- SUSEConnect
-
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
- containerd
-
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
fixes CVE-2020-15257. bsc#1178969 bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
boo#1176708
- Refresh patches:
* 0001-makefile-remove-emoji.patch
- Use Go 1.13 for build.
- cups
-
- cups-1.7.5-CVE-2020-10001.patch fixes CVE-2020-10001
access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-1.7.5-CVE-2019-8842.patch fixes CVE-2019-8842 (bsc#1170671)
the ippReadIO function may under-read an extension field
- curl
-
- Update curl-CVE-2020-8284.patch [bsc#1179398, CVE-2020-8284]
- Security fix: [bsc#1179399, CVE-2020-8285]
* FTP wildcard stack overflow: The wc_statemach() internal
function has been rewritten to use an ordinary loop instead of
the recursive approach.
- Add curl-CVE-2020-8285.patch
- cyrus-sasl
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- docker
-
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(boo#1178801, SLE-16460)
* boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
spurious errors due to Go returning -EINTR from I/O syscalls much more often
(due to Go 1.14's pre-emptive goroutine support).
- bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch
- Add BuildRequires for all -git dependencies so that we catch missing
dependencies much more quickly.
- docker-runc
-
- Switch to Go 1.13 for build.
- flac
-
- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099):
libFLAC-bitreader.c-Fix-out-of-bounds-read.patch
- golang-github-docker-libnetwork
-
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(boo#1178801, SLE-16460)
* boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to libnetwork 026aabaa6598, which is required for Docker 19.03.12-ce.
- java-1_6_0-ibm
-
- Fixed jpackage-java-1_6_0-ibm-webstart.desktop file to allow
Java jnlp files run from Firefox. [bsc#1057460]
- kdump
-
- kdump-fix-multipath-user_friendly_names.patch: Update references
(bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-remove-console-hvc0-from-commandline.patch: remove
console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
dracut command line (bsc#1177196).
- libnl3
-
- Add libnl3-fix-ipv6-privacy-extension.patch: fix ipv6 privacy
extension of NetworkManager not working by backporting these 3
commits (bsc#1025043):
42c41336000e ("add support for IFA_FLAGS nl attribute")
dcc0baac020e ("addr: add address flag IFA_F_MANAGETEMPADDR")
b203c89d862a ("addr: add address flag IFA_F_NOPREFIXROUTE")
- libxml2
-
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
* key/unique/keyref schema attributes currently use quadratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
- logrotate
-
- Fix false alarm when using su and compress (bsc#1179189)
Applies commit 15a768b340d1010e22955ace518425cdb13bba5f
* Added patch logrotate-3.11.0-false-alarm-for-su-compress.patch
- makedumpfile
-
- makedumpfile-x86_64-xen-vtop.patch: Update references
(bsc#1014136, bsc#1068694, bsc#1162279).
- makedumpfile-vaddr_to_paddr_x86_64-Xen-fix.patch: Fix
vaddr_to_paddr_x86_64 under Xen (bsc#1116830).
- makedumpfile-x86_64-xen-vtop.patch: Remove a hunk that breaks
Xen dumps (bsc#1116830).
- openldap2-client
-
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
where openldap would crash due to malformed inputs.
* patch: 0207-ITS-9383-remove-assert-in-certificateListValidate.patch
* patch: 0208-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- openssh
-
- Add openssh-CVE-2020-14145-information-leak.patch
(CVE-2020-14145, bsc#1173513). This partially mitigates a
potential information leak during host key exchange that could
be exploited by a man-in-the-middle attacker.
- pam-modules
-
- The fail delay is fixed and annoying. The relevant code sections
from factory are backported here. There is no patch as the
file with the offending code resides in the top level directory.
[unix2_chkpw.c, bsc#1070595]
- python-urllib3
-
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
if method contains control characters and thus prevents CRLF
injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
gh#urllib3/urllib3#1800).
- python3
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- python3-base
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- sudo
-
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
* sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
* sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
CVE-2021-23240]
* sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
* sudo-fix-bsc-1180687.patch
- systemd-rpm-macros
-
- Bump to version 5 (bsc#1179020)
Backport changes from SLE15 so SLE12-SP2 and SLE15 versions are
mostly identical.
- Drop reference to FIRST_ARG in newly introduced macro %service_del_postun_without_restart
Influencing the behavior of the macro with 'FIRST_ARG' variable was
a hack. We should not add that to newly introduced interfaces.
- Rename the tag file used to detect when presets need to be applied
Rather than placing these tags directly under /run, let's place them
under /run/systemd/rpm. This also has the benefit to make the
workaround for bsc#1059627 no more needed.
- Move macros.systemd from /etc to /usr (backport from SLE15)
macros.systemd was never meant to be modified and treated like a
configuration file. Hence let's move it to /usr and don't tag it
with %config. In the very unlikely case it's been modified, it will
be backed up with .rpmsave extension but no more read by rpmbuild.
- Add missing macro %_userpresetdir
- rpm: fix %systemd_user_post() macro.
Escape "--user" and "--global" arguments with "\" since rpm treats
arguments starting with "-" as macro options which causes "Unknown
option" rpm error.
Use %{expand:...} to force expansion of the inner macro. Otherwise %{?*}
is recursively defined as "--user --global {%?*}" which causes
"Too many levels of recursion in macro expansion" rpm error.
Upstream commit: e67ba783696f21782ad5c2ba00515d387016e785
- Deprecate '-f'/'-n' options (backported from SLE15)
When used with %service_del_preun, support for these options will be
dropped as DISABLE_STOP_ON_REMOVAL support will be removed on the
next version of SLE (jsc#SLE-8968)
When used with %service_del_postun, they should be replaced with
their counterpart
%service_del_postun_with_restart/%service_del_postun_without_restart
- Backport %service_del_postun_with_restart()
It's the counterpart of %service_del_postun_without_restart() and
replaces the '-f' option of %service_del_postun().
- Backport %systemd_ordering
This macro is already available in later distros and should ease
backports of packages, which rely on it.
- Update some comments
- Really test the presence of systemctl once
No functional changes.
- Split private macros related to presets off as these macros have
never been intended to be used by any package but
systemd-presets-branding. In fact these have been completely removed
since SLE15. So let's move them into a "private" file.
- Don't apply presets when migrating from a disabled initscript (bsc#1178481)
- Test for the presence of systemctl only once in %service_add_{post,pre}
- timezone
-
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.