- 000release-packages:SUSE-MicroOS-release
-
n/a
- ca-certificates-mozilla
-
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
- Added: FIRMAPROFESIONAL CA ROOT-A WEB
- Distrust: GLOBALTRUST 2020
- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
Added:
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
- D-Trust SBR Root CA 1 2022
- D-Trust SBR Root CA 2 2022
- Telekom Security SMIME ECC Root 2021
- Telekom Security SMIME RSA Root 2023
- Telekom Security TLS ECC Root 2020
- Telekom Security TLS RSA Root 2023
- TrustAsia Global Root CA G3
- TrustAsia Global Root CA G4
Removed:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- Chambers of Commerce Root - 2008
- Global Chambersign Root - 2008
- Security Communication Root CA
- Symantec Class 1 Public Primary Certification Authority - G6
- Symantec Class 2 Public Primary Certification Authority - G6
- TrustCor ECA-1
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- VeriSign Class 1 Public Primary Certification Authority - G3
- VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
- containerd
-
- Update to containerd v1.7.21. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.21>
Fixes CVE-2023-47108. bsc#1217070
Fixes CVE-2023-45142. bsc#1228553
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- curl
-
- Security fix: [bsc#1230093, CVE-2024-8096]
* curl: OCSP stapling bypass with GnuTLS
* Add curl-CVE-2024-8096.patch
- Security fix: [bsc#1228535, CVE-2024-7264]
* curl: ASN.1 date parser overread
* Add curl-CVE-2024-7264.patch
- glib2
-
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
a dbus message. Fixes a possible use after free (boo#1224044).
- glibc
-
- s390x-wcsncmp.patch: s390x: Fix segfault in wcsncmp (bsc#1228043, BZ
[#31934])
- kernel-default
-
- Update patches.suse/usb-f_fs-Fix-use-after-free-for-epfile.patch
(git-fixes bsc#1228040 CVE-2022-48822).
- commit 2c8d4da
- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
CVE-2024-39494).
- commit f6c5c97
- ASoC: topology: Fix route memory corruption (CVE-2024-41069
bsc#1228644).
- commit f66560f
- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit f02f32a
- ASoC: topology: Fix references to freed memory (CVE-2024-41069
bsc#1228644).
- commit 92df0ca
- hfsplus: fix uninit-value in copy_name (bsc#1228561
CVE-2024-41059).
- commit 97ed148
- dmaengine: idxd: Fix possible Use-After-Free in
irq_process_work_list (CVE-2024-40956 bsc#1227810).
- commit 26f1077
- ocfs2: fix DIO failure due to insufficient transaction credits
(bsc#1216834).
- commit 300f953
- SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (CVE-2023-52885
bsc#1227750).
- commit e97b8a4
- scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
(bsc#1228013 CVE-2022-48792).
- commit e1a6b29
- tap: add missing verification for short frame (CVE-2024-41090
bsc#1228328).
- commit ebf78ce
- ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
(CVE-2021-47291 bsc#1224918).
- ipv6: Fix KASAN: slab-out-of-bounds Read in
fib6_nh_flush_exceptions (bsc#1224918 CVE-2021-47126
bsc#1221539).
- commit 8e8ce7c
- drm/amdkfd: don't allow mapping the MMIO HDP page with large
pages (CVE-2024-41011 bsc#1228115).
- commit 71f4e95
- sch_cake: do not call cake_destroy() from cake_init()
(CVE-2021-47598 bsc#1226574).
- commit bd20b3c
- scsi: scsi_debug: Fix type in min_t to avoid stack OOB
(bsc#1226550 CVE-2021-47580).
- scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
(bsc#1222824 CVE-2021-47219).
- commit 2e165bd
- X.509: Fix the parser of extended key usage for length
(bsc#1218820 bsc#1226666).
- commit 2d78310
- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
bsc#1227836).
- commit 2df93fe
- Update References
patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
(bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
CVE-2020-26558).
- commit d06a0d0
- Update
patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
(bsc#1186463 CVE-2021-0129 CVE-2020-26558 bsc#1179610
CVE-2020-26558).
- commit 9cfc088
- misc: fastrpc: avoid double fput() on failed usercopy
(CVE-2022-48821 bsc#1227976).
- commit 57e770a
- Update
patches.suse/tls-fix-use-after-free-on-failed-backlog-decryption.patch
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186
CVE-2024-26800 bsc#1222728).
- commit 72c3b29
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
(bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
(bsc#1226758 CVE-2024-38559 bsc#1226785).
- commit 53c517e
- nfsd: fix use-after-free due to delegation race (CVE-2021-47506
bsc#1225404 bsc#1227497).
- commit b195c7b
- Update
patches.suse/net-tls-factor-out-tls_-crypt_async_wait.patch.
- fix build warning
- commit 7f81dcf
- Fix spurious WARNING caused by a qxl driver patch (bsc#1227213)
Refresh patches.suse/drm-qxl-fix-UAF-on-handle-creation.patch
- commit e245863
- Update
patches.suse/scsi-qedf-Ensure-the-copied-buf-is-NUL-terminated.patch
(bsc#1226785 CVE-2024-38559).
Fix incorrect bug reference.
- commit 7bd70b9
- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
CVE-2021-47520).
- commit 0094102
- powerpc/rtas: Prevent Spectre v1 gadget construction in
sys_rtas() (bsc#1227487).
- commit 74bce38
- blacklist.conf:
- commit cdd4002
- NFS: Don't overfill uncached readdir pages (bsc#1226662).
- commit d0f2933
- tls: fix use-after-free on failed backlog decryption
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: separate no-async decryption request handling from async
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: decrement decrypt_pending if no async completion will be
called (CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: handle backlogging of crypto requests (CVE-2024-26584
bsc#1220186).
- tls: fix race between tx work scheduling and socket close
(CVE-2024-26585 bsc#1220187).
- tls: fix race between async notify and socket close
(CVE-2024-26583 bsc#1220185).
- net: tls: factor out tls_*crypt_async_wait() (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- net: tls: fix async vs NIC crypto offload (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: use async as an in-out argument (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: assume crypto always calls our callback (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't track the async count (CVE-2024-26583
CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: simplify async wait (CVE-2024-26583 CVE-2024-26584
bsc#1220185 bsc#1220186).
- tls: rx: wrap decryption arguments in a structure
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: don't report text length from the bowels of decrypt
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- tls: rx: drop unnecessary arguments from tls_setup_from_iter()
(CVE-2024-26583 CVE-2024-26584 bsc#1220185 bsc#1220186).
- net/tls: race causes kernel panic (CVE-2024-26583 CVE-2024-26584
bsc#1220185 bsc#1220186).
- commit cf4818b
- Delete
patches.suse/tls-fix-race-between-tx-work-scheduling-and-socket-c.patch.
Will be replaced with refreshed version once all conflicting patches are in.
- commit e1dd229
- dm btree remove: fix use after free in rebalance_children()
(CVE-2021-47600, bsc#1226575).
- commit 088e9db
- openssl-1_1
-
- Security fix: [bsc#1227138, CVE-2024-5535]
* SSL_select_next_proto buffer overread
* Add openssl-CVE-2024-5535.patch
- snapper
-
- handle content-length of stomp in zypper plugin
(gh#openSUSE/snapper#918) (bsc#1229142)
* added pr919.patch
* added pr920.patch
- libsolv
-
- removed dependency on external find program in the repo2solv tool
- bindings: fix return value of repodata.add_solv()
- new SOLVER_FLAG_FOCUS_NEW flag
- bump version to 0.7.30
- libzypp
-
- Make sure not to statically link installed tools (bsc#1228787)
- version 17.35.8 (35)
- MediaPluginType must be resolved to a valid MediaHandler
(bsc#1228208)
- version 17.35.7 (35)
- Export CredentialManager for legacy YAST versions (bsc#1228420)
- version 17.35.6 (35)
- Export asSolvable for YAST (bsc#1228420)
- Fix 4 typos in zypp.conf.
- version 17.35.5 (35)
- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- version 17.35.4 (35)
- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
Older zypp-plugins reject stomp headers including a '-', like the
'content-length' header we may send.
- Fix int overflow in Provider (fixes #559)
This patch fixes an issue in safe_strtonum which caused
timestamps to overflow in the Provider message parser.
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- version 17.35.3 (35)
- Keep UrlResolverPlugin API public (fixes #560)
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
Buddy pairs (like -release package and product) internally share
the same status object. When applying locks from query results
the locked bit must be set if either item is locked.
- version 17.35.2 (35)
- Install zypp/APIConfig.h legacy include (fixes #557)
- version 17.35.1 (35)
- Update soname due to RepoManager refactoring and cleanup.
- version 17.35.0 (35)
- Workaround broken libsolv-tools-base requirements (fixes
openSUSE/zypper#551)
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency.
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows.
- version 17.34.2 (34)
- pam
-
- Prevent cursor escape from the login prompt [bsc#1194818]
* Added: pam-bsc1194818-cursor-escape.patch
- python-PyYAML
-
- reenable the cython yaml loader (bsc#1225641)
- python-setuptools
-
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
* Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
- zypp-plugin
-
- Fix stomp header regex to include '-' (bsc#1227793)
- version 0.6.4
- singlespec in Tumbleweed must support multiple python3 flavors
in the future gh#openSUSE/python-rpm-macros#66
- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)
- Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596)
- runc
-
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.14. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
Includes the patch for CVE-2024-45310. bsc#1230092
- Rebase patches:
* 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
* 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
* 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
* 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
- selinux-policy
-
- Update to version 20210716+git64.0c11a3fb:
* Fix mkhomedir_helper label to match on sbin (bsc#1229701)
* allow init to run bpf programs. We do this during early startup (bsc#1215423)
* Allow sysadm_t run kernel bpf programs
- Packaging rework. Move policy to git repository
Please use `osc service manualrun` to update this OBS package to the
newest git version.
* Added _service and _servicedata file that pulls from selinux-policy and tar it
* Replaced old tar file: fedora-policy-20210716.tar.bz2
with tar file generated via OBS service: selinux-policy-20210716+git59.29f0685b.tar.xz
* Updated selinux-policy.spec to build selinux-policy with
container-selinux
* Removed suse specific modules as they are now covered by git commits
* packagekit.te packagekit.if packagekit.fc
* rebootmgr.te rebootmgr.if rebootmgr.fc
* rtorrent.te rtorrent.if rtorrent.fc
* wicked.te wicked.if wicked.fc
* Removed *.patch as they are now covered by git commits:
* fix_djbdns.patch
* fix_dbus.patch
* fix_java.patch
* fix_hadoop.patch
* fix_thunderbird.patch
* fix_postfix.patch
* fix_nscd.patch
* fix_sysnetwork.patch
* fix_logging.patch
* fix_xserver.patch
* fix_miscfiles.patch
* fix_init.patch
* fix_locallogin.patch
* fix_iptables.patch
* fix_irqbalance.patch
* fix_ntp.patch
* fix_fwupd.patch
* fix_firewalld.patch
* fix_logrotate.patch
* fix_selinuxutil.patch
* fix_corecommand.patch
* fix_snapper.patch
* fix_systemd.patch
* fix_unconfined.patch
* fix_unconfineduser.patch
* fix_chronyd.patch
* fix_networkmanager.patch
* fix_accountsd.patch
* fix_automount.patch
* fix_colord.patch
* fix_mcelog.patch
* fix_sslh.patch
* fix_nagios.patch
* fix_openvpn.patch
* fix_cron.patch
* fix_usermanage.patch
* fix_smartmon.patch
* fix_geoclue.patch
* fix_authlogin.patch
* fix_screen.patch
* fix_unprivuser.patch
* fix_rpm.patch
* fix_apache.patch
* fix_nis.patch
* fix_libraries.patch
* fix_dovecot.patch
* fix_cockpit.patch
* fix_systemd_watch.patch
* fix_kernel_sysctl.patch
* fix_auditd.patch
* fix_hypervkvp.patch
* systemd_domain_dyntrans_type.patch
* fix_cloudform.patch
* sedoctool.patch
* init_watch_unallocated_ttys.patch
- Move update.sh to selinux-devel-tools git repository (does not need
to be tracked by OBS since it is an internal tool for package update)
- supportutils
-
- Changes to version 3.2.8
+ Avoid getting duplicate kernel verifications in boot.text (pr#190)
+ lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
+ docker_info: Add timestamps to container logs (pr#196)
+ Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
+ Update supportconfig get pam.d sorted (pr#199)
+ yast_files: Exclude .zcat (pr#201)
+ Sanitize grub bootloader (bsc#1227127, pr#203)
+ Sanitize regcodes (pr#204)
+ Improve product detection (pr#205)
+ Add read_values for s390x (bsc#1228265, pr#206)
+ hardware_info: Remove old alsa ver check (pr#209)
+ drbd_info: Fix incorrect escape of quotes (pr#210)
- suse-build-key
-
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
- gpg-pubkey-39db7c82-5f68629b.asc
+ gpg-pubkey-39db7c82-66c5d91a.asc
- xen
-
- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
IOMMU identity mapping (XSA-460)
xsa460.patch
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
with shared resources (XSA-461)
xsa461.patch
- zypper
-
- Show rpm install size before installing (bsc#1224771)
If filesystem snapshots are taken before the installation (e.g.
by snapper) no disk space is freed by removing old packages. In
this case the install size of all packages is a hint of how much
additional disk space is needed by the new packages' static
content.
- version 1.14.76
- Fix readline setup to handle Ctrl-C and Ctrl-D correctly
(bsc#1227205)
- version 1.14.75
- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- version 1.14.74