Container summary for suse/ltss/sle12.5/sles12sp5

This update for aaa_base provides the following fixes:

• Support changing PS1 even for mksh and user root. (bsc#1036895)
• Unset unused variables on profile files. (bsc#1049577)
• Unset id in csh.cshrc instead of profile.csh. (bsc#1049577)
• Allow that personal ~/.bashrc is read again. (bsc#1052182)
• Avoid that IFS becomes global in _ls ksh shell function. (bsc#1079674, bsc#1025743)
• Replace 'cat > file' by 'mv -f ... file' in pre/post to fix issues with clients having these files mmapped. (bsc#1038549)

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
• CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).

This update for libsolv, libzypp provides the following fixes:
Changes in libsolv:

• Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
• Also make use of suggests for ordering packages. (bsc#1077635)
• Fix bad assignment in solution refinement that led to a memory leak. (bsc#1075978)
• Use license tag instead of doc in the spec file. (bsc#1082318)

• Make sure the product file comes from /etc/products.d for the fallback product search. (bsc#1086602)
• Fix a memory leak in Digest.cc. (bsc#1075978)
• Add /var/lib/gdm to CheckAccessDeleted blacklist to prevent showing superfluous `zypper ps -s` messages. (bsc#1079991)

This update for rpm provides the following fixes:

• Fix find-lang.sh to handle special case of .qm file paths correctly. (bsc#1027925)
• Add %sle_version macro to suse_macros. (bsc#1003714)
• Added a %rpm_vercmp macro which accepts two versions as parameters and returns -1, 0, 1 if the first version is less than, equal or greater than the second version respectively.
• Added a %pkg_version macro that accepts a package or capability name as argument and returns the version number of the installed package. If no package provides the argument, it returns the string '~~~'.
• Added a %pkg_vcmp macro that accepts 3 parameters. The first parameter is a package name or provided capability name, the second argument is an operator ( < <= = >= > != ) and the third parameter is a version string to be compared to the installed version of the first argument.
• Added a %pkg_version_cmp macro which accepts a package or capability name as first argument and a version number as second argument and returns -1, 0, 1 or '~~~'. The number values have the same meaning as in %rpm_vercmp and the '~~~' string is returned if the package or capability can't be found. (bsc#1069934)

This update for gcc7 to 7.3 release fixes the following issues:

• Update to GCC 7.3 release and further updated to gcc-7-branch head (r258812).
• The Spectre v2 mitigation patch for s390x is now included. [bsc#1083946]
• Adds backport of x86 retpoline support via -mindirect-branch=, -mfunction-return= and friends. [bsc#1074621]
• Update includes a fix for chromium build failure. [bsc#1083290]
• Various AArch64 compile fixes are included:

• Revert the ios_base::failure ABI back to compatible behavior with the default ABI. [bsc#1087550]

• Fix nvptx offload target compiler install so GCC can pick up required files. Split out the newlib part into cross-nvptx-newlib7-devel and avoid conflicts with GCC 8 variant via Provides/Conflicts of cross-nvptx-newlib-devel.

This update for aaa_base fixes a regression which was introduced within the latest maintenance update cycle, where customized profiles were not sourced properly. (bsc#1088524)

This update for bash fixes the following issues:
Security issues fixed:

• CVE-2016-7543: A code execution possibility via SHELLOPTS+PS4 variable was fixed (bsc#1001299)
• CVE-2016-0634: Arbitrary code execution via malicious hostname was fixed (bsc#1000396)

• Fix repeating self-calling of traps due the combination of a non-interactive shell, a trap handler for SIGINT, an external process in the trap handler, and a SIGINT within the trap after the external process runs. (bsc#1086247)

This update for pam fixes the following issues:

• Fix order of accessed configuration files in man page. (bsc#1089884)

This update for rpm fixes the following issues:

• Backport support for no_recompute_build_ids macro. (bsc#964063)
• Fix code execution when evaluating common python-related macros. (bsc#1080078)

This update for gpg2 fixes the following security issue:

• CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745)

This update for procps fixes the following security issues:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

This update for perl fixes the following issues:
These security issue were fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
• CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
• CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

• fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:

• CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

• Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
• Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

This update for pam provides the following fix:

• Added /etc/security/limits.d to the pam package. (bsc#1096282)

This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:

• CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

• Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
• Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

This update for pam provides the following fix:

• Added /etc/security/limits.d to the pam package. (bsc#1096282)

The systemwide Root CA certificates were updated to the 2.24 state of the Mozilla NSS Certificate store.
Following CAs were removed:

• S-TRUST_Universal_Root_CA
• TC_TrustCenter_Class_3_CA_II
• TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

This update for pam provides the following fix:

• Added /etc/security/limits.d to the pam package. (bsc#1096282)

This update for perl fixes the following issues:
These security issue were fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216).
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233).
• CVE-2018-6797: Fixed sharp-s regexp overflow (bsc#1082234).
• CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

• fix debugger crash in tab completion with Term::ReadLine::Gnu [bsc#1068565]

This update for ca-certificates-mozilla fixes the following issues:
The Root CA store was updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

• Removed server auth from following CAs:

• Removed CAs

• Added new CAs

This update for libzypp, zypper fixes the following issues:
Update libzypp to version 16.17.20:
Security issues fixed:

• PackageProvider: Validate deta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
• PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

• lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
• Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
• RepoManager: Explicitly request repo2solv to generate application pseudo packages.
• libzypp-devel should not require cmake (bsc#1101349)
• HardLocksFile: Prevent against empty commit without Target having been been loaded (bsc#1096803)
• Avoid zombie tar processes (bsc#1076192)

• Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
• add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

• XML attribute `packages-to-change` added (bsc#1102429)
• man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
• Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
• ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
• Fix: zypper bash completion expands non-existing options (bsc#1049825)
• Improve signature check callback messages (bsc#1045735)
• add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

This update provides kubic-locale-archive for the codestream.

This update for libxml2 fixes the following security issues:

• CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).
• CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).
• CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).
• CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

The GNU Compiler GCC 8 is being added to the Toolchain Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the base products of SUSE Linux Enterprise 12.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for bash provides the following fixes:

• Fix an inconsistent behaviour regarding expansion of here strings. (bsc#1094121)
• Fix mis-matching of null string with '*' pattern. (bsc#1107430)
• Fix a crash when the lastpipe option is enabled.
• Fix a typo that was preventing the `compat42' shopt option from working as intended.
• Help the shell to process any pending traps at redirection.
• Fix a crashe due to incorrect conversion from an indexed to associative array.
• Avoid the expansion of escape sequences in HOSTNAME in prompt.
• Avoid `xtrace' attack over $PS4.

This update for rpm fixes the following issues:
These security issues were fixed:

• CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
• CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

• Use ksym-provides tool [bsc#1077692]

This update for libzypp fixes the following issues:

• Add filesize check for downloads with known size (bsc#408814)
• Fix conversion of string and glob to regex when compiling queries (bsc#1099982, bsc#939392, bsc#556664)
• Fix blocking wait for finished child process (bsc#1109877)

This update for cpio provides the following fix:

• Remove an obsolete patch that was causing cpio not to preserve folder permissions. (bsc#1076810, bsc#889138)

This update for bash fixes the following issues:
Recently released update introduced a change of behavior which resulted in broken customers scripts. (bsc#1113117)

This releases container-suseconnect, skopeo and umoci to the SUSE Linux Enterprise 12 codestream as a build dependency only.

This update for rpm fixes the following issues:

• Fix superfluous TOC. dependency on PowerPC64 (bsc#1113100)
• Update to current find-provides.ksyms and find-requires.ksyms scripts (bsc#1095148)

This update for base-container-licenses, sles12sp4-image fixes the following issues:
Initial delivery of the SUSE Linux Enterprise Server 12 SP4 images.

This update for rpm fixes the following issues:
These security issues were fixed:

• CVE-2017-7500: rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination (bsc#943457).
• CVE-2017-7501: rpm used temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation (bsc#943457)

This update for libgcrypt fixes the following issues:
The following security vulnerability was addressed:

• CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures (bsc#1097410).

• Extended the fipsdrv dsa-sign and dsa-verify commands with the --algo parameter for the FIPS testing of DSA SigVer and SigGen (bsc#1064455).
• Ensure libgcrypt20-hmac and libgcrypt20 are installed in the correct order. (bsc#1090766)

This update for procps fixes the following security issues:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

This update for aaa_base provides the following fixes:

• Get mixed use case of service wrapper script straight. (bsc#1040613)
• Fix an error at login if java system directory is empty. (bsc#1102310)
• Add a test for xdgdir/applications before adding data directory (bsc#1095969)

This update for ncurses fixes the following issue:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

This update for suse-build-key fixes the following issues:

• Install the PTF key also to /usr/lib/rpm/gnupg/keys/ so it can exists also on systems where documentation is not installed. (bsc#1044232)

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

• CVE-2018-0734: Fixed timing vulnerability in DSA signature generation (bsc#1113652).
• CVE-2018-5407: Fixed elliptic curve scalar multiplication timing attack defenses (bsc#1113534).
• Add missing timing side channel patch for DSA signature generation (bsc#1113742).

• Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).
• Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).

This update for libgcrypt provides the following fix:

• Fail selftests when checksum file is missing in FIPS mode only. (bsc#1117355)

This update for acl fixes the following issues:

• quote: Escape literal backslashes (bsc#953659).

This update for container-suseconnect fixes the following issues:
container-suseconnect was updated to 2.0.0 (bsc#1119496):

• Added command line interface
• Added `ADDITIONAL_MODULES` capability to enable further extension modules during image build and run
• Added documentation about how to build docker images on non SLE distributions
• Improve documentation to clarify how container-suseconnect works in a Dockerfile
• Improve error handling on non SLE hosts
• Fix bug which makes container-suseconnect work on SLE15 based distributions

This update for ncurses fixes the following issues:

• ncurses applications freezing (bsc#1121450)

This update for ca-certificates-mozilla fixes the following issues:
The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)
Removed Root CAs:

• AC Raiz Certicamara S.A.
• Certplus Root CA G1
• Certplus Root CA G2
• OpenTrust Root CA G1
• OpenTrust Root CA G2
• OpenTrust Root CA G3
• Visa eCommerce Root

• Certigna Root CA (email and server auth)
• GTS Root R1 (server auth)
• GTS Root R2 (server auth)
• GTS Root R3 (server auth)
• GTS Root R4 (server auth)
• OISTE WISeKey Global Root GC CA (email and server auth)
• UCA Extended Validation Root (server auth)
• UCA Global G2 Root (email and server auth)

This update for libsemanage provides the following fix:

• Prevent an error message when reading module version if the directory does not exist. (bsc#1115500)

This update for procps fixes the following security issues:

• CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
• CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
• CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
• CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
• CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

• Fix CPU summary showing old data. (bsc#1121753)

This update for audit fixes the following issues:
Audit on SUSE Linux Enterprise 12 SP4 was updated to 2.8.1 to bring new features and bugfixes. (bsc#1125535 FATE#326346)

• Many features were added to auparse_normalize
• cli option added to auditd and audispd for setting config dir
• In auditd, restore the umask after creating a log file
• Option added to auditd for skipping email verification

• Change openldap dependency to client only (bsc#1085003)

• CVE-2015-5186: Audit: log terminal emulator escape sequences handling (bsc#941922)

This update for openssl-1_0_0 fixes the following issues:
Security issues fixed:

• The 9 Lives of Bleichenbacher's CAT: Cache Attacks on TLS Implementations (bsc#1117951)
• CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

This update for bash fixes the following issues: Security issue fixed:

• CVE-2019-9924: Fixed a vulnerability in which shell did not prevent user BASH_CMDS allowing the user to execute any command with the permissions of the shell (bsc#1130324).

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974 CVE-2018-10360).
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for glibc fixes the following issues:
Security issues fixed:

• CVE-2019-9169: regex: fix read overrun (bsc#1127308, BZ #24114)
• CVE-2016-10739: Fully parse IPv4 address strings (bsc#1122729, BZ #20018)
• CVE-2009-5155: ERE '0|()0|\1|0' causes regexec undefined behavior (bsc#1127223, BZ #18986)

• Enable TLE only if GLIBC_ELISION_ENABLE=yes is defined (bsc#1131994, fate#322271)
• Add more checks for valid ld.so.cache file (bsc#1110661, BZ #18093)
• Added cfi information for start routines in order to stop unwinding (bsc#1128574)
• ja_JP locale: Add entry for the new Japanese era (bsc#1100396, fate#325570, BZ #22964)

This update for libtasn1 fixes the following issues:
Security issues fixed:

• CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
• CVE-2017-6891: Fixed a stack overflow in asn1_find_node() (bsc#1040621).

This update for xz does only update the license:

• Add SUSE-Public-Domain license as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain license (bsc#1135709)

This update for e2fsprogs fixes the following issues:

• e2fsck: Check and fix tails of all bitmap blocks. (bsc#1128383)

This update for glibc fixes the following issues:
Security issue fixed:

• CVE-2015-5180: Fixed a NULL pointer dereference with internal QTYPE (bsc#941234).

• IBM zSeries arch13 hardware support in glibc added (fate#327072, bsc#1132678)

• Fixed a concurrency issue with ldconfig (bsc#1117993).

This update for elfutils fixes the following issues:
Security issues fixed:

• CVE-2018-16403: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1107067).
• CVE-2016-10254: Fixed a memory allocation failure in alloxate_elf (bsc#1030472).
• CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007).
• CVE-2016-10255: Fixed a memory allocation failure in libelf_set_rawdata_wrlock (bsc#1030476).
• CVE-2019-7150: Added a missing check in dwfl_segment_report_module which could have allowed truncated files to be read (bsc#1123685).
• CVE-2018-16062: Fixed a heap-buffer-overflow (bsc#1106390).
• CVE-2017-7611: Fixed a heap-based buffer over-read that could have led to Denial of Service (bsc#1033088).
• CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090).
• CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084).
• CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085).
• CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087).
• CVE-2018-18521: Fixed multiple divide-by-zero vulnerabilities in function arlib_add_symbols() (bsc#1112723).
• CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089).
• CVE-2018-18310: Fixed an invalid address read in dwfl_segment_report_module.c (bsc#1111973).
• CVE-2018-18520: Fixed bad handling of ar files inside are files (bsc#1112726).

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).

This update for pam fixes the following issues:

• restricted the number of file descriptors to close to a more sensible number based upon resource limits (bsc#1116544)

This update for libxml2 fixes the following issues:
Issue fixed:

• Fixed a bug related to the fix for CVE-2016-9318 which allowed xsltproc to access the internet even when --nonet was given and also was making docbook-xsl-stylesheets to have incomplete xml catalog file (bsc#1010675, bsc#1126613 and bsc#1110146).

This update for bzip2 fixes the following issues:
Security issue fixed:

• CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
• CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).

This update for libsolv, libzypp and zypper fixes the following issues:
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

• Fixes a bug where locking the kernel was not possible (bsc#1113296)

• Fixes a bug where the wrong exit code was set when refreshing repos if --root was used (bsc#1134226)
• Improved the displaying of locks (bsc#1112911)
• Fixes an issue where `https` repository urls caused an error prompt to appear twice (bsc#1110542)
• zypper will now always warn when no repositories are defined (bsc#1109893)

This update for bzip2 fixes the following issues:

• Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

This update for pam fixes the following issues:

• Enable pam_userdb.so (SLE-7257,bsc#1136298)
• Upgraded pam_userdb to 1.3.1. (bsc#1136298)

This update for ca-certificates-mozilla fixes the following issues:

• Update to 2.34 state of the Mozilla NSS Certificate store. (bsc#1144169)

• Removed Root CAs:

• Added root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth)

This update for perl fixes the following issues:
Security issue fixed:

• CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).

This update for expat fixes the following issues:
Security issue fixed:

• CVE-2019-15903: Fixed a heap-based buffer over-read caused by crafted XML documents. (bsc#1149429)

This update for gpg2 fixes the following issues:
Security issue fixed:

• CVE-2019-13050: Fixed denial-of-service attacks via big keys. (bsc#1141093)

• Allow coredumps in X11 desktop sessions (bsc#1124847).

This update for openssl-1_0_0 fixes the following issues:
OpenSSL Security Advisory [10 September 2019]

• CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
• CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

This update for libgcrypt fixes the following issues:
Security issues fixed:

• CVE-2019-13627: Mitigated ECDSA timing attack. (bsc#1148987)

This update for e2fsprogs fixes the following issues:
Security issue fixed:

• CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

• libext2fs: Call fsync(2) to clear stale errors for a new a unix I/O channel. (bsc#1145716)

This update for zypper and libzypp fixes the following issues:
Package: zypper

• Fixed an issue where zypper exited on a SIGPIPE during package download (bsc#1145521)
• Rephrased the file conflicts check summary (bsc#1140039)
• Fixes an issue where the bash completion was wrongly expanded (bsc#1049825)

• Fixed an issue where YaST2 was not able to find base products via libzypp (bsc#1153557)
• Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
• Fixes a file descriptor leak in the media backend (bsc#1116995)

This update for procps provides the following fixes:

• Backport the MemAvailable patch into SLE12-SP4/SP5 procps. (jsc#SLE-10396)
• Add missing ShmemPmdMapped entry for pmap with newer kernels. (bsc#1153386)

This update for cpio fixes the following issues:

• CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

This update for libxml2 doesn't fix any additional security issues, but correct the rpm changelog to reflect all CVEs that have been fixed over the past.

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-10754: Fixed a denial of service caused by a NULL Pointer Dereference in the _nc_parse_entry() (bsc#1131830).
• CVE-2019-17594: Fixed a heap-based buffer over-read in _nc_find_entry function in tinfo/comp_hash.c (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in fmt_entry function in tinfo/comp_hash.c (bsc#1154037).

• Fixed ppc64le build configuration (bsc#1134550).

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

This update for elfutils fixes the following issues:

• Add require of 'libebl1' for 'libelf1'. (bsc#1151577)

This update for ncurses fixes the following issues:

• Work around a bug of old upstream gen-pkgconfig (bsc#1159162)
• Remove doubled library path options (bsc#1159162)
• Also remove private requirements as (lib)tinfo are binary compatible with normal and wide version of (lib)ncurses (bsc#1158586, bsc#1159162)
• Fix last change, that is add missed library linker paths as well as missed include directories for none standard paths (bsc#1158586, bsc#1159162)
• Do not mix include directories of different ncurses ABI (bsc#1158586)

This update for openssl-1_0_0 fixes the following issues:
Security issue fixed:

• CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

This update for libgcrypt fixes the following issues:

• Fix test dsa-rfc6979 in FIPS mode: Disabled tests in elliptic curves with 192 bits which are not recommended in FIPS mode
• Added CMAC AES and TDES FIPS self-tests: (bsc#1155339, bsc#1155338)

This update for libssh fixes the following issues:

• CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

This update for aaa_base fixes the following issues:

• Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
• Reduces the list in /opt/* to gnome, kde4, and kde3. (bsc#910904, bsc#1149127)
• Update logic for JRE_HOME variable. (bsc#1128246)
• Restore old position of ssh/sudo source of profile. (bsc#1118364)
• Revert 'Avoid NAT on Bridges. Bridges are L2 devices, really.' (bsc#1115020)
• Generalize testing for JVM system variables supporting other shells when creating the java path. (boo#1157794)

This update for systemd provides the following fixes:

• CVE-2020-1712 (bsc#bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
• sd-bus: Deal with cookie overruns. (bsc#1150595)
• rules: Add by-id symlinks for persistent memory. (bsc#1140631)
• Drop the old fds used for logging and reopen them in the sub process before doing any new logging. (bsc#1154948)
• Fix warnings thrown during package installation (bsc#1154043)
• Fix for systemctl hanging by restart. (bsc#1139459)
• man: mention that alias names are only effective after 'systemctl enable'. (bsc#1151377)
• ask-password: improve log message when inotify limit is reached. (bsc#1155574)
• udevd: wait for workers to finish when exiting. (bsc#1106383)
• core: fragments of masked units ought not be considered for NeedDaemonReload. (bsc#1156482)
• udev: fix 'NULL' deref when executing rules. (bsc#1151506)
• Introduce function for reading virtual files in 'sysfs' and 'procfs'. (bsc#1133495, bsc#1159814)

This update for e2fsprogs fixes the following issues:

• CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

This update for elfutils fixes the following issues:

• Fix 'eu-nm' issue in elfutils: Symbol iteration will be set to start at 0 instead of 1 to avoid missing symbols in the output. (bsc#1157578)
• Fix for '.ko' file corruption in debug info. (bsc#1110929)

This update for ca-certificates-mozilla fixes the following issues:
The following non-security bugs were fixed:
Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):
Removed certificates:

• Certplus Class 2 Primary CA
• Deutsche Telekom Root CA 2
• CN=Swisscom Root CA 2
• UTN-USERFirst-Client Authentication and Email

• Entrust Root Certification Authority - G4

• Export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).
• Updated to 2.24 state of the Mozilla NSS Certificate store (bsc#1100415).
• Use %license instead of %doc (bsc#1082318).
• Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152, bsc#1071390, bsc#1010996).

This update for ca-certificates-mozilla fixes the following issues:
This reverts a previous change to the generated pem structure, as it require a p11-kit tools update installed first, which can not always ensured correctly. (bsc#1166301 bsc#1165915 bsc#1165919)

This update for suse-build-key fixes the following issues:

• created a new security_at_suse.de key for email communication (bsc#1166334)

This update for glibc fixes the following issues:

• CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).
• CVE-2020-1751: Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
• CVE-2020-10029: Fixed a stack buffer overflow during range reduction (bsc#1165784).
• Use 'posix_spawn' on popen preventing crash caused by 'subprocess'. (bsc#1149332, BZ #22834)
• Fix handling of needles crossing a page, preventing incorrect results to return during the cross page boundary search. (bsc#1157893, BZ #25226)

This update for container-suseconnect fixes the following issues:

• Fix usage with RMT and SMT. (bsc#1157960)
• Parse the /etc/products.d/*.prod files.
• Fix function comments based on best practices from Effective Go. (bsc#1138731)
• Implement interacting with SCC behind proxy and SMT. (bsc#1154247)

This update for e2fsprogs fixes the following issues:

• e2fsck: clarify overflow link count error message (bsc#1160979)
• ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
• ext2fs: implement dir entry creation in htree directories (bsc#1160979)
• tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
• tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

This update for libssh fixes the following issues:

• CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

This update for gcc9 fixes the following issues:
The GNU Compiler Collection is shipped in version 9.
A detailed changelog on what changed in GCC 9 is available at https://gcc.gnu.org/gcc-9/changes.html
The compilers have been added to the SUSE Linux Enterprise Toolchain Module.
To use these compilers, install e.g. gcc9, gcc9-c++ and build with CC=gcc-9 CXX=g++-9 set.

For SUSE Linux Enterprise base products, the libstdc++6, libgcc_s1 and other compiler libraries have been switched from their gcc8 variants to their gcc9 variants.
Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libgcrypt fixes the following issues:

• FIPS: Relax the entropy requirements on selftest during boot (bsc#1162879)

This update for glibc fixes the following issues:

• fork: Remove bogus parent PID assertions to avoid hangs (bsc#1162721)

This update for coreutils fixes the following issues:
-Fix for an issue when using sort with '--human-numeric-sort-key' option the column containig the values can be faulty. (bsc#1156276)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for pam fixes the following issues:

• Moved pam_userdb to a separate package pam-extra (bsc#1166510)

This update for zlib fixes the following issues:

• Includes the last fixes from IBM for bsc#1166260 IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
• Add SUSE specific fix to solve bsc#1138793 The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

This update for base-container-licenses, sles12sp5-image fixes the following issues:
Changes in base-container-licenses:

• Also build for aarch64 (bsc#1172042)
• Ignore base-container-licenses in pre_checkin.sh already
• Update list based on current package list

• Also build for aarch64 (bsc#1172042)

This update for glibc fixes the following issue:

• nptl: wait for pending setxid request also in detached thread (bsc#1162930)

This update for audit fixes the following issues:

• Fix hang on startup. (bsc#1156159)
• Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

This update for adns fixes the following issues:

• CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265).
• CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265).
• CVE-2017-9107: Fixed an issue when quering domain names which could have led to denial of service (bsc#1172265).
• CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265).

This update for perl fixes the following issues:

• CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
• CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
• CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
• Fixed utf8 handling in perldoc by useing 'term' instead of 'man' (bsc#1170601).
• Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

This update for curl fixes the following issues:

• CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

This update for systemd fixes the following issues:

• CVE-2019-20386: Fixed a memory leak when executing the udevadm trigger command (bsc#1161436).
• Renamed the persistent link for ATA devices (bsc#1164538)
• shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
• tmpfiles: removed unnecessary assert (bsc#1171145)
• pid1: by default make user units inherit their umask from the user manager (bsc#1162698)
• manager: fixed job mode when signalled to shutdown etc (bsc#1161262)
• coredump: fixed bug that loses core dump files when core dumps are compressed and disk space is low. (bsc#1167622)
• udev: inform systemd how many workers we can potentially spawn (#4036) (bsc#1165633)
• libblkid: open device in nonblock mode. (bsc#1084671)
• udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)

This update for grep fixes the following issues:
Fix for an issue when command 'grep -i' produces bad performance by using multibyte with 'non-utf8' encoding. (bsc#1163834)

This update for glibc fixes the following issues:

• Fix concurrent changes on nscd aware files (bsc#1171878, BZ #23178)
• nscd: bump GC cycle during cache pruning (bsc#1171878, BZ #26130)
• Correct locking and cancellation cleanup in syslog functions (bsc#1172085, BZ #26100)

This update for cloud-regionsrv-client fixes the following issues:

• Introduce containerbuild-regionsrv service to allow container building tools to access required data for accessing Public Cloud RMTs (bsc#1173474, bsc#1173475)

This update for util-linux fixes the following issues:

• blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
• nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
• Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
• mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)

This update for grep fixes the following issues:

• Fix for -P treating invalid UTF-8 input and causing incosistency. (bsc#1174080)

This update of pam fixes the following issue:

• On some SUSE Linux Enterprise 12 SP5 based media from build.suse.com a pam version with a higher release number than the last update of pam was delivered. This update releases pam with a higher release number to align it with this media. (bsc#1173593)

This update for ca-certificates-mozilla fixes the following issues:
Update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
Removed CAs:

• AddTrust External CA Root
• AddTrust Class 1 CA Root
• LuxTrust Global Root 2
• Staat der Nederlanden Root CA - G2
• Symantec Class 1 Public Primary Certification Authority - G4
• Symantec Class 2 Public Primary Certification Authority - G4
• VeriSign Class 3 Public Primary Certification Authority - G3

• certSIGN Root CA G2
• e-Szigno Root CA 2017
• Microsoft ECC Root Certificate Authority 2017
• Microsoft RSA Root Certificate Authority 2017

This update for curl fixes the following issues:

• An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231]

This update for zlib provides the following fixes:

• Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
• Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

This update for systemd fixes the following issues:

• Fix inconsistent file modes for some ghost files. (bsc#1173227)
• Fix for an issue where nfs-server clone causes cluster node to hang on reboot. (bsc#1169488)

This update for procps fixes the following issues:

• Add fix for procps and its libraries to avoid issues with the 'free' tool. (bsc#1174660)

This update for libxml2 fixes the following issues:

• CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
• CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).
• CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).
• Fixed invalid xmlns references due to CVE-2019-19956 (bsc#1172021).

This update for zlib fixes the following issues:

• Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
• Enable hardware compression on s390/s390x (jsc#SLE-13776)

This update for libsolv fixes the following issues:
This is a reissue of an existing libsolv update that also included libsolv-devel for LTSS products.
libsolv was updated to version 0.6.36 fixes the following issues:
Security issues fixed:

• CVE-2018-20532: Fixed a NULL pointer dereference in testcase_read() (bsc#1120629).
• CVE-2018-20533: Fixed a NULL pointer dereference in testcase_str2dep_complex() (bsc#1120630).
• CVE-2018-20534: Fixed a NULL pointer dereference in pool_whatprovides() (bsc#1120631).

• Made cleandeps jobs on patterns work (bsc#1137977).
• Fixed an issue multiversion packages that obsolete their own name (bsc#1127155).
• Keep consistent package name if there are multiple alternatives (bsc#1131823).

This update for libzypp fixes the following issues:
Security issue fixed:

• CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

This update for suse-build-key fixes the following issues:

• This update extends the suse build key (bsc#1176759)
• The SUSE container key is different from the build key. (PM-1845 bsc#1170347)

This update for libproxy fixes the following issues:

• CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
• CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for openssl-1_0_0 fixes the following issues:
Various changes required for FIPS 140-2 certification (jsc#SLE-10541)

• FIPS: Use SHA-2 in the RSA pairwise consistency check (bsc#1155346)
• FIPS: Add shared secret KAT to FIPS DH selftest (bsc#1176029)
• FIPS: Include ECDH/DH Requirements from SP800-56Arev3 (bsc#1176029 bsc#1177479 bsc#1177575 bsc#1177673 bsc#1177793)

This update for ca-certificates-mozilla fixes the following issues:
The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

• Removed CAs:

• Added CAs:

This update for gcc10 fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

This update for zypper fixes the following issues:

• Fixed an issue, where zypper crashed when the system language is set to Spanish and the user tried to patch their system with 'zypper patch --category security' (bsc#1178038)
• Fixed a typo in man page (bsc#1169947)

This update for systemd fixes the following issues:

• Create systemd-remote user only if journal-remote is included with the package (bsc#1177458)
• Fixed a buffer overflow in systemd ask-password (bsc#1177510)
• Fixed an issue in the boot process, when the system has an NFS moiunt on fstab that uses the 'bg' option while the NFS server is not reachable (bsc#1176513)
• Fixed an issue with the try-restart command, where services won't restart (bsc#1139459)

• cryptsetup: support LUKS2 on-disk format (bsc#1083571, jsc#SLE-13842)

This update for pam fixes the following issue:

• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

This update for curl fixes the following issues:

• CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
• CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
• CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

This update for libzypp, zypper fixes the following issues:
Changes in zypper:

• Fix typo in `list-patches` help. (bsc#1178925)

• Fix in repository manager for removing non-directory entries related to the cache. (bsc#1178966)
• Remove from the logs the credentials available from the authorization header. (bsc#1174215) The authorization header may include base64 encoded credentials which could be restored from the log file. The credentials are now stripped from the log.

This update for util-linux fixes the following issues:

• Do not trigger CDROM autoclose. (bsc#1084671)
• Try to autoconfigure broken serial lines.
• Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
• Build with libudev support to support non-root users. (bsc#1169006)
• Aavoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
• Fix warning on mounts to CIFS with mount –a. (SG#57988, bsc#1174942)

This update for libxml2 fixes the following issues:
Avoid quadratic checking of identity-constraints, speeding up XML validation. (bsc#1178823)

• key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
• This fix uses a hash table to avoid the quadratic behaviour.

This update for openssl-1_0_0 fixes the following issues:

• Add declaration of BN_secure_new() function needed by other packages. (bsc#1180777)
• Add FIPS elliptic curve key check necessary for FIPS 140-2 certification. (bsc#1180959)

This update for curl fixes the following issues:

• Fix for SFTP uploads when it results in empty uploaded files. (bsc#1177976)

This update for systemd fixes the following issues:

• Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reloadbsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597)

• Import commit 4eae068097b42f2fd2a942e637e91ba3c12b37af 386e85dcd3 core: Fix edge case when processing /proc/self/mountinfo (#7811) (bsc#1180596) 7be6e949dc udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885) 3bce298616 core: fix memory leak on reload (bsc#1180020) b24b36d76c journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824) 703c08e0ae udev: Fix sound.target dependency (bsc#1179363) 07dc6d987d rules: enable hardware-related targets also for user instances 5cfed8b620 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope 2710a4be38 core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436) d3b81a8940 core: make sure RequestStop signal is send directed bbe11f8400 time-util: treat /etc/localtime missing as UTC (bsc#1141597)

This update for file fixes the following issues:

• Fixed an issue when file is used with a string started with '80'. (bsc#1182138)

This update for glibc fixes the following issues:

• Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
• gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
• Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
• powerpc: Add support for POWER10 (bsc#1181365)

This update for openssl-1_0_0 fixes the following issues:

• CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
• CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

This update for zlib fixes the following issues:

• Fixed hw compression on z15 (bsc#1176201)

This update for nghttp2 fixes the following issues:
Security issues fixed:

• CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
• CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
• CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
• CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
• CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

• Packages must not mark license files as %doc (bsc#1082318)
• Typo in description of libnghttp2_asio1 (bsc#962914)
• Fixed mistake in spec file (bsc#1125689)
• Fixed build issue with boost 1.70.0 (bsc#1134616)
• Fixed build issue with GCC 6 (bsc#964140)
• Feature: Add W&S module (FATE#326776, bsc#1112438)

This update for libcap fixes the following issues:

• Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
• Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

This update for glibc fixes the following issues:

• CVE-2020-27618: Accept redundant shift sequences in IBM1364 (bsc#1178386)
• CVE-2020-29562: Fix incorrect UCS4 inner loop bounds (bsc#1179694)
• CVE-2020-29573: Harden printf against non-normal long double values (bsc#1179721)
• Check vector support in memmove ifunc-selector (bsc#1184034)

This update for systemd fixes the following issues:

• Fixed an issue, where Restart=on-abort was not respected based on the exit status of the main process (bsc#1183790)
• Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.
• Fixed an error when building systemd systemd-mini, caused by a change in systemd-rpm-macros (bsc#1183094)
• Added a requirement for aaa_base >= 13.2 to stay compatible (bsc#1180083)
• Fixed a memory leak in systemctl daemon-reload (bsc#1180020)

This update for libcap fixes the following issues:

• Add explicit dependency on 'libcap2' with version to 'libcap-progs'. (bsc#1184690, bsc#1184434)

This update for curl fixes the following issues:

• CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).

This update for libxml2 fixes the following issues:

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for bash fixes the following issues:

• Fixed a bug where the 'tailf' command destroyed the terminal/console settings (bsc1177369)

This update for libxml2 fixes the following issues:
Security issues fixed:
CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)

• CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
• CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
• CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

This update for audit fixes the following issues:

• Enable Aarch64 processor support. (bsc#1179515, bsc#1184362)

This update for systemd fixes the following issues:
systemctl: add --value option execute: make sure to call into PAM after initializing resource limits. (bsc#1184967) rlimit-util: introduce setrlimit_closest_all() system-conf: drop reference to ShutdownWatchdogUsec= core: rename ShutdownWatchdogSec to RebootWatchdogSec. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
rules: don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: set execute bits. (bsc#1178561) udev: rework network device renaming. Revert 'Revert 'udev: network device renaming - immediately give up if the target name isn't available''

This update for curl fixes the following issues:

• CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
• Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check.

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)
• Fixed build failure in SLE-12 due to bogus 'rpmlint'. (bsc#1185337)

This update for libxml2 fixes the following issues:

• CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015).

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for libgcrypt fixes the following issues:

• CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

This update for libsolv fixes the following issues:
Security issues fixed:

• CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510)
• CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229)

• backport support for blacklisted packages to support ptf packages and retracted patches
• fix ruleinfo of complex dependencies returning the wrong origin
• fix SOLVER_FLAG_FOCUS_BEST updateing packages without reason
• fix add_complex_recommends() selecting conflicted packages in rare cases
• fix potential segfault in resolve_jobrules
• fix solv_zchunk decoding error if large chunks are used

This update for permissions fixes the following issues:

• Fork package for 12-SP5 (bsc#1155939)
• make btmp root:utmp (bsc#1050467, bsc#1182899)
• pcp: remove no longer needed / conflicting entries (bsc#1171883). Fixes a potential security issue.
• do not follow symlinks that are the final path element (CVE-2020-8013, bsc#1163922)
• fix handling of relative directory symlinks in chkstat
• whitelist postgres sticky directories (bsc#1123886)
• fix regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
• fix capability handling when doing multiple permission changes at once (bsc#1161779,
• fix invalid free() when permfiles points to argv (bsc#1157198)
• the eror should be reported for permfiles[i], not argv[i], as these are not the same files. (bsc#1047247, bsc#1097665)
• fix /usr/sbin/pinger ownership to root:squid (bsc#1093414, CVE-2019-3688)
• fix privilege escalation through untrusted symlinks (bsc#1150734, CVE-2019-3690)