format handling bugs (bsc#996280).
• CVE-2021-3421: Fixed vulnerability where unsigned headers could be injected into the rpm database (bsc#1183543).
• CVE-2021-20271: Fixed vulnerability where a corrupted rpm could corrupt the rpm database (bsc#1183545).
• CVE-2021-20266: Fixed missing bounds check in hdrblobInit (bsc#1183632).

• Fixed deadlock when multiple rpm processes tried to acquire the database lock (bsc#1183659).

This update for glibc fixes the following issues:

• CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

• x86: fix stack alignment in pthread_cond_[timed]wait (bsc#1196852)
• Recognize ppc64p7 arch to build for power7

SUSE-CU-2022:2873-1

This update for openssl-1_0_0 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)

SUSE-CU-2022:2831-1

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

SUSE-CU-2022:2802-1

SUSE-CU-2022:2779-1

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690).

SUSE-CU-2022:2732-1

This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593). - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

SUSE-CU-2022:2711-1

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

SUSE-CU-2022:2627-1

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2460-1

SUSE-CU-2022:2425-1

This update for libgcrypt fixes the following issues:

• FIPS: Auto-initialize drbg if needed. (bsc#1200095)

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

SUSE-CU-2022:2151-1

SUSE-CU-2022:2046-1

SUSE-CU-2022:2045-1

This update for keyutils fixes the following issues:

• Apply default TTL to DNS records from getaddrinfo() (bsc#1201929)

This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

• Added:

• Removed:

• Added:

• Removed:

• Added CAs:

• Added new root CAs:

• Removed old root CAs:

SUSE-CU-2022:2024-1

This update for util-linux fixes the following issues:

• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

SUSE-CU-2022:1908-1

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

SUSE-CU-2022:1863-1

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

SUSE-CU-2022:1845-1

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
• CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).
• CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).
• CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

SUSE-CU-2022:1827-1

SUSE-CU-2022:1809-1

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

SUSE-CU-2022:1773-1

SUSE-CU-2022:1772-1

SUSE-CU-2022:1618-1

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).

SUSE-CU-2022:1533-1

SUSE-CU-2022:1452-1

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

SUSE-CU-2022:1397-1

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

SUSE-CU-2022:1330-1

This update for zypper fixes the following issues:

• Improve return codes. (bsc#1198139)
• info: Fix SEGV with not installed PTFs. (bsc#1196317)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

SUSE-CU-2022:1307-1

SUSE-CU-2022:1296-1

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• Fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• Fixes issue with debug dumping together with -o /dev/null
• Fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

SUSE-CU-2022:1207-1

This update for audit fixes the following issues:

• Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)

SUSE-CU-2022:1159-1

This update for libxml2 fixes the following issues:

• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
• CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).

SUSE-CU-2022:1120-1

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
• Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).

SUSE-CU-2022:1054-1

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issues:

• Fix handling of keywords in new sysctl.conf (bsc#1197443)

This update for systemd syncs internal package requirements, but has otherwise no code or functional changes compared to the last update. (bsc#1199273)

SUSE-CU-2022:1019-1

SUSE-CU-2022:951-1

SUSE-CU-2022:682-1

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)

SUSE-CU-2022:658-1

SUSE-CU-2022:635-1

This update for bash fixes the following issues:

• Fix memory leak in array asignment (bsc#1197674)

SUSE-CU-2022:621-1

This update for libsolv, libzypp fixes the following issues:

• fix memory leaks in SWIG generated code
• fix misparsing with libxml2
• try to keep packages from a cycle close togther in the transaction order (bsc#1189622)
• fix split provides not working if the update includes a forbidden vendor change (bsc#1195485)
• fix segfault on conflict resolution when using bindings
• do not replace noarch problem rules with arch dependent one in problem reporting
• fix and simplify pool_vendor2mask implementation
• Hint on ptf resolver conflicts (bsc#1194848)
• Fix package signature check (bsc#184501) Pay attention that header and payload are secured by a valid. signature and report more detailed which signature is missing.
• Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.

SUSE-CU-2022:620-1

SUSE-CU-2022:598-1

SUSE-CU-2022:597-1

SUSE-CU-2022:596-1

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
• systemctl: exit with 1 if no unit files found (bsc#1193841)
• umount: show correct error message
• core/umount: fix unitialized fields in MountPoint in dm_list_get()
• umount: Add more asserts and remove some unused arguments, fix memory leak
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
• sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (bsc#1191399)
• manager: reexecute on SIGRTMIN+25, user instances only
• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
• units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
• Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291)
• Allow systemd sysusers config files to be overriden during system installation (bsc#1171962).
• While at it, add a comment to explain why we don't use %sysusers_create in %pre and why it should be safe in %post.

SUSE-CU-2022:508-1

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)
• CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
• Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
• Do not trim read-only volumes (bsc#1106214).
• libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
• raw.service: Add `RemainAfterExit=yes` (bsc#1135534).
• agetty: Reload issue only if it is really needed (bsc#1085196)
• agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
• blockdev: Do not fail `--report` on kpartx-style partitions on multipath. (bsc#1168235)
• nologin: Add support for `-c` to prevent error from `su -c`. (bsc#1151708)
• Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
• libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
• Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
• Build with libudev support to support non-root users. (bsc#1169006)
• lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to CIFS with mount –a. (bsc#1174942)

SUSE-CU-2022:471-1

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

SUSE-CU-2022:470-1

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

SUSE-CU-2022:435-1

SUSE-CU-2022:434-1

This update for pcre fixes the following issue:

• Add devel package to HA channels. (bsc#1196187)

SUSE-CU-2022:280-1

SUSE-CU-2022:279-1

This update for expat fixes the following issues:

• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
• Allow CRYPTO_THREADID_set_callback to be called with NULL parameter (bsc#1196249).

SUSE-CU-2022:272-1

This update for suse-build-key fixes the following issues:

• Extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
• Added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
• Extended expiry of SUSE SLES11 key (bsc#1194845)
• Added SUSE Contaner signing key in PEM format for use e.g. by cosign.
• SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
• Removed old security key.

SUSE-CU-2022:262-1

SUSE-CU-2022:244-1

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

SUSE-CU-2022:233-1

SUSE-CU-2022:183-1

SUSE-CU-2022:182-1

SUSE-CU-2022:181-1

This update for expat fixes the following issues:

• CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
• CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

This update for openldap2 fixes the following issues:

• Resolve double free in sssvlv overlay (bsc#1193296).

This update for coreutils fixes the following issues:

• Remove problematic special leaf optimization cases for XFS that can lead to du crashes. (bsc#1190354)

SUSE-CU-2022:176-1

glibc was updated to fix the following issues:
Security issues fixed:

• CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
• CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

• Make endian-conversion macros always return correct types (bsc#1193478, BZ #16458)
• Allow dlopen of filter object to work (bsc#1192620, BZ #16272)
• x86: fix stack alignment in cancelable syscall stub (bsc#1191835)

SUSE-CU-2022:103-1

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

SUSE-CU-2022:59-1

SUSE-CU-2022:40-1

SUSE-CU-2022:3-1

SUSE-CU-2022:2-1

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

SUSE-CU-2021:591-1

This update for bash fixes the following issues:

• Fixed and issue when 'setuid' causing permission denied on 'popen'. (bsc#1192785)

SUSE-CU-2021:589-1

This update for openssl-1_0_0 fixes the following issues:

• Fix parameters by name ffdheXXXX and modp_XXXX sometimes result in 'not found' (bsc#1190885)
• Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameter (bsc#1180995)

SUSE-CU-2021:586-1

SUSE-CU-2021:583-1

SUSE-CU-2021:576-1

This update for nghttp2 fixes the following issue:

• libnghttp2-devel was missing from the SDK. (bsc#1192681)

SUSE-CU-2021:567-1

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

SUSE-CU-2021:552-1

SUSE-CU-2021:551-1

This update for bzip2 fixes the following issues:

• Enables build time tests of bzip2. (bsc#1191648)

SUSE-CU-2021:542-1

SUSE-CU-2021:541-1

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

SUSE-CU-2021:537-1

SUSE-CU-2021:536-1

SUSE-CU-2021:535-1

This optional update for cracklib fixes the following issue:

• Execute the test while building the package. (bsc#1191736)

SUSE-CU-2021:530-1

This update for permissions fixes the following issues:

• Update to version 20170707:

• add capability for prometheus-blackbox_exporter (bsc#1191194)

SUSE-CU-2021:511-1

This update for pam fixes the following issues:

• pam_cracklib: backported code to check whether the password contains a substring of of the user's name of at least characters length in some form from SLE-15. (jsc#SLE-22182)

SUSE-CU-2021:509-1

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
• CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
• CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
• CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
• CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
• CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).

SUSE-CU-2021:498-1

SUSE-CU-2021:497-1

SUSE-CU-2021:485-1

SUSE-CU-2021:484-1

SUSE-CU-2021:463-1

This update of cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp and xmlsec1 rebuilds the packages with a symbol versioned openssl, to allow later migration to a TLS 1.3 enabled openssl 1.1.1.
This update contains no other functional changes.

SUSE-CU-2021:457-1

SUSE-CU-2021:452-1

This update for libsolv, libzypp, zypper fixes the following issues:

• Turn on rich dependency handling needed for ptf support. (bsc#1190530)
• Rebuild all caches to make sure rich dependency handling is enabled. (bsc#1190530)
• Fix solver jobs for PTFs. (bsc#1186503)
• Add support for PTFs. (jsc#SLE-17973, jsc#SLE-17974)
• Identify well-known category names for better sorting. (bsc#1179847)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Don't probe for plaindir repo if URL schema is plugin. (bsc#1191286)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)

SUSE-CU-2021:450-1

SUSE-CU-2021:427-1

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

SUSE-CU-2021:426-1

SUSE-CU-2021:425-1

SUSE-CU-2021:414-1

SUSE-CU-2021:407-1

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

SUSE-CU-2021:390-1

This update for glibc fixes the following issues:

• CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories.
Changes done in GCC11 are documented on:
https://gcc.gnu.org/gcc-11/changes.html
This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler.
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

SUSE-CU-2021:374-1

SUSE-CU-2021:366-1

SUSE-CU-2021:358-1

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in SUSE Linux Enterprise 12 and older. (bsc#1190858)

SUSE-CU-2021:347-1

This update contains new end of support dates for the release packages.

• Update the EOL date for the products. (bsc#1158605)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

Create update to release base-container-licenses to fix bsc#1189738

SUSE-CU-2021:295-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for bzip2 fixes the following issues:

• Disable a optimization that caused crashes with libarchive due to uninitialized memory. (bsc#1188891)
• Fixed bashisms in bzgrep and bznew

This update for cracklib fixes the following issue:

• Provide 'cracklib-dict-small' to SUSE Linux Enterprise Server 12-SP5 (bsc#1188698)

This update for file fixes the following issues:

• CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).

This update for zypper fixes the following issues:

• Fix for man: point out more clearly that patches update affected packages to the latest available version. (bsc#1187466)

SUSE-CU-2021:287-1

SUSE-CU-2021:286-1

This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)

This update for cpio fixes the following issues:

• A regression in last update would cause builds to hang on various architectures(bsc#1189465)

This update for cpio fixes the following issues:

• A regression in the previous update could lead to crashes (bsc#1189465)

This update for cpio fixes the following issues:

• A patch previously applied to remedy CVE-2021-38185 introduced a regression that had the potential to cause a segmentation fault in cpio. [bsc#1189465]

SUSE-CU-2021:277-1

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015).

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for libsolv fixes the following issues:
Security issues fixed:

• CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
• CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)

• backport support for blacklisted packages to support ptf packages and retracted patches
• fix ruleinfo of complex dependencies returning the wrong origin
• fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
• fix add_complex_recommends() selecting conflicted packages in rare cases
• fix potential segfault in resolve_jobrules
• fix solv_zchunk decoding error if large chunks are used

This update for systemd fixes the following issues:
Security issues fixed:

• CVE-2021-33910: Fixed a denial of service (stack exhaustion) in systemd (PID 1) (bsc#1188063)

• mount-util: shorten the loop a bit (#7545)
• mount-util: do not use the official MAX_HANDLE_SZ (#7523)
• mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
• mount-util: fix bad indenting
• mount-util: EOVERFLOW might have other causes than buffer size issues
• mount-util: fix error propagation in fd_fdinfo_mnt_id()
• mount-util: drop exponential buffer growing in name_to_handle_at_loop()
• udev: port udev_has_devtmpfs() to use path_get_mnt_id()
• mount-util: add new path_get_mnt_id() call that queries the mnt ID of a path
• mount-util: add name_to_handle_at_loop() wrapper around name_to_handle_at()
• mount-util: accept that name_to_handle_at() might fail with EPERM (#5499)
• basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
• sysusers: use the usual comment style
• test/TEST-21-SYSUSERS: add tests for new functionality
• sysusers: allow admin/runtime overrides to command-line config
• basic/strv: add function to insert items at position
• sysusers: allow the shell to be specified
• sysusers: move various user credential validity checks to src/basic/
• man: reformat table in sysusers.d(5)
• sysusers: take configuration as positional arguments
• sysusers: emit a bit more info at debug level when locking fails
• sysusers: allow force reusing existing user/group IDs (#8037)
• sysusers: ensure GID in uid:gid syntax exists
• sysusers: make ADD_GROUP always create a group
• test: add TEST-21-SYSUSERS test
• sysuser: use OrderedHashmap
• sysusers: allow uid:gid in sysusers.conf files
• sysusers: fix memleak (#4430)
• These commits implement the option '--replace' for systemd-sysusers so %sysusers_create_package can be introduced in SLE and packages can rely on this rpm macro without wondering whether the macro is available on the different target the package is submitted to.
• Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
• systemctl: add --value option
• execute: make sure to call into PAM after initializing resource limits (bsc#1184967)
• rlimit-util: introduce setrlimit_closest_all()
• system-conf: drop reference to ShutdownWatchdogUsec=
• core: rename ShutdownWatchdogSec to RebootWatchdogSec (bsc#1185331)
• Return -EAGAIN instead of -EALREADY from unit_reload (bsc#1185046)
• rules: don't ignore Xen virtual interfaces anymore (bsc#1178561)
• write_net_rules: set execute bits (bsc#1178561)
• udev: rework network device renaming
• Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''

This update for curl fixes the following issues:

• CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
• CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
• CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
• CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

This update for glibc fixes the following issues:
Security issues fixed:

• CVE-2021-35942: wordexp: Fixed handle overflow in positional parameter number (bsc#1187911)
• CVE-2016-10228: Rewrite iconv option parsing (bsc#1027496)

• Fixed race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

This update for openldap2 rebuilds openldap2 against a symbol versioned enabled openssl 1.0 library.
This is an enablemend for migrations to openssl 1.1.1 which will enable TLS 1.3 support.

SUSE-CU-2021:242-1

SUSE-CU-2021:225-1

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)
• Fixed build failure in SLE-12 due to bogus 'rpmlint'. (bsc#1185337)

SUSE-CU-2021:219-1

This update for curl fixes the following issues:

• CVE-2021-22898: TELNET stack contents disclosure (bsc#1186114)
• CVE-2021-22876: The automatic referer leaks credentials (bsc#1183933)
• CVE-2020-8286: Inferior OCSP verification (bsc#1179593)
• CVE-2020-8285: FTP wildcard stack overflow (bsc#1179399)
• CVE-2020-8284: Trusting FTP PASV responses (bsc#1179398)
• CVE-2020-8231: libcurl will pick and use the wrong connection with multiple requests with libcurl's multi API and the 'CURLOPT_CONNECT_ONLY' option (bsc#1175109)
• Fix: SFTP uploads result in empty uploaded files (bsc#1177976)

SUSE-CU-2021:172-1

This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for audit fixes the following issues:

• Enable Aarch64 processor support. (bsc#1179515, bsc#1184362)

SUSE-CU-2021:149-1

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a bug where the 'tailf' command destroyed the terminal/console settings (bsc1177369)

SUSE-CU-2021:129-1

This update for permissions fixes the following issues:

• Update to version 20170707: * make btmp root:utmp (bsc#1050467, bsc#1182899)

SUSE-CU-2021:122-1

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs'. (bsc#1184690, bsc#1184434)

SUSE-CU-2021:114-1

SUSE-CU-2021:111-1

This update for systemd fixes the following issues:

• Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083)
• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.
• Fixed a memory leak in systemctl daemon-reload (bsc#1180020)
• Fixed a crash in systemd-journald upon activation of persistent journal (bsc#1179824)
• Fixed an error when building systemd systemd-mini, caused by a change in systemd-rpm-macros (bsc#1183094)
• Fixed a race condition at device creation and sound.target dependencies (bsc#1179363)
• Fixed an issue, where Restart=on-abort was not respected based on the exit status of the main process (bsc#1183790)
• Created a /dev/disk/by-label symlink for LUKS2 to be able to label crypto devices properly (bsc#1180885)
• When /etc/localtime is missing, timezone UTC will be assumed (bsc#1141597)
• Fix edge case when processing /proc/self/mountinfo (bsc#1180596)
• Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083)

SUSE-CU-2021:104-1

This update for glibc fixes the following issues:

• CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386)
• CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694)
• CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721)
• Check vector support in memmove ifunc-selector (bsc#1184034)

SUSE-CU-2021:95-1

This update for pam fixes the following issue:

• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for libzypp, zypper fixes the following issues:
Changes in zypper:

• Fix typo in `list-patches` help. (bsc#1178925)

• Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
• Remove from the logs the credentials available from the authorization header. (bsc#1174215) The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log.

This update for cyrus-sasl fixes the following issues:

• CVE-2019-19906: Fixed an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for openldap2 fixes the following issues:

• CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
• CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

This update for openssl-1_0_0 fixes the following issues:

• Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777)
• Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959)

This update for file fixes the following issues:

• Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
• powerpc: Add support for POWER10 (bsc#1181365)

This update for openldap2 fixes the following issues:

• bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
• bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
• bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
• bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
• bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
• bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
• bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
• bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
• bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for nghttp2 fixes the following issues:
Security issues fixed:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
• CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
• CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
• CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
• CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

• Packages must not mark license files as %doc (bsc#1082318)
• Typo in description of libnghttp2_asio1 (bsc#962914)
• Fixed mistake in spec file (bsc#1125689)
• Fixed build issue with boost 1.70.0 (bsc#1134616)
• Fixed build issue with GCC 6 (bsc#964140)
• Feature: Add W&S module (FATE#326776, bsc#1112438)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

SUSE-CU-2020:691-1

This update for systemd fixes the following issues:

• Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
• Fixed a buffer overflow in systemd ask-password (bsc#1177510)
• Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513)
• Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

• cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)

SUSE-CU-2020:686-1

This update for krb5 fixes the following security issue:

• CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

SUSE-CU-2020:680-1

This update for zypper fixes the following issues:

• Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038)
• Fixed a typo in man page (bsc#1169947)

SUSE-CU-2020:674-1

This update for openldap2 fixes the following issues:

• CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

SUSE-CU-2020:670-1

This update for gcc10 fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

SUSE-CU-2020:653-1

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

SUSE-CU-2020:652-1

This update for openssl-1_0_0 fixes the following issues:
Various changes required for FIPS 140-2 certification (jsc#SLE-10541)

• FIPS: Use SHA-2 in the RSA pairwise consistency check (bsc#1155346)
• FIPS: Add shared secret KAT to FIPS DH selftest (bsc#1176029)
• FIPS: Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029 bsc#1177479 bsc#1177575 bsc#1177673 bsc#1177793)

SUSE-CU-2020:558-1

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

SUSE-CU-2020:549-1

This update for suse-build-key fixes the following issues:

• This update extends the suse build key (bsc#1176759)
• The SUSE container key is different from the build key. (PM-1845 bsc#1170347)

This update for libproxy fixes the following issues:

• CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
• CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

SUSE-CU-2020:515-1

SUSE-CU-2020:508-1

This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

This update for systemd fixes the following issues:

• Fixes some file mode inconsistencies for some ghost files (bsc#1173227)
• Fixes an issue where the system could hang on reboot (bsc#1169488)

SUSE-CU-2020:490-1

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
• Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).

SUSE-CU-2020:439-1

This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:

• AddTrust External CA Root
• AddTrust Class 1 CA Root
• LuxTrust Global Root 2
• Staat der Nederlanden Root CA - G2
• Symantec Class 1 Public Primary Certification Authority - G4
• Symantec Class 2 Public Primary Certification Authority - G4
• VeriSign Class 3 Public Primary Certification Authority - G3

• certSIGN Root CA G2
• e-Szigno Root CA 2017
• Microsoft ECC Root Certificate Authority 2017
• Microsoft RSA Root Certificate Authority 2017

This update for procps fixes the following issues:

• Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

SUSE-CU-2020:431-1

This update of pam fixes the following issue:

• On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593)

SUSE-CU-2020:413-1

This update for openldap2 fixes the following issues:

• Fixes an issue where slapd failed to start due to the missing pwdMaxRecordedFailure attribute (bsc#1174537)

SUSE-CU-2020:398-1

This update for grep fixes the following issues:

• Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)

SUSE-CU-2020:372-1

This update for glibc fixes the following issues:

• Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178)
• nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130)
• Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100)

SUSE-CU-2020:369-1

This update for grep fixes the following issues:
Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)

SUSE-CU-2020:360-1

This update for systemd fixes the following issues:

• CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
• Renamed the persistent link for ATA devices (bsc#1164538)
• shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
• tmpfiles: removed unnecessary assert (bsc#1171145)
• pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
• manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
• coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
• udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
• libblkid: open device in nonblock mode. (bsc#1084671)
• udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

This update for permissions fixes the following issues:

• Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

This update for openldap2 fixes the following issues:

• CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).
• Changed DB_CONFIG to root:ldap permissions (bsc#1172704).
• Fixed an issue where slapd becomes unresponsive after many failed login/bind attempts(bsc#1170715).

SUSE-CU-2020:357-1

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

SUSE-CU-2020:348-1

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
• Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

SUSE-CU-2020:194-1

This update for adns fixes the following issues:

• CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265).
• CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265).
• CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
• CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

SUSE-CU-2020:189-1

This update for audit fixes the following issues:

• Fix hang on startup. (bsc#1156159)
• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

SUSE-CU-2020:185-1

This update for glibc fixes the following issue:

• nptl: wait for pending setxid request also in detached thread (bsc#1162930)

SUSE-CU-2020:175-1

This update for coreutils fixes the following issues:
-Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

SUSE-CU-2020:160-1

This update for openldap2 fixes the following issues:

• CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

SUSE-CU-2020:156-1

This update for libgcrypt fixes the following issues:

• FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

This update for glibc fixes the following issues:

• fork: Remove bogus parent PID assertions to avoid hangs (bsc#1162721)

SUSE-CU-2020:117-1

This update for e2fsprogs fixes the following issues:

• e2fsck: clarify overflow link count error message (bsc#1160979)
• ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
• ext2fs: implement dir entry creation in htree directories (bsc#1160979)
• tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
• tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

SUSE-CU-2020:109-1

This update for openldap2 fixes the following issue:

• The openldap2-ppolicy-check-password plugin is now included (FATE#319461 bsc#1168195)

SUSE-CU-2020:103-1

This update for p11-kit fixes the following issues:

• tag this version with 'p11-kit-tools-supports-CKA_NSS_MOZILLA_CA_POLICY' provides so we can pull it in. (bsc#1165915 bsc#1165919)

This update for glibc fixes the following issues:

• CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).
• CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
• CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784).
• Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834)
• Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. (bsc#1157893, BZ #25226)

This update for pam fixes the following issues:

• Moved pam_userdb to a separate package pam-extra (bsc#1166510)

SUSE-CU-2020:88-1

This update for ca-certificates-mozilla fixes the following issues:
This reverts a previous change to the generated pem structure, as it require a p11-kit tools update installed first, which can not always ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

This update for suse-build-key fixes the following issues:

• created a new security_at_suse.de key for email communication (bsc#1166334)

SUSE-CU-2020:82-1

This update for permissions fixes the following issues:

• CVE-2020-8013: Fixed an improper check which could have allowed the setting of unintented setuid bits (bsc#1163922).
• Fixed handling of relative directory symlinks in chkstat.
• Whitelisted postgres sticky directories (bsc#1123886).
• Fixed regression where chkstat broke when /proc was not available (bsc#1160764, bsc#1160594)
• Fixed capability handling when doing multiple permission changes at once (bsc#1161779)

SUSE-CU-2020:79-1

This update for ca-certificates-mozilla fixes the following issues:
The following non-security bugs were fixed:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:

• Certplus Class 2 Primary CA
• Deutsche Telekom Root CA 2
• CN=Swisscom Root CA 2
• UTN-USERFirst-Client Authentication and Email

• Entrust Root Certification Authority - G4

• Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
• Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
• Use %license instead of %doc (bsc#1082318).
• Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

SUSE-CU-2020:75-1

This update for cyrus-sasl fixes the following issues:

• Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)
• Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)

SUSE-CU-2020:69-1

This update for elfutils fixes the following issues:

• Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
• Fix for '.ko' file corruption in debug info. (bsc#1110929)

SUSE-CU-2020:60-1

This update for p11-kit fixes the following issues:

• Support loading NSS attribute 'CKA_NSS_MOZILLA_CA_POLICY' so Firefox detects built-in certificates. (bsc#1154871)

SUSE-CU-2020:56-1

This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set.

For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants.
Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

SUSE-CU-2020:52-1

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

SUSE-CU-2020:46-1

This update for systemd fixes the following issues:

• CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.

• Unconfirmed fix for prevent hanging of systemctl during restart. (bsc#1139459)
• Fix warnings thrown during package installation. (bsc#1154043)
• Fix for system-udevd prevent crash within OES2018. (bsc#1151506)
• Fragments of masked units ought not be considered for 'NeedDaemonReload'. (bsc#1156482)
• Wait for workers to finish when exiting. (bsc#1106383)
• Improve log message when inotify limit is reached. (bsc#1155574)
• Mention in the man pages that alias names are only effective after command 'systemctl enable'. (bsc#1151377)
• Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)

SUSE-CU-2020:29-1

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Reduces the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
• Update logic for JRE_HOME variable. (bsc#1128246)
• Restore old position of ssh/sudo source of profile. (bsc#1118364)
• Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
• Generalize testing for JVM system variables supporting other shells when creating the java path. (boo#1157794)

SUSE-CU-2020:23-1

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

SUSE-CU-2020:16-1

This update for libgcrypt fixes the following issues:

• Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
• Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)

SUSE-CU-2020:8-1

This update for libzypp fixes the following issues:
Security issue fixed:

• CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

SUSE-CU-2020:3-1

This update for openssl-1_0_0 fixes the following issues:
Security issue fixed:

• CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

SUSE-CU-2019:671-1

This update for elfutils fixes the following issues:

• Add require of 'libebl1' for 'libelf1'. (bsc#1151577)

This update for ncurses fixes the following issues:

• Work around a bug of old upstream gen-pkgconfig (bsc#1159162)
• Remove doubled library path options (bsc#1159162)
• Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
• Fix last change, that is add missed library linker paths as well as missed include directories for none standard paths (bsc#1158586, bsc#1159162)
• Do not mix include directories of different ncurses ABI (bsc#1158586)

SUSE-CU-2019:670-1

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

SUSE-CU-2019:669-1

This update for permissions fixes the following issues:
Security issues fixed:

• CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
• CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).

• Corrected a badly constracted file which could have allowed treating of the shell environment as permissions files (bsc#1097665,bsc#1047247).
• Fixed a regression which caused sagmentation fault (bsc#1157198).

SUSE-CU-2019:668-1

SUSE-CU-2019:667-1