- 000release-packages:SUSE-MicroOS-release
-
n/a
- ca-certificates-mozilla
-
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
- Added: FIRMAPROFESIONAL CA ROOT-A WEB
- Distrust: GLOBALTRUST 2020
- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
Added:
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
- D-Trust SBR Root CA 1 2022
- D-Trust SBR Root CA 2 2022
- Telekom Security SMIME ECC Root 2021
- Telekom Security SMIME RSA Root 2023
- Telekom Security TLS ECC Root 2020
- Telekom Security TLS RSA Root 2023
- TrustAsia Global Root CA G3
- TrustAsia Global Root CA G4
Removed:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- Chambers of Commerce Root - 2008
- Global Chambersign Root - 2008
- Security Communication Root CA
- Symantec Class 1 Public Primary Certification Authority - G6
- Symantec Class 2 Public Primary Certification Authority - G6
- TrustCor ECA-1
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- VeriSign Class 1 Public Primary Certification Authority - G3
- VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
- containerd
-
- Update to containerd v1.7.21. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.21>
Fixes CVE-2023-47108. bsc#1217070
Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- curl
-
- Security fix: [bsc#1230093, CVE-2024-8096]
* curl: OCSP stapling bypass with GnuTLS
* Add curl-CVE-2024-8096.patch
- Security fix: [bsc#1228535, CVE-2024-7264]
* curl: ASN.1 date parser overread
* Add curl-CVE-2024-7264.patch
- glib2
-
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
a dbus message. Fixes a possible use after free (boo#1224044).
- glibc
-
- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
[#31934])
- kernel-default
-
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
(git-fixes bsc#1228040 CVE-2022-48822).
- commit 2c8d4da
- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
CVE-2024-39494).
- commit f6c5c97
- ASoC: topology: Fix route memory corruption (CVE-2024-41069
bsc#1228644).
- commit f66560f
- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit f02f32a
- ASoC: topology: Fix references to freed memory (CVE-2024-41069
bsc#1228644).
- commit 92df0ca
- hfsplus: fix uninit-value in copy_name (bsc#1228561
CVE-2024-41059).
- commit 97ed148
- dmaengine: idxd: Fix possible Use-After-Free in
irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 26f1077
- ocfs2: fix DIO failure due to insufficient transaction credits
(bsc#1216834).
- commit 300f953
- SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (CVE-2023-52885
bsc#1227750).
- commit e97b8a4
- scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
(bsc#1228013 CVE-2022-48792).
- commit e1a6b29
- tap: add missing verification for short frame (CVE-2024-41090
bsc#1228328).
- commit ebf78ce
- ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
(CVE-2021-47291 bsc#1224918).
- ipv6: Fix KASAN: slab-out-of-bounds Read in
fib6_nh_flush_exceptions (bsc#1224918 CVE-2021-47126
bsc#1221539).
- commit 8e8ce7c
- drm/amdkfd: don't allow mapping the MMIO HDP page with large
pages (CVE-2024-41011 bsc#1228115).
- commit 71f4e95
- sch_cake: do not call cake_destroy() from cake_init()
(CVE-2021-47598 bsc#1226574).
- commit bd20b3c
- scsi: scsi_debug: Fix type in min_t to avoid stack OOB
(bsc#1226550 CVE-2021-47580).
- scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
(bsc#1222824 CVE-2021-47219).
- commit 2e165bd
- X.509: Fix the parser of extended key usage for length
(bsc#1218820 bsc#1226666).
- commit 2d78310
- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
bsc#1227836).
- commit 2df93fe
- Update References
patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
(bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
CVE-2020-26558).
- commit d06a0d0
- Update
patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
(bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
CVE-2020-26558).
- commit 9cfc088
- misc: fastrpc: avoid double fput() on failed usercopy
(CVE-2022-48821 bsc#1227976).
- commit 57e770a
- Update
patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
CVE-2024-26800 bsc#1222728).
- commit 72c3b29
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
(bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
(bsc#1226758 CVE-2024-38559 bsc#1226785).
- commit 53c517e
- nfsd: fix use-after-free due to delegation race (CVE-2021-47506
bsc#1225404 bsc#1227497).
- commit b195c7b
- Update
patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 7f81dcf
- Fix spurious WARNING caused by a qxl driver patch (bsc#1227213)
Refresh patches.suse/drm-qxl-fix-UAF-on-handle-creation.patch
- commit e245863
- Update
patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
(bsc#1226785 CVE-2024-38559).
Fix incorrect bug reference.
- commit 7bd70b9
- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
CVE-2021-47520).
- commit 0094102
- powerpc/rtas: Prevent Spectre v1 gadget construction in
sys_rtas() (bsc#1227487).
- commit 74bce38
- blacklist.conf:
- commit cdd4002
- NFS: Don't overfill uncached readdir pages (bsc#1226662).
- commit d0f2933
- tls: fix use-after-free on failed backlog decryption
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
bsc#1220186).
- tls: fix race between tx work scheduling and socket close
(CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
(CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net/tls: race causes kernel panic (CVE-2024-26583 CVE-2024-26584
bsc#1220185 bsc#1220186).
- commit cf4818b
- Delete
patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
Will be replaced with refreshed version once all conflicting patches are in.
- commit e1dd229
- dm btree remove: fix use after free in rebalance_children()
(CVE-2021-47600, bsc#1226575).
- commit 088e9db
- openssl-1_1
-
- Security fix: [bsc#1227138, CVE-2024-5535]
* SSL_select_next_proto buffer overread
* Add openssl-CVE-2024-5535.patch
- snapper
-
- handle content-length of stomp in zypper plugin
(gh#openSUSE/snapper#918) (bsc#1229142)
* added pr919.patch
* added pr920.patch
- libsolv
-
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
- libzypp
-
- Make sure not to statically linked installed tools (bsc#1228787)
- version 17.35.8 (35)
- MediaPluginType must be resolved to a valid MediaHandler
(bsc#1228208)
- version 17.35.7 (35)
- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)
- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)
- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)
- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
Older zypp-plugins reject stomp headers including a '-'. Like the
'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
This patch fixes an issue in safe_strtonum which caused
timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)
- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
Buddy pairs (like -release package and product) internally share
the same status object. When applying locks from query results
the locked bit must be set if either item is locked.
- version 17.35.2 (35)
- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)
- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)
- Workaround broken libsolv-tools-base requirements (fixes
openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
- pam
-
- Prevent cursor escape from the login prompt [bsc#1194818]
* Added: pam-bsc1194818-cursor-escape.patch
- python-PyYAML
-
- reenable the cython yaml loader (bsc#1225641)
- python-setuptools
-
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
* Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
- zypp-plugin
-
- Fix stomp header regex to include '-' (bsc#1227793)
- version 0.6.4
- singlespec in Tumbleweed must support multiple python3 flavors
in the future gh#openSUSE/python-rpm-macros#66
- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)
- Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596)
- runc
-
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
* 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
* 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
* 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
* 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
- selinux-policy
-
- Update to version 20210716+git64.0c11a3fb:
* Fix mkhomedir_helper label to match on sbin (bsc#1229701)
* allow init to run bpf programs. We do this during early startup (bsc#1215423)
* Allow sysadm_t run kernel bpf programs
- Packaging rework. Move policy to git repository
Please use `osc service manualrun` to update this OBS package to the
newest git version.
* Added _service and _servicedata file that pulls from selinux-policy and tar it
* Replaced old tar file: fedora-policy-20210716.tar.bz2
with tar file generated via OBS service: selinux-policy-20210716+git59.29f0685b.tar.xz
* Updated selinux-policy.spec to build selinux-policy with
container-selinux
* Removed suse specific modules as they are now covered by git commits
* packagekit.te packagekit.if packagekit.fc
* rebootmgr.te rebootmgr.if rebootmgr.fc
* rtorrent.te rtorrent.if rtorrent.fc
* wicked.te wicked.if wicked.fc
* Removed *.patch as they are now covered by git commits:
* fix_djbdns.patch
* fix_dbus.patch
* fix_java.patch
* fix_hadoop.patch
* fix_thunderbird.patch
* fix_postfix.patch
* fix_nscd.patch
* fix_sysnetwork.patch
* fix_logging.patch
* fix_xserver.patch
* fix_miscfiles.patch
* fix_init.patch
* fix_locallogin.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_ntp.patch
* fix_fwupd.patch
* fix_firewalld.patch
* fix_logrotate.patch
* fix_selinuxutil.patch
* fix_corecommand.patch
* fix_snapper.patch
* fix_systemd.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_accountsd.patch
* fix_automount.patch
* fix_colord.patch
* fix_mcelog.patch
* fix_sslh.patch
* fix_nagios.patch
* fix_openvpn.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_smartmon.patch
* fix_geoclue.patch
* fix_authlogin.patch
* fix_screen.patch
* fix_unprivuser.patch
* fix_rpm.patch
* fix_apache.patch
* fix_nis.patch
* fix_libraries.patch
* fix_dovecot.patch
* fix_cockpit.patch
* fix_systemd_watch.patch
* fix_kernel_sysctl.patch
* fix_auditd.patch
* fix_hypervkvp.patch
* systemd_domain_dyntrans_type.patch
* fix_cloudform.patch
* sedoctool.patch
* init_watch_unallocated_ttys.patch
- Move update.sh to selinux-devel-tools git repository (does not need
to be tracked by OBS since it is an internal tool for package update)
- supportutils
-
- Changes to version 3.2.8
+ Avoid getting duplicate kernel verifications in boot.text (pr#190)
+ lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
+ docker_info: Add timestamps to container logs (pr#196)
+ Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
+ Update supportconfig get pam.d sorted (pr#199)
+ yast_files: Exclude .zcat (pr#201)
+ Sanitize grub bootloader (bsc#1227127, pr#203)
+ Sanitize regcodes (pr#204)
+ Improve product detection (pr#205)
+ Add read_values for s390x (bsc#1228265, pr#206)
+ hardware_info: Remove old alsa ver check (pr#209)
+ drbd_info: Fix incorrect escape of quotes (pr#210)
- suse-build-key
-
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
- gpg-pubkey-39db7c82-5f68629b.asc
+ gpg-pubkey-39db7c82-66c5d91a.asc
- zypper
-
- Show rpm install size before installing (bsc#1224771)
If filesystem snapshots are taken before the installation (e.g.
by snapper) no disk space is freed by removing old packages. In
this case the install size of all packages is a hint how much
additional disk space is needed by the new packages static
content.
- version 1.14.76
- Fix readline setup to handle Ctrl-C and Ctrl-D corrrectly
(bsc#1227205)
- version 1.14.75
- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74