- 000release-packages:SLE-Micro-release
-
n/a
- coreutils
-
- coreutils-9.7-sort-CVE-2025-5278.patch: Add upstream patch:
sort with key character offsets of SIZE_MAX, could induce
a read of 1 byte before an allocated heap buffer.
(CVE-2025-5278, bsc#1243767)
- transactional-update
-
- Build with PIE enabled [bsc#1239954]
- glib2
-
- Add glib2-CVE-2025-4373.patch: carefully handle gssize parameters
(bsc#1242844 CVE-2025-4373 glgo#GNOME/glib#3677).
- iputils
-
- Security fix [bsc#1243772, CVE-2025-48964]
* Fix integer overflow in ping statistics via zero timestamp
* Add iputils-CVE-2025-48964_01.patch
* Add iputils-CVE-2025-48964_02.patch
* Add iputils-CVE-2025-48964_03.patch
* Add iputils-CVE-2025-48964_regression.patch
- mozilla-nss
-
- update to NSS 3.112
* bmo#1963792 - Fix alias for mac workers on try
* bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* bmo#1931930 - ABI/API break in ssl certificate processing
* bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* bmo#1965754 - update taskgraph to v14.2.1
* bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag
* bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
* bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 - update taskgraph to v14.1.1
* bmo#1962503 - Partial fix for ACVP build CI job
* bmo#1961827 - Initialize find in sftk_searchDatabase
* bmo#1963121 - Add clang-18 to extra builds
* bmo#1963044 - Fault tolerant git fetch for fuzzing
* bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp
* bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* bmo#1963102 - Remove Cryptofuzz CI version check
- update to NSS 3.111
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1957685 - Turn off Websites Trust Bit from CAs
* bmo#1937338 - Update nssckbi version following April 2025 Batch of Changes
* bmo#1943135 - Disable SMIME ‘trust bit’ for GoDaddy CAs
* bmo#1874383 - Replaced deprecated sprintf function with snprintf in dbtool.c
* bmo#1954612 - Need up update NSS for PKCS 3.1
* bmo#1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* bmo#1953097 - Decrease ASAN quarantine size for Cryptofuzz in CI
* bmo#1943962 - selfserv: Add support for zlib certificate compression
- update to NSS 3.110
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
* bmo#1953429 - Remove Crl templates from ASN1 fuzz target
* bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
* bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
* bmo#1930807 - NSS policy updates
* bmo#1951161 - Improve locking in nssPKIObject_GetInstances
* bmo#1951394 - Fix race in sdb_GetMetaData
* bmo#1951800 - Fix member access within null pointer
* bmo#1950077 - Increase smime fuzzer memory limit
* bmo#1949677 - Enable resumption when using custom extensions
* bmo#1952568 - change CN of server12 test certificate
* bmo#1949118 - Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* bmo#1949118 - Part 1: Fix smime UBSan errors
* bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
* bmo#1951491 - Don't build libpkix in static builds
* bmo#1951395 - handle `-p all` in try syntax
* bmo#1951346 - fix opt-make builds to actually be opt
* bmo#1951346 - fix opt-static builds to actually be opt
* bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
- update to NSS 3.109
* bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* bmo#1930807 - NSS policy updates - fix inaccurate key policy issues
* bmo#1945883 - SMIME fuzz target
* bmo#1914256 - ASN1 decoder fuzz target
* bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests
for fuzzing”
* bmo#1915155 - Add fuzz/README.md
* bmo#1936001 - Part 4: Fix tstclnt arguments script
* bmo#1944545 - Extend pkcs7 fuzz target
* bmo#1912320 - Extend certDN fuzz target
* bmo#1944300 - revert changes to HACL* files from bug 1866841
* bmo#1936001 - Part 3: Package frida corpus script
- update to NSS 3.108
* bmo#1923285 - libclang-16 -> libclang-19
* bmo#1939086 - Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* bmo#1915902 - Remove SwissSign Silver CA – G2
* bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
* bmo#1942301 - fix fips test failure on windows
* bmo#1935925 - change default sensitivity of KEM keys
* bmo#1936001 - Part 1: Introduce frida hooks and script
* bmo#1942350 - add missing arm_neon.h include to gcm.c
* bmo#1831552 - ci: update windows workers to win2022
* bmo#1831552 - strip trailing carriage returns in tools tests
* bmo#1880256 - work around unix/windows path translation issues
in cert test script
* bmo#1831552 - ci: let the windows setup script work without $m
* bmo#1880255 - detect msys
* bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
* bmo#1930807 - NSS policy updates
* bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
* bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
* bmo#1930806 - FIPS changes need to be upstreamed - updated POST
* bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
* bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
* bmo#1935984 - Ensure zero-initialization of collectArgs.cert
* bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
* bmo#1915898 - Fix actual underlying ODR violations issue
* bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* bmo#1934526 - Fix memory leak in pkcs7 fuzz target
* bmo#1934529 - Set -O2 for ASan builds in CI
* bmo#1934543 - Change branch of tlsfuzzer dependency
* bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
* bmo#1934241 - Fix coverage failure in CI
* bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* bmo#1913677 - Part 3: Restructure fuzz/
* bmo#1931925 - Extract testcases from ssl gtests for fuzzing
* bmo#1923037 - Force Cryptofuzz to use NSS in CI
* bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
* bmo#1933154 - Update Cryptofuzz repository link
* bmo#1926256 - fix build error from 9505f79d
* bmo#1926256 - simplify error handling in get_token_objects_for_cache
* bmo#1931973 - nss doc: fix a warning
* bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
- remove obsolete patches
* nss-fips-safe-memset.patch
* nss-bmo1930797.patch
- update to NSS 3.107
* bmo#1923038 - Remove MPI fuzz targets.
* bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
* bmo#1919015 - Enable PKCS8 fuzz target.
* bmo#1923037 - Integrate Cryptofuzz in CI.
* bmo#1913677 - Part 2: Set tls server target socket options in config class
* bmo#1913677 - Part 1: Set tls client target socket options in config class
* bmo#1913680 - Support building with thread sanitizer.
* bmo#1922392 - set nssckbi version number to 2.72.
* bmo#1919913 - remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* bmo#1920641 - remove Security Communication RootCA3 root cert.
* bmo#1918559 - remove SecureSign RootCA11 root cert.
* bmo#1922387 - Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 - update expected error code in pk12util pbmac1 tests.
* bmo#1929041 - Use random tstclnt args with handshake collection script
* bmo#1920466 - Remove extraneous assert in ssl3gthr.c.
* bmo#1928402 - Adding missing release notes for NSS_3_105.
* bmo#1874451 - Enable the disabled mlkem tests for dtls.
* bmo#1874451 - NSS gtests filter cleans up the constucted buffer
before the use.
* bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
* bmo#1925503 - Remove short circuit test from ssl_Init.
- fix build on loongarch64 (setting it as 64bit arch)
- Remove upstreamed bmo-1400603.patch
- Added nss-bmo1930797.patch to fix failing tests in testsuite
- update to NSS 3.106
* bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
* bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
* bmo#1899402 - Correctly destroy bulkkey in error scenario.
* bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
* bmo#1923002 - Extract certificates with handshake collection script.
* bmo#1923006 - Specify len_control for fuzz targets.
* bmo#1923280 - Fix memory leak in dumpCertificatePEM.
* bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
* bmo#1921768 - allow null phKey in NSC_DeriveKey.
* bmo#1921801 - Only create seed corpus zip from existing corpus.
* bmo#1826035 - Use explicit allowlist for for KDF PRFS.
* bmo#1920138 - Increase optimization level for fuzz builds.
* bmo#1920470 - Remove incorrect assert.
* bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
* bmo#1920945 - Polish corpus collection for automation.
* bmo#1917572 - Detect new and unfuzzed SSL options.
* bmo#1804646 - PKCS12 fuzzing target.
- requires NSPR 4.36
- update to NSS 3.105
* bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
* bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
* bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
* bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* bmo#1918767 - override default definition of KRML_MUSTINLINE
* bmo#1916525 - libssl support for mlkem768x25519
* bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
* bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
* bmo#1911912 - Avoid misuse of ctype(3) functions
* bmo#1917311 - part 2: run clang-format
* bmo#1917311 - part 1: upgrade to clang-format 13
* bmo#1916953 - clang-format fuzz
* bmo#1910370 - DTLS client message buffer may not empty be on retransmit
* bmo#1916413 - Optionally print config for TLS client and server
fuzz target
* bmo#1916059 - Fix some simple documentation issues in NSS.
* bmo#1915439 - improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
- Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
- update to NSS 3.104
* bmo#1910071 - Copy original corpus to heap-allocated buffer
* bmo#1910079 - Fix min ssl version for DTLS client fuzzer
* bmo#1908990 - Remove OS2 support just like we did on NSPR
* bmo#1910605 - clang-format NSS improvements
* bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
* bmo#1908990 - removing dirent.c from build
* bmo#1902078 - Allow handing in keymaterial to shlibsign to make
the output reproducible
* bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
* bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* bmo#1908990 - remove mentions of WIN95
* bmo#1908990 - remove mentions of WIN16
* bmo#1913750 - More explicit directory naming
* bmo#1913755 - Add more options to TLS server fuzz target
* bmo#1913675 - Add more options to TLS client fuzz target
* bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
* bmo#1908012 - set nssckbi version number to 2.70.
* bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
* bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
* bmo#1908006 - Add Cybertrust Japan Roots to NSS.
* bmo#1908004 - Add Taiwan CA Roots to NSS.
* bmo#1911354 - remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* bmo#1913132 - Fix tstclnt CI build failure
* bmo#1913047 - vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* bmo#1912427 - Enable all supported protocol versions for UDP
* bmo#1910361 - Actually use random PSK hash type
* bmo#1911576 - Initialize NSS DB once
* bmo#1910361 - Additional ECH cipher suites and PSK hash types
* bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
* bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
* bmo#1910605 - clang-format shlibsign.c
- remove obsolete nss-reproducible-builds.patch
- update to NSS 3.103
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
* bmo#1903783 - Adjust libFuzzer size limits
* bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
- update to NSS 3.102.1
* bmo#1905691 - ChaChaXor to return after the function
- update to NSS 3.102
* bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* bmo#1660676 - correct length of raw SPKI data before printing in pp utility.
- Add nss-reproducible-chksums.patch to make NSS-build reproducible
Use key from openssl (bsc#1081723)
- Updated nss-fips-approved-crypto-non-ec.patch to exclude the
SHA-1 hash from SLI approval.
- libgcrypt
-
- Security fix [bsc#1221107, CVE-2024-2236]
* Add --enable-marvin-workaround to spec to enable workaround
* Fix timing based side-channel in RSA implementation ( Marvin attack )
* Add libgcrypt-CVE-2024-2236_01.patch
* Add libgcrypt-CVE-2024-2236_02.patch
* Add libgcrypt-CVE-2024-2236_03.patch
- gnutls
-
- Fix heap buffer overread when handling the CT SCT extension during X.509
certificate parsing [bsc#1246233, CVE-2025-32989]
* Add patch gnutls-CVE-2025-32989.patch
- Fix double-free due to incorrect ownership handling in the export logic of
SAN entries containing an otherName [bsc#1246232, CVE-2025-32988]
* Add patch gnutls-CVE-2025-32988.patch
- Fix 1-byte heap buffer overflow when parsing templates with certtool
[bsc#1246267, CVE-2025-32990]
* Add patch gnutls-CVE-2025-32990.patch
- Fix NULL pointer dereference when 2nd Client Hello omits PSK
[bsc#1246299, CVE-2025-6395]
* Add patch gnutls-CVE-2025-6395.patch
- libxml2
-
- security update
- added patches
CVE-2025-49794 [bsc#1244554], heap use after free (UAF) can lead to Denial of service (DoS)
CVE-2025-49796 [bsc#1244557], type confusion may lead to Denial of service (DoS)
+ libxml2-CVE-2025-49794,49796.patch
- security update
- added patches
CVE-2025-6170 [bsc#1244700], stack buffer overflow may lead to a crash
CVE-2025-6021 [bsc#1244580], Integer Overflow in xmlBuildQName() Leads to Stack Buffer Overflow in libxml2
+ libxml2-CVE-2025-6170,6021.patch
- salt
-
- Add `minion_legacy_req_warnings` option to avoid noisy warnings
- Require M2Crypto >= 0.44.0 for SUSE Family distros
- Added:
* add-minion_legacy_req_warnings-option-to-avoid-noisy.patch
- Prevent tests failures when pygit2 is not present
- Several fixes for security issues
(bsc#1244561, CVE-2024-38822)
(bsc#1244564, CVE-2024-38823)
(bsc#1244565, CVE-2024-38824)
(bsc#1244566, CVE-2024-38825)
(bsc#1244567, CVE-2025-22240)
(bsc#1244568, CVE-2025-22236)
(bsc#1244570, CVE-2025-22241)
(bsc#1244571, CVE-2025-22237)
(bsc#1244572, CVE-2025-22238)
(bsc#1244574, CVE-2025-22239)
(bsc#1244575, CVE-2025-22242)
* Request server hardening
* Prevent traversal in local_cache::save_minions
* Add test and fix for file_recv cve
* Fix traversal in gitfs find_file
* Fix traversal in salt.utils.virt
* Fix traversal in pub_ret
* Reasonable failures when pillars timeout
* Make send_req_async wait longer
* Remove token to prevent decoding errors
* Fix checking of non-url style git remotes
* Allow subdirs in GitFS find_file check
- Add subsystem filter to udev.exportdb (bsc#1236621)
- tornado.httputil: raise errors instead of logging in
multipart/form-data parsing (CVE-2025-47287, bsc#1243268)
- Fix Ubuntu 24.04 edge-case test failures
- Fix broken tests for Ubuntu 24.04
- Fix refresh of osrelease and related grains on Python 3.10+
- Make "salt" package to obsolete "python3-salt" package on SLE15SP7+
- Fix issue requiring proper Python flavor for dependencies and recommended package
- Added:
* fix-tests-issues-in-salt-shaker-environments-721.patch
* several-fixes-for-security-issues.patch
* fix-of-cve-2025-47287-bsc-1243268-718.patch
* add-subsystem-filter-to-udev.exportdb-bsc-1236621-71.patch
* fix-ubuntu-24.04-specific-failures-716.patch
* fix-debian-tests-715.patch
* fix-refresh-of-osrelease-and-related-grains-on-pytho.patch