Container summary for suse/sles12sp5

SUSE-CU-2024:5336-1

This update for gcc13 fixes the following issues:

• Fixed parsing tzdata 2024b [gcc#116657]

SUSE-CU-2024:4641-1

This update for curl fixes the following issue:

• Make special characters in URL work with aws-sigv4 (bsc#1230516).

This update for SLES-release provides the following fix:

• Adjust the EOL date for the product.

SUSE-CU-2024:4574-1

This update for grep fixes the following issues:

• Don't assume that pcre_exec that returns PCRE_ERROR_NOMATCH leaves its sub argument alone (bsc#1227099)

SUSE-CU-2024:4301-1

SUSE-CU-2024:4197-1

This update for expat fixes the following issues:

• CVE-2024-45492: Detect integer overflow in function nextScaffoldPart. (bsc#1229932)
• CVE-2024-45491: Detect integer overflow in dtdCopy. (bsc#1229931)
• CVE-2024-45490: Reject negative len for XML_ParseBuffer. (bsc#1229930)

This update for pam fixes the following issues:

• Prevent cursor escape from the login prompt (bsc#1194818)

This update for curl fixes the following issues:

• CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)

SUSE-CU-2024:3918-1

This update for util-linux fixes the following issue:

• agetty: Prevent login cursor escape (bsc#1194818).

SUSE-CU-2024:3881-1

This update for util-linux fixes the following issues:

• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• fix Xen virtualization type misidentification.

This update for systemd fixes the following issues:

• Dynamically allocate the receive buffer (bsc#1226095)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138, bsc#1227227)

This update for expat fixes the following issues:

• CVE-2023-52425: denial of service (resource consumption) caused by processing large tokens (bsc#1219559)

This update for suse-build-key fixes the following issue:

• extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028 (bsc#1229339).

SUSE-CU-2024:3784-1

This update for curl fixes the following issues:

• CVE-2024-7264: Fixed out-of-bounds read in ASN.1 date parser GTime2str() (bsc#1228535)

SUSE-CU-2024:3488-1

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed TOCTOU race condition (bsc#916845)

SUSE-CU-2024:3421-1

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525) - Added: FIRMAPROFESIONAL CA ROOT-A WEB - Distrust: GLOBALTRUST 2020

• Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356) Added: - CommScope Public Trust ECC Root-01 - CommScope Public Trust ECC Root-02 - CommScope Public Trust RSA Root-01 - CommScope Public Trust RSA Root-02 - D-Trust SBR Root CA 1 2022 - D-Trust SBR Root CA 2 2022 - Telekom Security SMIME ECC Root 2021 - Telekom Security SMIME RSA Root 2023 - Telekom Security TLS ECC Root 2020 - Telekom Security TLS RSA Root 2023 - TrustAsia Global Root CA G3 - TrustAsia Global Root CA G4 Removed: - Autoridad de Certificacion Firmaprofesional CIF A62634068 - Chambers of Commerce Root - 2008 - Global Chambersign Root - 2008 - Security Communication Root CA - Symantec Class 1 Public Primary Certification Authority - G6 - Symantec Class 2 Public Primary Certification Authority - G6 - TrustCor ECA-1 - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign Class 2 Public Primary Certification Authority - G3

SUSE-CU-2024:3253-1

This update for zypper fixes the following issues:

• Show rpm install size before installing (bsc#1224771)

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

SUSE-CU-2024:3050-1

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

SUSE-CU-2024:3007-1

This update for libxml2 fixes the following issues:

• CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

SUSE-CU-2024:2913-1

This update for util-linux fixes the following issue:

• fix Xen virtualization type misidentification (bsc#1215918)

SUSE-CU-2024:2818-1

This update for libzypp, zypper fixes the following issues:

• CVE-2017-9271: Fixed proxy credentials written to log files (bsc#1050625).

• clean: Do not report an error if no repos are defined at all (bsc#1223971)

This update for gcc13 fixes the following issues:

• Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.
• Fixed unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Fix libgccjit-devel dependency, a newer shared library is OK.
• Fix libgccjit dependency, the corresponding compiler isn't required.
• Remove crypt and crypt_r interceptors in sanitizer. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Includes fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Includes fix for building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

SUSE-CU-2024:2603-1

This update for openldap2 fixes the following issue:

• Increase DH param minimums to 2048 bits (bsc#1220787)
• Null pointer deref in referrals as part of ldap_chain_response() (bsc#1217985)

SUSE-CU-2024:2500-1

SUSE-CU-2024:2180-1

This update for krb5 fixes the following issues:
Fixed inside previous release (v1.16.3-46.3.1):

• CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacked a server field (bsc#1189929).

SUSE-CU-2024:2124-1

This update for glibc fixes the following issues:

• nscd: Fixed use-after-free in addgetnetgrentX (BZ #23520)
• CVE-2024-33599: nscd: Fixed Stack-based buffer overflow in netgroup cache (bsc#1223423, BZ #31677)
• CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bsc#1223424, BZ #31678)
• CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bsc#1223424, BZ #31678)
• CVE-2024-33602: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, bsc#1223425, BZ #31680)
• CVE-2024-33602; Use time_t for return type of addgetnetgrentX (bsc#1223425)
• CVE-2024-2961: iconv: ISO-2022-CN-EXT: Fixed out-of-bound writes when writing escape sequence (bsc#1222992)

SUSE-CU-2024:2043-1

This update for container-suseconnect fixes the following issues:

• remove unnecessary packaging buildrequires (bsc#1220716)

• update to 2.5.0:

• update to 2.4.0 (jsc#PED-1710):

• strip binaries (removes 4MB/25% of the uncompressed size) (bsc#1186827)

SUSE-CU-2024:1786-1

This update for krb5 fixes the following issues:

• Fix warning executing %postun scriptlet (bsc#1223122)

SUSE-CU-2024:1647-1

This update for systemd fixes the following issues:

• util: improve comments why we ignore EACCES and EPERM
• util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed
• namespace: don't fail on masked mounts (bsc#1220285)
• man: Document ranges for distributions config files and local config files
• Recommend drop-ins over modifications to the main config file
• man: reword the description of 'main conf file'
• man: rework section about configuration file precedence
• man: document paths under /usr/local in standard-conf.xml

SUSE-CU-2024:1318-1

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall. (bsc#1221831)

SUSE-CU-2024:1301-1

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for krb5 fixes the following issues:

• CVE-2024-26458: Fixed a memory leak in pmap_rmt.c (bsc#1220770)
• CVE-2024-26461: Fixed a memory leak in k5sealv3.c (bsc#1220771)

This update for curl fixes the following issues:

• CVE-2024-2004: Fix the uUsage of disabled protocol logic. (bsc#1221665)
• CVE-2024-2398: Fix HTTP/2 push headers memory-leak. (bsc#1221667)

This update for nghttp2 fixes the following issues:

• CVE-2024-28182: Fixed denial of service via http/2 continuation frames (bsc#1221399)

SUSE-CU-2024:1101-1

This update for krb5 fixes the following issues:
This update updates krb5 to 1.16.3 (jsc#PED-7884).
Most relevant changes:

• Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will only created only for AES128 and AES256. This mitigates some types of password guessing attacks.
• Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.

SUSE-CU-2024:1018-1

This update for shadow fixes the following issues:

• Fix passwd segfault when nsswitch.conf defines 'files compat' (bsc#1188307)

SUSE-CU-2024:924-1

This update for libzypp fixes the following issues:

• applydeltaprm: Create target directory if it does not exist (bsc#1219442)
• Update to version 16.22.12

SUSE-CU-2024:879-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2024-0727: Denial of service when processing a maliciously formatted PKCS12 file (bsc#1219243).

This update for cpio fixes the following issues:

• Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)

SUSE-CU-2024:626-1

This update for libssh fixes the following issues:
Update to version 0.9.8 (jsc#PED-7719):

• Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
• Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
• Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
• Allow @ in usernames when parsing from URI composes

• Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm guessing (bsc#1211188)
• Fix CVE-2023-2283: a possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)
• Fix several memory leaks in GSSAPI handling code

• https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6

• CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
• Improve handling of library initialization (T222)
• Fix parsing of subsecond times in SFTP (T219)
• Make the documentation reproducible
• Remove deprecated API usage in OpenSSL
• Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
• Define version in one place (T226)
• Prevent invalid free when using different C runtimes than OpenSSL (T229)
• Compatibility improvements to testsuite

• https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
• Fix possible Denial of Service attack when using AES-CTR-ciphers CVE-2020-1730 (bsc#1168699)

• Fixed CVE-2019-14889 - SCP: Unsanitized location leads to command execution (bsc#1158095)
• SSH-01-003 Client: Missing NULL check leads to crash in erroneous state
• SSH-01-006 General: Various unchecked Null-derefs cause DOS
• SSH-01-007 PKI Gcrypt: Potential UAF/double free with RSA pubkeys
• SSH-01-010 SSH: Deprecated hash function in fingerprinting
• SSH-01-013 Conf-Parsing: Recursive wildcards in hostnames lead to DOS
• SSH-01-014 Conf-Parsing: Integer underflow leads to OOB array access
• SSH-01-001 State Machine: Initial machine states should be set explicitly
• SSH-01-002 Kex: Differently bound macros used to iterate same array
• SSH-01-005 Code-Quality: Integer sign confusion during assignments
• SSH-01-008 SCP: Protocol Injection via unescaped File Names
• SSH-01-009 SSH: Update documentation which RFCs are implemented
• SSH-01-012 PKI: Information leak via uninitialized stack buffer

• Fixed libssh-config.cmake
• Fixed issues with rsa algorithm negotiation (T191)
• Fixed detection of OpenSSL ed25519 support (T197)

• Added support for Ed25519 via OpenSSL
• Added support for X25519 via OpenSSL
• Added support for localuser in Match keyword
• Fixed Match keyword to be case sensitive
• Fixed compilation with LibreSSL
• Fixed error report of channel open (T75)
• Fixed sftp documentation (T137)
• Fixed known_hosts parsing (T156)
• Fixed build issue with MinGW (T157)
• Fixed build with gcc 9 (T164)
• Fixed deprecation issues (T165)
• Fixed known_hosts directory creation (T166)

• Added support for AES-GCM
• Added improved rekeying support
• Added performance improvements
• Disabled blowfish support by default
• Fixed several ssh config parsing issues
• Added support for DH Group Exchange KEX
• Added support for Encrypt-then-MAC mode
• Added support for parsing server side configuration file
• Added support for ECDSA/Ed25519 certificates
• Added FIPS 140-2 compatibility
• Improved known_hosts parsing
• Improved documentation
• Improved OpenSSL API usage for KEX, DH, and signatures

• Add libssh client and server config files

This update for libxml2 fixes the following issues:

• CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

SUSE-CU-2024:383-1

This update for cpio fixes the following issues:

• CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571).

SUSE-CU-2024:301-1

This update for systemd fixes the following issues:

• man: document that PAMName= and NotifyAccess=all don't mix well
• man: add brief documentation for the (sd-pam) processes created due to PAMName=
• service: accept the fact that the three xyz_good() functions return ints
• service: drop _pure_ decorator on static function
• service: a cgroup empty notification isn't reason enough to go down (bsc#1212207)
• service: add explanatory comments to control_pid_good() and cgroup_good()
• service: fix main_pid_good() comment
• utmp-wtmp: handle EINTR gracefully when waiting to write to tty
• utmp-wtmp: fix error in case isatty() fails
• sd-netlink: handle EINTR from poll() gracefully, as success
• stdio-bridge: don't be bothered with EINTR
• sd-bus: handle -EINTR return from bus_poll() (bsc#1215241)
• libsystemd: ignore both EINTR and EAGAIN
• errno-util: introduce ERRNO_IS_TRANSIENT()
• man/systemd-fsck@.service: clarify passno and noauto combination in /etc/fstab (bsc#1211725)
• units/initrd-parse-etc.service: Conflict with emergency.target
• umount: /usr/ should never be unmounted regardless of HAVE_SPLIT_USR or not (bsc#1211576)
• core/mount: Don't unmount initramfs mounts
• man: describe that changing Storage= does not move existing data

SUSE-CU-2024:299-1

This update for ca-certificates fixes the following issues:

• Invoke trust with the --overwrite option when running update-ca-certificates (bsc#1216685)

SUSE-CU-2024:268-1

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).

SUSE-CU-2024:153-1

This update for libzypp, zypper fixes the following issues:

• Touch /run/reboot-needed if a patch suggesting a reboot was installed (bsc#1217948)
• Backport needs-rebooting command from Code15 (bsc#1217948)

SUSE-CU-2023:4324-1

This update for procps fixes the following issue:

• Avoid SIGSEGV in case of sending SIGTERM to a top command running in batch mode (bsc#1216825)

SUSE-CU-2023:4286-1

This update for curl fixes the following issues:

• libssh: Implement SFTP packet size limit (bsc#1216987)

SUSE-CU-2023:4240-1

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)

SUSE-CU-2023:4191-1

This update for pam fixes the following issue:

• Add no_pass_expiry option to ignore password expiration (bsc#1215594)

SUSE-CU-2023:4098-1

This update for libzypp fixes the following issues:

• Fixed handling of unmounting media. It mitigates the mount change during a package installation, for examlple a nfs.service restart that forcefully unmounts the media being accessed (bsc#1216064)
• Don't download sqlite metadata that is not needed

SUSE-CU-2023:4044-1

This update for curl fixes the following issues:

• CVE-2023-46218: Fixed cookie mixed case PSL bypass (bsc#1217573).
• CVE-2023-46219: HSTS long file name clears contents (bsc#1217574).

SUSE-CU-2023:3844-1

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

SUSE-CU-2023:3692-1

SUSE-CU-2023:3658-1

SUSE-CU-2023:3582-1

This update for nghttp2 fixes the following issues:

• CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

SUSE-CU-2023:3418-1

This update for shadow fixes the following issues:

• CVE-2023-4641: Fixed potential password leak (bsc#1214806).

This update for curl fixes the following issues:

• CVE-2023-38545: Fixed a heap buffer overflow in SOCKS5. (bsc#1215888)
• CVE-2023-38546: Fixed a cookie injection with none file. (bsc#1215889)

This update of glibc fixes the following issues:
Security issue fixed:

• CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

• S390: Fix relocation of _nl_current_LC_CATETORY_used in static build (bsc#1215504, BZ #19860)
• added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

SUSE-CU-2023:3214-1

This update for nghttp2 fixes the following issues:

• CVE-2023-35945: Fixed memory leak when PUSH_PROMISE or HEADERS frame cannot be sent (bsc#1215713).

This update for gpg2 fixes the following issues:

• CVE-2018-9234: Fixed unenforced configuration allows for apparently valid certifications actually signed by signing subkeys (bsc#1088255).

SUSE-CU-2023:3096-1

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed not deterministic hashing of empty dict strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL dereference in xmlSchemaFixupComplexType (bsc#1210411).
• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).
• CVE-2016-3709: Fixed cross-site scripting vulnerability in libxml (bsc#1201978).

This update for curl fixes the following issues:

• CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

SUSE-CU-2023:2817-1

This update for krb5 fixes the following issues:

• CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email Protection Root R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1

This update for procps fixes the following issues:
- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

SUSE-CU-2023:2723-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

SUSE-CU-2023:2625-1

This update for insserv-compat fixes the following issues:

• Remove not needed named entry from insserv.conf (bsc#1052837, bsc#1212955)

SUSE-CU-2023:2575-1

This update for util-linux fixes the following issues:

• CVE-2018-7738: Fixed shell code injection in umount bash-completions. (bsc#1213865, bsc#1084300)

SUSE-CU-2023:2476-1

This update for openssl-1_0_0 fixes the following issues:
- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

SUSE-CU-2023:2384-1

This update for curl fixes the following issues:

• CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237).

This update for perl fixes the following issues:
- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

SUSE-CU-2023:2339-1

This update for coreutils fixes the following issues:

• Avoid failure in case SELinux is disabled. (bsc#1212999)

SUSE-CU-2023:2211-1

This update for libcap fixes the following issues:

• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for libzypp fixes the following issues:

• curl: Trim user agent and custom header strings (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. Violation results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
• version 16.22.8 (0)

SUSE-CU-2023:2193-1

This update for gcc12 fixes the following issues:
Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204, containing lots of bugfixes and improvements.

• Speed up builds with --enable-link-serialization.
• Update embedded newlib to version 4.2.0

SUSE-CU-2023:2108-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).

SUSE-CU-2023:1874-1

This update for openldap2 fixes the following issues:

• CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

SUSE-CU-2023:1780-1

This update for util-linux fixes the following issues:

• Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)

SUSE-CU-2023:1728-1

This update for krb5 fixes the following issues:

• Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix (bsc#1211411)

SUSE-CU-2023:1664-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

SUSE-CU-2023:1620-1

This update for curl adds the following feature:
Update to version 8.0.1 (jsc#PED-2580)

• CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
• CVE-2023-28320: siglongjmp race condition (bsc#1211231).
• CVE-2023-28321: IDN wildcard matching (bsc#1211232).
• CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).

This update for libzypp, zypper fixes the following issues:

• Removing a PTF without enabled repos should always fail (bsc#1203248)
• zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
• Add expert (allow-*) options to all installer commands (bsc#428822)

• Provide 'removeptf' command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. But you don't want the dependant packages to be removed together with the PTF, which is what the remove command would do. The removeptf command however will aim to replace the dependant packages by their official update versions.

This update for zlib fixes the following issues:

• Fix crash when calling deflateBound() function (bsc#1210593)

SUSE-CU-2023:1581-1

SUSE-CU-2023:1469-1

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

SUSE-CU-2023:1372-1

This update for shadow fixes the following issues:

• CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

SUSE-CU-2023:1306-1

This update for libxml2 fixes the following issues:

• CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
• CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).

SUSE-CU-2023:1287-1

This update for zlib fixes the following issues:

• Add support for small windows in IBM Z hardware-accelerated deflate (bsc#1206513)

SUSE-CU-2023:1273-1

This update for permissions fixes the following issues:

• mariadb: settings for new auth_pam_tool (bsc#1160285)

SUSE-CU-2023:1187-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
• CVE-2023-0466: Certificate policy check were not enabled (bsc#1209873).

SUSE-CU-2023:875-1

This update for openssl-1_0_0 fixes the following issues:
Security fixes:

• CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

• Fix DH key generation in FIPS mode, add support for constant BN for DH parameters (bsc#1202062)

SUSE-CU-2023:824-1

This update for systemd fixes the following issues:

• CVE-2023-26604: Fixed a privilege escalation via the less pager. (bsc#1208958)

SUSE-CU-2023:766-1

This update for curl fixes the following issues:

• CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
• CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
• CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
• CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
• CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).

SUSE-CU-2023:345-1

This update for curl fixes the following issues:

• CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

SUSE-CU-2023:296-1

This update for krb5 fixes the following issues:

• Update logrotate script, call systemd to reload the services instead of init-scripts. (bsc#1206152)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
• CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
• CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

• testsuite: Update further expiring certificates that affect tests [bsc#1201627]

SUSE-CU-2023:222-1

This update for zlib fixes the following issues:

• Follow up fix for bug bsc#1203652 due to libxml2 issue

SUSE-CU-2023:152-1

This update for util-linux fixes the following issues:

• Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

SUSE-CU-2023:113-1

This update for systemd fixes the following issues:
Fixing the following issues:

• units: restore RemainAfterExit=yes in systemd-vconsole-setup.service
• vconsole-setup: don't concat strv if we don't need to (i.e. not in debug log mode)
• vconsole-setup: add more log messages
• units: restore Before dependencies for systemd-vconsole-setup.service
• vconsole-setup: add lots of debug messages
• Add enable_disable() helper
• vconsole: correct kernel command line namespace
• vconsole: Don't do static installation under sysinit.target
• vconsole: use KD_FONT_OP_GET/SET to handle copying (bsc#1181636)
• vconsole: updates of keyboard/font loading functions
• vconsole: Add generic is_*() functions
• vconsole: add two new toggle functions, remove old enable/disable ones
• vconsole: copy font to 63 consoles instead of 15
• vconsole: add log_oom() where appropriate
• vconsole-setup: Store fonts on heap (#3268)
• errno-util: add new errno_or_else() helper

• CVE-2022-4415: coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000).

SUSE-CU-2023:19-1

This update for libksba fixes the following issues:

• CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).

SUSE-CU-2022:3458-1

This update for ca-certificates-mozilla fixes the following issues:

• Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)

• Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1

This update for systemd fixes the following issues:

• CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

• Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

SUSE-CU-2022:3421-1

This update for curl fixes the following issues:

• CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

SUSE-CU-2022:3342-1

This update for libzypp fixes the following issues:
Update to version 16.22.5:

• properly reset range requests (bsc#1204548)

SUSE-CU-2022:3314-1

This update for krb5 fixes the following issues:

• CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

SUSE-CU-2022:3232-1

This update for systemd fixes the following issues:

• CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).

• Import commit 417bb0944e035969594fff83a3ab9c2ca9a56234 * 20743c1a44 logind: fix crash in logind on user-specified message string * b971b5f085 tmpfiles: check the directory we were supposed to create, not its parent * 2850271ea6 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call * 3d3bd5fc8d systemd --user: call pam_loginuid when creating user@.service (#3120) (bsc#1198507) * 4b56c3540a parse-util: introduce pid_is_valid() * aa811a4c0c systemd-detect-virt: refine hypervisor detection (#7171) (bsc#1197244)

SUSE-CU-2022:3231-1

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Toolchain Module.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

SUSE-CU-2022:3156-1

This update for openldap2 fixes the following issues:

• Resolve broken symlinks in documentation (bsc#1203320)

SUSE-CU-2022:3013-1

This update for util-linux fixes the following issues:

• Integrate pam_keyinit PAM module (bsc#1201354, bsc#1081947)

SUSE-CU-2022:2974-1

This update for rpm fixes the following issues:

• Fixed PGP parsing bugs (bsc#1185299).
• Fixed various format handling bugs (bsc#996280).
• CVE-2021-3421: Fixed vulnerability where unsigned headers could be injected into the rpm database (bsc#1183543).
• CVE-2021-20271: Fixed vulnerability where a corrupted rpm could corrupt the rpm database (bsc#1183545).
• CVE-2021-20266: Fixed missing bounds check in hdrblobInit (bsc#1183632).

• Fixed deadlock when multiple rpm processes tried to acquire the database lock (bsc#1183659).

This update for glibc fixes the following issues:

• CVE-2015-8985: Fixed assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

• x86: fix stack alignment in pthread_cond_[timed]wait (bsc#1196852)
• Recognize ppc64p7 arch to build for power7

This update for zlib fixes the following issues:

• Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

SUSE-CU-2022:2874-1

This update for openssl-1_0_0 fixes the following issues:

• Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)

SUSE-CU-2022:2832-1

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

SUSE-CU-2022:2780-1

This update for libtasn1 fixes the following issues:

• CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690).

SUSE-CU-2022:2737-1

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)

SUSE-CU-2022:2733-1

This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

SUSE-CU-2022:2712-1

This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

SUSE-CU-2022:2628-1

This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

SUSE-CU-2022:2407-1

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

SUSE-CU-2022:2353-1

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

• Add capability for prometheus-blackbox_exporter (bsc#1191194).
• Make btmp root:utmp (bsc#1050467).

This update for libgcrypt fixes the following issues:

• FIPS: Auto-initialize drbg if needed. (bsc#1200095)

SUSE-CU-2022:2047-1

This update for util-linux fixes the following issues:

• su: Change owner and mode for pty (bsc#1200842)
• agetty: Resolve tty name even if stdin is specified (bsc#1197178)
• libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
• mesg: use only stat() to get the current terminal status (bsc#1200842)

This update for curl fixes the following issues:

• CVE-2022-35252: Fixed a potential injection of control characters into cookies, which could be exploited by sister sites to cause a denial of service (bsc#1202593).

This update for keyutils fixes the following issues:

• Apply default TTL to DNS records from getaddrinfo() (bsc#1201929)

This update for ca-certificates-mozilla fixes the following issues:
Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)

• Added:

• Removed:

• Added:

• Removed:

• Added CAs:

• Added new root CAs:

• Removed old root CAs:

SUSE-CU-2022:1909-1

This update for openldap2 fixes the following issues:

• Prevent memory reuse which may lead to instability (bsc#1198341)

SUSE-CU-2022:1883-1

This update for p11-kit fixes the following issues:

• CVE-2020-29362: Fixed a 4 byte overread that could lead to crashes (bsc#1180065)

SUSE-CU-2022:1864-1

This update for zlib fixes the following issues:

• CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

SUSE-CU-2022:1782-1

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

SUSE-CU-2022:1619-1

This update for gpg2 fixes the following issues:

• CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225).

SUSE-CU-2022:1534-1

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

SUSE-CU-2022:1410-1

This update for curl fixes the following issues:

• CVE-2022-32206: HTTP compression denial of service (bsc#1200735)
• CVE-2022-32208: FTP-KRB bad message verification (bsc#1200737)

SUSE-CU-2022:1398-1

This update for openssl fixes the following issues:

• CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

SUSE-CU-2022:1331-1

This update for zypper fixes the following issues:

• Improve return codes. (bsc#1198139)
• info: Fix SEGV with not installed PTFs. (bsc#1196317)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

SUSE-CU-2022:1267-1

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• Fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• Fixes issue with debug dumping together with -o /dev/null
• Fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

SUSE-CU-2022:1208-1

This update for audit fixes the following issues:

• Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)

SUSE-CU-2022:1160-1

This update for libxml2 fixes the following issues:

• CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c and tree.c (bsc#1199132).
• CVE-2017-16932: Prevent infinite recursion in parameter entities (bsc#1069689).

SUSE-CU-2022:1133-1

This update for curl fixes the following issues:

• CVE-2022-27781: Fixed CERTINFO never-ending busy-loop (bsc#1199223)
• CVE-2022-27782: Fixed TLS and SSH connection too eager reuse (bsc#1199224)

SUSE-CU-2022:1121-1

This update for openldap2 fixes the following issues:

• CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).
• Fixed issue with SASL init that crashed slapd at startup under certain conditions (bsc#1198383).

SUSE-CU-2022:1055-1

This update for e2fsprogs fixes the following issues:

• CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

This update for augeas fixes the following issues:

• Fix handling of keywords in new sysctl.conf (bsc#1197443)

SUSE-CU-2022:1020-1

This update for curl fixes the following issues:

• CVE-2022-27776: Fixed Auth/cookie leak on redirect (bsc#1198766)
• CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

This update for systemd syncs internal package requirements, but has otherwise no code or functional changes compared to the last update. (bsc#1199273)

SUSE-CU-2022:683-1

This update for libxml2 fixes the following issues:

• CVE-2022-23308: Fixed use-after-free of ID and IDREF attributes. (bsc#1196490)

SUSE-CU-2022:637-1

SUSE-CU-2022:636-1

This update for bash fixes the following issues:

• Fix memory leak in array asignment (bsc#1197674)

SUSE-CU-2022:622-1

This update for libsolv, libzypp fixes the following issues:

• fix memory leaks in SWIG generated code
• fix misparsing with libxml2
• try to keep packages from a cycle close togther in the transaction order (bsc#1189622)
• fix split provides not working if the update includes a forbidden vendor change (bsc#1195485)
• fix segfault on conflict resolution when using bindings
• do not replace noarch problem rules with arch dependent one in problem reporting
• fix and simplify pool_vendor2mask implementation
• Hint on ptf resolver conflicts (bsc#1194848)
• Fix package signature check (bsc#184501) Pay attention that header and payload are secured by a valid. signature and report more detailed which signature is missing.
• Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.

SUSE-CU-2022:600-1

This update for ca-certificates, p11-kit fixes the following issues:
Changes in p11-kit:

• call update-ca-certificates in post to make sure certs are regenerated even if ca-certificates was installed before p11-kit for whatever reason (bsc#1196443)
• make sure p11-kit components have matching versions (bsc#1196812)

• Require p11-kit-tools > 0.23.1 as older versions don't support pem-directory-hash (bsc#1196443, bsc#1196812)

SUSE-CU-2022:599-1

This update for xz fixes the following issues:

• CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

This update for systemd fixes the following issues:

• Core: make sure we always free the list of changes
• Install: correctly report symlink creations
• Core: make sure we generate a nicer error when a linked unit is attempted to be enabled
• Install: unify checking whether operations may be applied to a unit file in a new function
• Install: fix errno handling
• Allow 'edit' and 'cat' on unloaded units
• Don't open /var journals in volatile mode when runtime_journal==NULL
• udev: handle duplicate device ID (bsc#1195529)
• man: tweak description of auto/noauto (bsc#1191502)
• systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
• systemctl: exit with 1 if no unit files found (bsc#1193841)
• umount: show correct error message
• core/umount: fix unitialized fields in MountPoint
• umount: Add more asserts and remove some unused arguments, fix memory leak
• mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
• busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)

SUSE-CU-2022:511-1

SUSE-CU-2022:510-1

This update for util-linux fixes the following issues:

• Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
• Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
• Warn if uuidd lock state is not usable. (bsc#1194642)
• Fix 'su -s' bash completion. (bsc#1172427)

SUSE-CU-2022:509-1

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

SUSE-CU-2022:441-1

This update for pcre fixes the following issue:

• Add devel package to HA channels. (bsc#1196187)

This update for zlib fixes the following issues:

• CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

SUSE-CU-2022:282-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).
• Allow CRYPTO_THREADID_set_callback to be called with NULL parameter (bsc#1196249).

SUSE-CU-2022:281-1

This update for expat fixes the following issues:

• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

SUSE-CU-2022:275-1

This update for suse-build-key fixes the following issues:

• Extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
• Added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
• Extended expiry of SUSE SLES11 key (bsc#1194845)
• Added SUSE Contaner signing key in PEM format for use e.g. by cosign.
• SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
• Removed old security key.

SUSE-CU-2022:245-1

This update for cyrus-sasl fixes the following issues:

• CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

SUSE-CU-2022:186-1

This update for expat fixes the following issues:

• CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
• CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

This update for openldap2 fixes the following issues:

• Resolve double free in sssvlv overlay (bsc#1193296).

This update for coreutils fixes the following issues:

• Remove problematic special leaf optimization cases for XFS that can lead to du crashes. (bsc#1190354)

SUSE-CU-2022:177-1

glibc was updated to fix the following issues:
Security issues fixed:

• CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
• CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
• CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

• Make endian-conversion macros always return correct types (bsc#1193478, BZ #16458)
• Allow dlopen of filter object to work (bsc#1192620, BZ #16272)
• x86: fix stack alignment in cancelable syscall stub (bsc#1191835)

SUSE-CU-2022:116-1

This update contains a major security update for Samba.

samba has received security fixes:

• CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share (bsc#1193690);
• CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution (bsc#1194859);
• CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services (bsc#1195048);

• CVE-2021-43566: Symlink race error can allow directory creation outside of the exported share; (bso#13979); (bsc#1139519);
• CVE-2021-20316: Symlink race error can allow metadata read and modify outside of the exported share; (bso#14842); (bsc#1191227);

• Build samba with embedded talloc, pytalloc, pytalloc-util, tdb, pytdb, tevent, pytevent, ldb, pyldb and pyldb-util libraries. The tdb and ldb tools are installed in /usr/lib[64]/samba/bin and their manpages in /usr/lib[64]/samba/man

• Duplicate SMB file_ids leading to Windows client cache poisoning; (bso#14928);
• Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error - NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
• kill_tcp_connections does not work; (bso#14934);
• Can't connect to Windows shares not requiring authentication using KDE/Gnome; (bso#14935);
• smbclient -L doesn't set 'client max protocol' to NT1 before calling the 'Reconnecting with SMB1 for workgroup listing' path; (bso#14939);
• Cross device copy of the crossrename module always fails; (bso#14940);
• symlinkat function from VFS cap module always fails with an error; (bso#14941);
• Fix possible fsp pointer deference; (bso#14942);
• Missing pop_sec_ctx() in error path inside close_directory(); (bso#14944);
• 'smbd --build-options' no longer works without an smb.conf file; (bso#14945);

• Reorganize libs packages. Split samba-libs into samba-client-libs, samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba public libraries depending on internal samba libraries into these packages as there were dependency problems everytime one of these public libraries changed its version (bsc#1192684). The devel packages are merged into samba-devel.
• Rename package samba-core-devel to samba-devel
• Update the symlink create by samba-dsdb-modules to private samba ldb modules following libldb2 changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

• Build with the newer samba versions; (jsc#SLE-23330);
• Fix a dependency loop by moving internal libraries to sssd-common package; (bsc#1182058);

• Fix forking issues with libffi
• Fix various crashes in corner cases
• Updated translations
• Build fixes

• Fix multiple integer overflows in rpc code (bsc#1180064 CVE-2020-29361):
• Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993)

• p11-kit 0.23.1 supports pem-directory-hash. (jsc#SLE-23330)

• libnettle 3.1 and gnutls 3.4.17 as parallel libraries to meet the requires of the newer samba.

• Update samba apparmor profiles for samba 4.15 (jsc#SLE-23330);

• With latest versions of samba (>=4.15.0) calling 'net ads lookup' with '-U%' fails; (boo#1193533).
• yast-samba-client fails to join if /etc/samba/smb.conf or /etc/krb5.conf don't exist; (bsc#1089938)
• Do not stop nmbd while nmbstatus is running, it is not necessary anymore; (bsc#1158916);

SUSE-CU-2022:61-1

SUSE-CU-2022:60-1

This update for expat fixes the following issues:

• CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
• CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
• CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
• CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
• CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
• CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
• CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
• CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).

SUSE-CU-2022:5-1

SUSE-CU-2022:4-1

This update for libgcrypt fixes the following issues:

• Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

SUSE-CU-2021:618-1

This update for curl fixes the following issues:

• libcurl-devel: Add an explicit dependency on libnghttp2-devel since its not autodetected (bsc#1193483)

SUSE-CU-2021:592-1

This update for bash fixes the following issues:

• Fixed and issue when 'setuid' causing permission denied on 'popen'. (bsc#1192785)

SUSE-CU-2021:590-1

This update for openssl-1_0_0 fixes the following issues:

• Fix parameters by name ffdheXXXX and modp_XXXX sometimes result in 'not found' (bsc#1190885)
• Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameter (bsc#1180995)

SUSE-CU-2021:584-1

This update for zlib fixes the following issues:

• Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

SUSE-CU-2021:577-1

This update for curl fixes the following issues:

• Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

This update for nghttp2 fixes the following issue:

• libnghttp2-devel was missing from the SDK. (bsc#1192681)

SUSE-CU-2021:554-1

SUSE-CU-2021:553-1

This update for permissions fixes the following issues:
Update to version 20170707:

• add capability for prometheus-blackbox_exporter (bsc#1191194)

This update for bzip2 fixes the following issues:

• Enables build time tests of bzip2. (bsc#1191648)

SUSE-CU-2021:544-1

SUSE-CU-2021:543-1

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

SUSE-CU-2021:539-1

SUSE-CU-2021:538-1

This optional update for cracklib fixes the following issue:

• Execute the test while building the package. (bsc#1191736)

SUSE-CU-2021:512-1

This update for pam fixes the following issues:

• pam_cracklib: backported code to check whether the password contains a substring of of the user's name of at least characters length in some form from SLE-15. (jsc#SLE-22182)

SUSE-CU-2021:499-1

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973).
• CVE-2017-7244: Fixed invalid read in _pcre32_xclass() (bsc#1030807).
• CVE-2017-7245: Fixed buffer overflow in the pcre32_copy_substring (bsc#1030805).
• CVE-2017-7246: Fixed another buffer overflow in the pcre32_copy_substring (bsc#1030803).
• CVE-2017-7186: Fixed denial of service caused by an invalid Unicode property lookup (bsc#1030066).
• CVE-2017-6004: Fixed denial of service via crafted regular expression (bsc#1025709).

SUSE-CU-2021:493-1

This update for systemd fixes the following issues:

• machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
• Add timestamp to D-Bus events to improve traceability. (jsc#SLE-21894)
• busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225, jsc#SLE-21894)
• sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (bsc#1191399)
• basic/unit-name: do not use strdupa() on a path (bsc#1188063, CVE-2021-33910)
• logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
• units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
• Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
• Avoid the error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291)
• Allow systemd sysusers config files to be overriden during system installation (bsc#1171962)

SUSE-CU-2021:486-1

SUSE-CU-2021:464-1

This update of cjose, cyrus-sasl, flac, libarchive, libesmtp, libevent, libgit2, libgt, liboauth, librdkafka, libserv, libssh2_org, openslp and xmlsec1 rebuilds the packages with a symbol versioned openssl, to allow later migration to a TLS 1.3 enabled openssl 1.1.1.
This update contains no other functional changes.

SUSE-CU-2021:458-1

SUSE-CU-2021:453-1

This update for libsolv, libzypp, zypper fixes the following issues:

• Turn on rich dependency handling needed for ptf support. (bsc#1190530)
• Rebuild all caches to make sure rich dependency handling is enabled. (bsc#1190530)
• Fix solver jobs for PTFs. (bsc#1186503)
• Add support for PTFs. (jsc#SLE-17973, jsc#SLE-17974)
• Identify well-known category names for better sorting. (bsc#1179847)
• Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
• Don't probe for plaindir repo if URL schema is plugin. (bsc#1191286)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)

SUSE-CU-2021:429-1

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

SUSE-CU-2021:428-1

This update for util-linux fixes the following issues:

• CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

SUSE-CU-2021:421-1

SUSE-CU-2021:395-1

SUSE-CU-2021:393-1

SUSE-CU-2021:392-1

SUSE-CU-2021:391-1

This update for glibc fixes the following issues:

• CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories.
Changes done in GCC11 are documented on:
https://gcc.gnu.org/gcc-11/changes.html
This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler.
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for curl fixes the following issues:

• CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
• CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

SUSE-CU-2021:376-1

SUSE-CU-2021:367-1

SUSE-CU-2021:359-1

This update for ca-certificates-mozilla fixes the following issues:

• remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in SUSE Linux Enterprise 12 and older. (bsc#1190858)

SUSE-CU-2021:348-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).

Create update to release base-container-licenses to fix bsc#1189738

Create update to release base-container-licenses to fix bsc#1189738

Create update to release base-container-licenses to fix bsc#1189738

SUSE-CU-2021:296-1

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]

This update for bzip2 fixes the following issues:

• Disable a optimization that caused crashes with libarchive due to uninitialized memory. (bsc#1188891)
• Fixed bashisms in bzgrep and bznew

This update for cracklib fixes the following issue:

• Provide 'cracklib-dict-small' to SUSE Linux Enterprise Server 12-SP5 (bsc#1188698)

This update for file fixes the following issues:

• CVE-2019-18218: Fixed heap-based buffer overflow in cdf_read_property_info in cdf.c (bsc#1154661).