SUSEConnect
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
cups
- cups-2.2.7-CVE-2020-10001.patch fixes CVE-2020-10001
  access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-2.2.7-CVE-2019-8842.patch fixes CVE-2019-8842 (bsc#1170671)
  the ippReadIO function may under-read an extension field
curl
- Security fix: [bsc#1179593, CVE-2020-8286]
  * Inferior OCSP verification: libcurl offers "/OCSP stapling"/ via
    the 'CURLOPT_SSL_VERIFYSTATUS' option that, when set, verifies
    the OCSP response that a server responds with as part of the TLS
    handshake. It then aborts the TLS negotiation if something is
    wrong with the response. The same feature can be enabled with
    '--cert-status' using the curl tool.
  * As part of the OCSP response verification, a client should verify
    that the response is indeed set out for the correct certificate.
    This step was not performed by libcurl when built or told to use
    OpenSSL as TLS backend.
- Add curl-CVE-2020-8286.patch
- Security fix: [bsc#1179399, CVE-2020-8285]
  * FTP wildcard stack overflow: The wc_statemach() internal
    function has been rewritten to use an ordinary loop instead of
    the recursive approach.
- Add curl-CVE-2020-8285.patch
- Security fix: [bsc#1179398, CVE-2020-8284]
  * Trusting FTP PASV responses: When curl performs a passive FTP
    transfer, it first tries the 'EPSV' command and if that is not
    supported, it falls back to using 'PASV'. A malicious server
    can use the 'PASV' response to trick curl into connecting
    back to a given IP address and port, and this way potentially
    make curl extract information about services that are otherwise
    private and not disclosed.
  * The IP address part of the response is now ignored by default,
    by making 'CURLOPT_FTP_SKIP_PASV_IP' default to '1L'. The same
    goes for the command line tool, which then might need
    '--no-ftp-skip-pasv-ip' set to prevent curl from ignoring the
    address in the server response.
- Add curl-CVE-2020-8284.patch
gmp
- adjusted to be the same license as in factory (bsc#1180603)
- correct license statement (library itself is no GPL-3.0)
groff
- Add 0001-make-package-build-reproducible.patch
    0002-Implement-SOURCE_DATE_EPOCH-for-reproducible-builds.patch
  to make corosync build reproducibly (bsc#1180276)
gzip
- Enable DFLTCC compression for s390x for levels 1-6 (i. e. to make
  it used by default) by adding -DDFLTCC_LEVEL_MASK=0x7e to CLFAGS.
  [jsc#SLE-13775]
- refresh gzip-1.10-ibm_dfltcc_support.patch to fix three data
  corruption issues [bsc#1145276] [jsc#SLE-5818] [jsc#SLE-8914]
- add gzip-1.10-ibm_dfltcc_support.patch [jsc#SLE-5818] [jsc#SLE-8914]
  * it adds support for DFLTCC (hardware-accelerated deflation)
    for s390x arch
  * enable it via "/--enable-dfltcc"/ option
- gzip 1.10:
  * Compressed gzip output no longer contains the current time as
    a timestamp when the input is not a regular file.  Instead, the
    output contains a null (zero) timestamp.  This makes gzip's
    behavior more reproducible when used as part of a pipeline.
  * A use of uninitialized memory on some malformed inputs has been
    fixed.
  * A few theoretical race conditions in signal handers have been
    fixed.
- drop upstreamed patches:
  * gnulib-libio.patch
  * gzip-1.8-deprecate_netstat.patch
- gnulib-libio.patch: Update gnulib for libio.h removal
kdump
- kdump-fix-m_threads-missing-initialization.patch: Update
  references (bsc#1047609, bsc#1047634).
- kdump-fix-multipath-user_friendly_names.patch: Fix multipath
  configuration with user_friendly_names and/or aliases
  (bsc#1111207, LTC#171953, bsc#1125218, LTC#175465, bsc#1153601).
- kdump-recover-from-missing-CRASHTIME.patch: Recover from missing
  CRASHTIME= in VMCOREINFO (bsc#1112387).
- kdump-clean-up-use-of-boot-NIC-names.patch: Clean up the use of
  current vs. boot network interface names (bsc#1094444,
  bsc#1116463, bsc#1141064).
- kdump-custom-namespace-for-physical-NICs.patch: Use a custom
  namespace for physical NICs (bsc#1094444, bsc#1116463,
  bsc#1141064).
- kdump-Add-force-option-to-KDUMP_NETCONFIG.patch: Add "/:force"/
  option to KDUMP_NETCONFIG (bsc#1108919).
- kdump-Add-fence_kdump_send-when-fence-agents-installed.patch: Add
  fence_kdump_send when fence-agents installed (bsc#1108919).
- kdump-FENCE_KDUMP_SEND-variable.patch: Use var for path of
  fence_kdump_send and remove the unnecessary PRESCRIPT check
  (bsc#1108919).
- kdump-Document-fence_kdump_send.patch: Document kdump behaviour
  for fence_kdump_send (bsc#1108919).
- kdump-Restore-only-static-routes-in-kdump-initrd.patch: Restore
  only static routes in kdump initrd (bsc#1093795).
- kdump-use-pbl.patch: Replace obsolete perl-Bootloader library
  with a simpler script (bsc#1050349).
- kdump-remove-console-hvc0-from-commandline.patch: remove
  console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
  console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
  noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
  skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
  dracut command line (bsc#1177196).
keyutils
- adjust the library license to be LPGL-2.1+ only (the tools are GPL2+,
  the library is just LGPL-2.1+) (bsc#1180603)
libidn2
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  match factory licenses (bsc#1180138)
libselinux
- In selinux-ready
  * Removed check for selinux-policy package as we don't ship one
    (bsc#1136845)
  * Add check that restorecond is installed and enabled
- Set License: to correct value (bsc#1135710 bsc#1180603)
libxml2
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
  * key/unique/keyref schema attributes currently use qudratic loops
    to check their various constraints (that keys are unique and that
    keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
openldap2
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
    where openldap would crash due to malformed inputs.
  * patch: 0209-ITS-9383-remove-assert-in-certificateListValidate.patch
  * patch: 0210-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- bsc#1179503 - fix proxy retry binds to a remote server
  * patch: 0208-ITS-9400-back-ldap-fix-retry-binds.patch
openssh
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
  openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
  (bsc#1148566). Fixes a class of false alarms due to filename
  validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-CVE-2020-14145-information-leak.patch
  (CVE-2020-14145, bsc#1173513). This partially mitigates a
  potential information leak during host key exchange that could
  be exploited by a man-in-the-middle attacker.
pam
- Create macros.pam with definition of %_pamdir so packages which
  are commonly shared between Factory and SLE can use this macro
  [pam.spec]
python
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python3
- readd --with-fpectl (bsc#1180377)
- Adjust sphinx-update-removed-function.patch
- (bsc#1179630) Update sphinx-update-removed-function.patch to
  work with all versions of Sphinx (not binding the Python
  documentation build to the latest verison of Sphinx). Updated
  version mentioned on gh#python/cpython#13236.
- Add CVE-2020-27619-no-eval-http-content.patch fixing
  CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Add patch sphinx-update-removed-function.patch to no longer call
  a now removed function (gh#python/cpython#13236). As
  a consequence, no longer pin Sphinx version.
- Pin Sphinx version to fix doc subpackage
- Change setuptools and pip version numbers according to new wheels
- Add ignore_pip_deprec_warn.patch to switch of persistently
  failing test.
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- Rebase bpo23395-PyErr_SetInterrupt-signal.patch
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "/..."/:  x86 == ppc.
- Fix installing .desktop file
- Buildrequire timezone only for general flavor. It's used in this
  flavor for the test suite.
- Add faulthandler_stack_overflow_on_GCC10.patch to make build
  working even with GCC10 (bpo#38965).
- Just cleanup and reordering items to synchronize with python38
- Format with spec-cleaner
- riscv64-support.patch: bpo-33377: add triplets for mips-r6 and riscv
  (#6655)
- riscv64-ctypes.patch: bpo-35847: RISC-V needs CTYPES_PASS_BY_REF_HACK
  (GH-11694)
- Update list of tests to exclude under qemu linux-user
- Update the python keyring
- Correct libpython name
- Drop patches which are not mentioned in spec:
  * CVE-2019-5010-null-defer-x509-cert-DOS.patch
  * F00102-lib64.patch
  * F00251-change-user-install-location.patch
  * OBS_dev-shm.patch
  * SUSE-FEDORA-multilib.patch
  * bpo-31046_ensurepip_honours_prefix.patch
  * bpo34022-stop_hash-based_invalidation_w_SOURCE_DATE_EPOCH.patch
  * bpo36302-sort-module-sources.patch
  * bpo40784-Fix-sqlite3-deterministic-test.patch
  * bsc1167501-invalid-alignment.patch
  * python3-imp-returntype.patch
- Working around missing python-packaging dependency in
  python-Sphinx (bsc#1174571) is not necessary anymore.
- Update to 3.6.12 (bsc#1179193)
  * Ensure python3.dll is loaded from correct locations when Python is embedded
  * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface
    incorrectly generated constant hash values of 32 and 128 respectively. This
    resulted in always causing hash collisions. The fix uses hash() to generate
    hash values for the tuple of (address, mask length, network address).
  * Prevent http header injection by rejecting control characters in
    http.client.putrequest(…).
  * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now
    UnpicklingError instead of crashing.
  * Avoid infinite loop when reading specially crafted TAR files using the tarfile
    module
- Drop merged fixtures:
  * CVE-2020-14422-ipaddress-hash-collision.patch
  * CVE-2019-20907_tarfile-inf-loop.patch
  * recursion.tar
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
- Make library names internally consistent
- Disable profile optimalizations as they deadlock in test_faulthandler
- Disable lto as it causes mess and works with 3.7 onwards only
- Sync the test disablements from the python3 in sle15
- Update to 3.6.11:
  - bpo-39073: Disallow CR or LF in email.headerregistry. Address
    arguments to guard against header injection attacks.
  - bpo-38576 (bsc#1155094): Disallow control characters in
    hostnames in http.client, addressing CVE-2019-18348. Such
    potentially malicious header injection URLs now cause
    a InvalidURL to be raised.
  - bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class
    of the urllib.request module uses an inefficient regular
    expression which can be exploited by an attacker to cause
    a denial of service. Fix the regex to prevent the
    catastrophic backtracking. Vulnerability reported by Ben
    Caller and Matt Schwager.
  - bpo-39401: Avoid unsafe load of
    api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch
- Fix minor issues found in the staging.
- Do not set ourselves as a primary interpreter
  - CVE-2019-16935-xmlrpc-doc-server_title.patch (and also
    bpo37614-race_test_docxmlrpc_srv_setup.patch, which was
    resolving bsc#1174701).
release-notes-sles
- 15.0.20201217 (tracked in bsc#1180184)
- Added note about Git 2.26.2 update (jsc#SLE-12396)
- Added note about removal of libjpeg-turbo (bsc#1150224)
- Added note about alternatives system & display manager (bsc#1163166)
- Updated URL for source code download (bsc#1150672)
rsyslog
- imfile: suppress segfault in ratelimiter (bsc#1176355)
  * add 0001-bugfix-imfile-segfault-in-ratelimiter.patch
sudo
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
  * sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
  [bsc#1180684,CVE-2021-23239]
  * sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
  CVE-2021-23240]
  * sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
  * sudo-fix-bsc-1180687.patch
systemd
- Add 0001-cgroup-actually-reset-the-cgroup-invalidation-mask-a.patch (bsc#1178775)
  It's been added in quarantine for now on.
- Import commit c720c4d784b85feab124eae39919bec59e061ff5
  bd6bedd353 udev: create /dev/disk/by-label symlink for LUKS2 (#8998) (bsc#1180885)
- Import commit 080062ed5f90b8a4085a89f2ad30ee320fab27c9
  80e37dcacc busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225)
  2ee6877bb3 core: make sure to restore the control command id, too
  d1b9949337 scope: on unified, make sure to unwatch all PIDs once they've been moved to the cgroup scope
  af5945c2f4 fileio: tweak write_string_stream_ts() to write out trailing n in one go even if buffering is off
  a28c165efa fileio: write_string_stream_ts: check for file errors immediately
  dc122eb771 fileio: write_string_stream_ts: return errors from fputs and fputc
  14c89b1424 fileio: make write_string_stream() accept flags parameter
  2959e7dfe6 journal: do not trigger assertion when journal_file_close() get NULL (bsc#1179824)
  08db1ac361 cgroup: drastically simplify caching of cgroups members mask (bsc#1175458)
  bb59042ab4 cgroup: extend comment on what unit_release_cgroup() is for
  ead2955f65 cgroup: document what the various masks variables are used for
  805fe8ecdf cgroup: extend cg_mask_supported() comment a bit
  305806da38 cgroup: tweak log message, so that it doesn't claim we always enable controllers when we actually disable them
  d02ce63463 cgroup-util: disable buffering for cg_enable_everywhere() when writing to cgroup attributes
  b4e9893f5d cgroup-util: fix enabling of controllers (#8816)
  e7dd277c1b cgroup: propagate errors when we cannot open cgroup.subtree_control
  7c8f19714f cgroup-util: optimization — open subtree_control file only once for all controllers
  7999763781 cgroup: add explanatory comment
  2829342e7a cgroup: units that aren't loaded properly should not result in cgroup controllers being pulled in
  48a0d85047 cgroup: make unit_get_needs_bpf_firewall() static too
  888dc39134 cgroup: make some functions static
  6c0efa2f01 cgroup: suffix settings with "/="/ in log messages where appropriate
  e69d9927c6 cgroup: use structured initialization
  5174fb9622 core: fix message about detected memory hierarchy
  3b6443e1ee core: use safe_fclose() where we can
  906dcf1f6b udev: Fix sound.target dependency (bsc#1179363)
  2c9866d55a rules: enable hardware-related targets also for user instances
  127e546608 sd-event: fix delays assert brain-o (#17790)
  b98b6d230c core: serialize u->pids until the processes have been moved to the scope cgroup (bsc#1174436)
  2f50b9ecf1 time-util: treat /etc/localtime missing as UTC (bsc#1141597)
tcl
- bsc#1179615: TCL_LIBS in tclConfig.sh possibly breaks build on
  newer service packs and is not needed for linking to a dynamic
  libtcl anyway, so make it empty.
timezone
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
    fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.