- SUSEConnect
-
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
- cups
-
- cups-2.2.7-CVE-2020-10001.patch fixes CVE-2020-10001
access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-2.2.7-CVE-2019-8842.patch fixes CVE-2019-8842 (bsc#1170671)
the ippReadIO function may under-read an extension field
- curl
-
- Security fix: [bsc#1179593, CVE-2020-8286]
* Inferior OCSP verification: libcurl offers "/OCSP stapling"/ via
the 'CURLOPT_SSL_VERIFYSTATUS' option that, when set, verifies
the OCSP response that a server responds with as part of the TLS
handshake. It then aborts the TLS negotiation if something is
wrong with the response. The same feature can be enabled with
'--cert-status' using the curl tool.
* As part of the OCSP response verification, a client should verify
that the response is indeed set out for the correct certificate.
This step was not performed by libcurl when built or told to use
OpenSSL as TLS backend.
- Add curl-CVE-2020-8286.patch
- Security fix: [bsc#1179399, CVE-2020-8285]
* FTP wildcard stack overflow: The wc_statemach() internal
function has been rewritten to use an ordinary loop instead of
the recursive approach.
- Add curl-CVE-2020-8285.patch
- Security fix: [bsc#1179398, CVE-2020-8284]
* Trusting FTP PASV responses: When curl performs a passive FTP
transfer, it first tries the 'EPSV' command and if that is not
supported, it falls back to using 'PASV'. A malicious server
can use the 'PASV' response to trick curl into connecting
back to a given IP address and port, and this way potentially
make curl extract information about services that are otherwise
private and not disclosed.
* The IP address part of the response is now ignored by default,
by making 'CURLOPT_FTP_SKIP_PASV_IP' default to '1L'. The same
goes for the command line tool, which then might need
'--no-ftp-skip-pasv-ip' set to prevent curl from ignoring the
address in the server response.
- Add curl-CVE-2020-8284.patch
- gmp
-
- adjusted to be the same license as in factory (bsc#1180603)
- correct license statement (library itself is no GPL-3.0)
- groff
-
- Add 0001-make-package-build-reproducible.patch
0002-Implement-SOURCE_DATE_EPOCH-for-reproducible-builds.patch
to make corosync build reproducibly (bsc#1180276)
- gzip
-
- Enable DFLTCC compression for s390x for levels 1-6 (i. e. to make
it used by default) by adding -DDFLTCC_LEVEL_MASK=0x7e to CLFAGS.
[jsc#SLE-13775]
- refresh gzip-1.10-ibm_dfltcc_support.patch to fix three data
corruption issues [bsc#1145276] [jsc#SLE-5818] [jsc#SLE-8914]
- add gzip-1.10-ibm_dfltcc_support.patch [jsc#SLE-5818] [jsc#SLE-8914]
* it adds support for DFLTCC (hardware-accelerated deflation)
for s390x arch
* enable it via "/--enable-dfltcc"/ option
- gzip 1.10:
* Compressed gzip output no longer contains the current time as
a timestamp when the input is not a regular file. Instead, the
output contains a null (zero) timestamp. This makes gzip's
behavior more reproducible when used as part of a pipeline.
* A use of uninitialized memory on some malformed inputs has been
fixed.
* A few theoretical race conditions in signal handers have been
fixed.
- drop upstreamed patches:
* gnulib-libio.patch
* gzip-1.8-deprecate_netstat.patch
- gnulib-libio.patch: Update gnulib for libio.h removal
- kdump
-
- kdump-fix-m_threads-missing-initialization.patch: Update
references (bsc#1047609, bsc#1047634).
- kdump-fix-multipath-user_friendly_names.patch: Fix multipath
configuration with user_friendly_names and/or aliases
(bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-recover-from-missing-CRASHTIME.patch: Recover from missing
CRASHTIME= in VMCOREINFO (bsc#1112387).
- kdump-clean-up-use-of-boot-NIC-names.patch: Clean up the use of
current vs. boot network interface names (bsc#1094444,
bsc#1116463, bsc#1141064).
- kdump-custom-namespace-for-physical-NICs.patch: Use a custom
namespace for physical NICs (bsc#1094444, bsc#1116463,
bsc#1141064).
- kdump-Add-force-option-to-KDUMP_NETCONFIG.patch: Add "/:force"/
option to KDUMP_NETCONFIG (bsc#1108919).
- kdump-Add-fence_kdump_send-when-fence-agents-installed.patch: Add
fence_kdump_send when fence-agents installed (bsc#1108919).
- kdump-FENCE_KDUMP_SEND-variable.patch: Use var for path of
fence_kdump_send and remove the unnecessary PRESCRIPT check
(bsc#1108919).
- kdump-Document-fence_kdump_send.patch: Document kdump behaviour
for fence_kdump_send (bsc#1108919).
- kdump-Restore-only-static-routes-in-kdump-initrd.patch: Restore
only static routes in kdump initrd (bsc#1093795).
- kdump-use-pbl.patch: Replace obsolete perl-Bootloader library
with a simpler script (bsc#1050349).
- kdump-remove-console-hvc0-from-commandline.patch: remove
console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
dracut command line (bsc#1177196).
- keyutils
-
- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+,
the library is just LGPL-2.1+) (bsc#1180603)
- libidn2
-
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
match factory licenses (bsc#1180138)
- libselinux
-
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Set License: to correct value (bsc#1135710 bsc#1180603)
- libxml2
-
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
* key/unique/keyref schema attributes currently use qudratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
- openldap2
-
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
where openldap would crash due to malformed inputs.
* patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
* patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- bsc#1179503 - fix proxy retry binds to a remote server
* patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
- openssh
-
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
(bsc#1148566). Fixes a class of false alarms due to filename
validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-CVE-2020-14145-information-leak.patch
(CVE-2020-14145, bsc#1173513). This partially mitigates a
potential information leak during host key exchange that could
be exploited by a man-in-the-middle attacker.
- pam
-
- Create macros.pam with definition of %_pamdir so packages which
are commonly shared between Factory and SLE can use this macro
[pam.spec]
- python
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- python-base
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- python3
-
- readd --with-fpectl (bsc#1180377)
- Adjust sphinx-update-removed-function.patch
- (bsc#1179630) Update sphinx-update-removed-function.patch to
work with all versions of Sphinx (not binding the Python
documentation build to the latest verison of Sphinx). Updated
version mentioned on gh#python/cpython#13236.
- Add CVE-2020-27619-no-eval-http-content.patch fixing
CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
calls eval() on content retrieved via HTTP.
- Add patch sphinx-update-removed-function.patch to no longer call
a now removed function (gh#python/cpython#13236). As
a consequence, no longer pin Sphinx version.
- Pin Sphinx version to fix doc subpackage
- Change setuptools and pip version numbers according to new wheels
- Add ignore_pip_deprec_warn.patch to switch of persistently
failing test.
- Handful of changes to make python36 compatible with SLE15 and SLE12
(jsc#ECO-2799, jsc#SLE-13738)
- Rebase bpo23395-PyErr_SetInterrupt-signal.patch
- Fix build with RPM 4.16: error: bare words are no longer
supported, please use "/..."/: x86 == ppc.
- Fix installing .desktop file
- Buildrequire timezone only for general flavor. It's used in this
flavor for the test suite.
- Add faulthandler_stack_overflow_on_GCC10.patch to make build
working even with GCC10 (bpo#38965).
- Just cleanup and reordering items to synchronize with python38
- Format with spec-cleaner
- riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv
(#6655)
- riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK
(GH-11694)
- Update list of tests to exclude under qemu linux-user
- Update the python keyring
- Correct libpython name
- Drop patches which are not mentioned in spec:
* CVE-2019-5010-null-defer-x509-cert-DOS.patch
* F00102-lib64.patch
* F00251-change-user-install-location.patch
* OBS_dev-shm.patch
* SUSE-FEDORA-multilib.patch
* bpo-31046_ensurepip_honours_prefix.patch
* bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch
* bpo36302-sort-module-sources.patch
* bpo40784-Fix-sqlite3-deterministic-test.patch
* bsc1167501-invalid-alignment.patch
* python3-imp-returntype.patch
- Working around missing python-packaging dependency in
python-Sphinx (bsc#1174571) is not necessary anymore.
- Update to 3.6.12 (bsc#1179193)
* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface
incorrectly generated constant hash values of 32 and 128 respectively. This
resulted in always causing hash collisions. The fix uses hash() to generate
hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in
http.client.putrequest(…).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile
module
- Drop merged fixtures:
* CVE-2020-14422-ipaddress-hash-collision.patch
* CVE-2019-20907_tarfile-inf-loop.patch
* recursion.tar
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
- Make library names internally consistent
- Disable profile optimalizations as they deadlock in test_faulthandler
- Disable lto as it causes mess and works with 3.7 onwards only
- Sync the test disablements from the python3 in sle15
- Update to 3.6.11:
- bpo-39073: Disallow CR or LF in email.headerregistry. Address
arguments to guard against header injection attacks.
- bpo-38576 (bsc#1155094): Disallow control characters in
hostnames in http.client, addressing CVE-2019-18348. Such
potentially malicious header injection URLs now cause
a InvalidURL to be raised.
- bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class
of the urllib.request module uses an inefficient regular
expression which can be exploited by an attacker to cause
a denial of service. Fix the regex to prevent the
catastrophic backtracking. Vulnerability reported by Ben
Caller and Matt Schwager.
- bpo-39401: Avoid unsafe load of
api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch
- Fix minor issues found in the staging.
- Do not set ourselves as a primary interpreter
- CVE-2019-16935-xmlrpc-doc-server_title.patch (and also
bpo37614-race_test_docxmlrpc_srv_setup.patch, which was
resolving bsc#1174701).
- release-notes-sles
-
- 15.0.20201217 (tracked in bsc#1180184)
- Added note about Git 2.26.2 update (jsc#SLE-12396)
- Added note about removal of libjpeg-turbo (bsc#1150224)
- Added note about alternatives system & display manager (bsc#1163166)
- Updated URL for source code download (bsc#1150672)
- rsyslog
-
- imfile: suppress segfault in ratelimiter (bsc#1176355)
* add 0001-bugfix-imfile-segfault-in-ratelimiter.patch
- sudo
-
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
* sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
* sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
CVE-2021-23240]
* sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
* sudo-fix-bsc-1180687.patch
- systemd
-
- Add 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch (bsc#1178775)
It's been added in quarantine for now on.
- Import commit c720c4d784b85feab124eae39919bec59e061ff5
bd6bedd353 udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885)
- Import commit 080062ed5f90b8a4085a89f2ad30ee320fab27c9
80e37dcacc busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225)
2ee6877bb3 core: make sure to restore the control command id, too
d1b9949337 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope
af5945c2f4 fileio: tweak write_string_stream_ts() to write out trailing n in one go even if buffering is off
a28c165efa fileio: write_string_stream_ts: check for file errors immediately
dc122eb771 fileio: write_string_stream_ts: return errors from fputs and fputc
14c89b1424 fileio: make write_string_stream() accept flags parameter
2959e7dfe6 journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824)
08db1ac361 cgroup: drastically simplify caching of cgroups members mask (bsc#1175458)
bb59042ab4 cgroup: extend comment on what unit_release_cgroup() is for
ead2955f65 cgroup: document what the various masks variables are used for
805fe8ecdf cgroup: extend cg_mask_supported() comment a bit
305806da38 cgroup: tweak log message, so that it doesn't claim we always enable controllers when we actually disable them
d02ce63463 cgroup-util: disable buffering for cg_enable_everywhere() when writing to cgroup attributes
b4e9893f5d cgroup-util: fix enabling of controllers (#8816)
e7dd277c1b cgroup: propagate errors when we cannot open cgroup.subtree_control
7c8f19714f cgroup-util: optimization — open subtree_control file only once for all controllers
7999763781 cgroup: add explanatory comment
2829342e7a cgroup: units that aren't loaded properly should not result in cgroup controllers being pulled in
48a0d85047 cgroup: make unit_get_needs_bpf_firewall() static too
888dc39134 cgroup: make some functions static
6c0efa2f01 cgroup: suffix settings with "/="/ in log messages where appropriate
e69d9927c6 cgroup: use structured initialization
5174fb9622 core: fix message about detected memory hierarchy
3b6443e1ee core: use safe_fclose() where we can
906dcf1f6b udev: Fix sound.target dependency (bsc#1179363)
2c9866d55a rules: enable hardware-related targets also for user instances
127e546608 sd-event: fix delays assert brain-o (#17790)
b98b6d230c core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436)
2f50b9ecf1 time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- tcl
-
- bsc#1179615: TCL_LIBS in tclConfig.sh possibly breaks build on
newer service packs and is not needed for linking to a dynamic
libtcl anyway, so make it empty.
- timezone
-
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.