- SAPHanaSR
-
- SAPHanaSR-monitor not reporting correctly
(bsc#1192963)
add patch:
0001-bsc-1192963.patch
- Version bump to 0.161.1_BF
- add the required 'xmllint' to the package
(bsc#1201945)
- changes to the demote_clone function of the resource agent:
if the role is '1:P' (topology agent run into timeouts) the
function fail with rc=1, to get the managed resource stopped
changes to the stop_clone function of the topology agent:
call landscapeHostConfiguration.py and set the roles as they were
reported. If the command timed out, set the role to '1:P' and
return 1 to get the node fenced.
The used timeout for the landscapeHostConfiguration.py call can
be configured by the cluster action timeout, if needed. It will
be 50% of the action timeout or the minimum of 300s.
(bsc#1198127)
- add new HA/DR provider hook susChkSrv
(jsc#PED-1241, jsc#PED-1240)
- add new tool SAPHanaSR-manageProvider to show, add and delete
HA/DR provider sections in the global.ini of SAP HANA.
- update suse icon to new branding
- Version bump to 0.160.1
- fix HANA_CALL function to support MCOS environments again
(bsc#1198780)
- fix SAPHanaSR-replay-archive to handle hb_report archives again
(bsc#1198897)
- add HANA_CALL_TIMEOUT parameter back to the resource agents and
read the setting from the cluster configuration, if available.
Defaults to '60'.
Related to github issue#36
- add new HA/DR provider hook susTkOver
(jsc#SLE-16347)
- add new hook script for SAP HANA System Replication Scale-Up Cost
Optimized Scenario.
(jsc#SLE-18613)
- add a new instance parameter 'REMOVE_SAP_SOCKETS'.
It is an optional parameter and defaults to 'true'. Now you can
control, if the RA should remove the unix domain sockets related
to sapstartsrv before (re-)start sapstartsrv or if it should try
to adjust the permissions and ownership of these files instead.
- aaa_base
-
- Drop patches (bsc#1199926 and bsc#1199927)
git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
ping broke in sle15 and sle15sp1 when adding
the sysctl setting for ping_group_range
- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
* The wrapper rootsh is not a restricted shell (bsc#1199492)
- bind
-
- Security Fixes:
* Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused
to severely impact the performance of named running as a recursive
resolver. This has been fixed.
[bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
* A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm.
[bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
* Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm.
[bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
- ca-certificates-mozilla
-
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
Added:
- Certainly Root E1
- Certainly Root R1
- DigiCert SMIME ECC P384 Root G5
- DigiCert SMIME RSA4096 Root G5
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
Removed:
- Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
Added:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- GlobalSign ECC Root CA R4
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- HiPKI Root CA - G1
- ISRG Root X2
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
Removed:
- Cybertrust Global Root
- DST Root CA X3
- DigiNotar PKIoverheid CA Organisatie - G2
- GlobalSign ECC Root CA R4
- GlobalSign Root CA R2
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
+ HARICA Client ECC Root CA 2021
+ HARICA Client RSA Root CA 2021
+ HARICA TLS ECC Root CA 2021
+ HARICA TLS RSA Root CA 2021
+ TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
- NAVER Global Root Certification Authority
- Removed old root CA:
- GeoTrust Global CA
- GeoTrust Primary Certification Authority
- GeoTrust Primary Certification Authority - G3
- GeoTrust Universal CA
- GeoTrust Universal CA 2
- thawte Primary Root CA
- thawte Primary Root CA - G2
- thawte Primary Root CA - G3
- VeriSign Class 3 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G5
- cifs-utils
-
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
(bsc#1198976, CVE-2022-29869)
* add cifs-utils-CVE-2022-29869.patch
- cloud-regionsrv-client
-
- Follow up fix to 10.0.4 (bsc#1202706)
- While the source code was updated to support SLE Micro the spec file
was not updated for the new locations of the cache and the certs.
Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
- Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
- Store the update server certs in the /etc path instead of /usr to
accomodate read only setup of SLE-Micro
- crmsh
-
- Update to version 4.3.1+20220610.733357e2:
* Dev: crm report: put info/warning/debug messages into stdout
* Fix: crm report: use sudo when under non root and hacluster user (bsc#1199634)
* Fix: utils: wait4dc: Make change since output of 'crmadmin -S' changed(bsc#1199412)
* Fix: bootstrap: stop and disable csync2.socket on removed node (bsc#1199325)
- cups
-
- cups-branch-2.2-commit-3e4dd41459dabc5d18edbe06eb5b81291885204b.diff
is 'git show 3e4dd41459dabc5d18edbe06eb5b81291885204b' for
https://github.com/apple/cups/commit/3e4dd41459dabc5d18edbe06eb5b81291885204b
(except the not needed hunk for patching CHANGES.md which fails)
that fixes handling of MaxJobTime 0 (Issue #5438) in the CUPS 2.2 branch
bsc#1201511:
Stuck print jobs being cancelled immediately, despite MaxJobTime being set to 0
- curl
-
- Security Fix: [bsc#1204383, CVE-2022-32221]
* POST following PUT confusion
* Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
* Control codes in cookie denial of service
* Add curl-CVE-2022-35252.patch
- cyrus-sasl
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- cyrus-sasl-saslauthd
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- dbus-1
-
- Fix a potential crash that could be triggered by an invalid signature.
(CVE-2022-42010, bsc#1204111)
* fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
bsc#1204112)
* fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption CVE-2022-42012,
bsc#1204113)
* fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
* fix-upstream-CVE-2020-35512.patch
- docker
-
- Backport <https://github.com/containerd/fifo/pull/32> to fix a crash-on-start
issue with dockerd. bsc#1200022
+ 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- dracut
-
- Update to version 049.1+suse.238.gd8dbb075:
* fix(nfs): /var is not mounted during the transactional-update run (bsc#1184970)
* fix(nfs): give /run/rpcbind ownership to rpc user (bsc#1177461)
- expat
-
- Security fix:
* (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
destruction of a shared DTD in XML_ExternalEntityParserCreate in
out-of-memory situations
- Added patch expat-CVE-2022-43680.patch
- Security fix:
* (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
function in xmlparse.c
- Added patch expat-CVE-2022-40674.patch
- fence-agents
-
- Azure fence agent doesn’t work correctly on SLES15 SP3 - fence_azure_arm
fails with error 'MSIAuthentication' object has no attribute 'get_token' - SFSC00334437
(bsc#1195891)
- Apply proposed patch
0001-fix_support_for_sovereign_clouds_and_MSI-439.patch
- freetype2
-
- disable brotli linkage / WOFF2 support for now to keep dependencies
as before.
- Added patches:
* CVE-2022-27404.patch
+ fixes bsc#1198830, CVE-2022-27404: Buffer Overflow
* CVE-2022-27405.patch
+ fixes bsc#1198832, CVE-2022-27405: Segmentation Fault
* CVE-2022-27406.patch
+ fixes bsc#1198823, CVE-2022-27406: Segmentation violation
- Update to version 2.10.4
* Fix a heap buffer overflow has been found in the handling of
embedded PNG bitmaps, introduced in FreeType version 2.6
(CVE-2020-15999 bsc#1177914)
* Minor improvements to the B/W rasterizer.
* Auto-hinter support for Medefaidrin script.
* Fix various memory leaks (mainly for CFF) and other issues that
might cause crashes in rare circumstances.
- Update to version 2.10.2
* Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec)
* Function `FT_Get_Var_Axis_Flags' returned random data for Type 1
MM fonts.
* Type 1 fonts with non-integer metrics are now supported by the new
(CFF) engine introduced in FreeType 2.9.
* Drop support for Python 2 in Freetype's API reference generator
* Auto-hinter support for Hanifi Rohingya
* Document the `FT2_KEEP_ALIVE' debugging environment variable.
- gdk-pixbuf
-
- Add gdk-pixbuf-CVE_2021-44648.patch: check for maximum LZW code
size (boo#1194633 CVE-2021-44648). Also add
gdk_pixbuf_new_tests.tar.xz for some new gif tests.
- Add gdk-pixbuf-CVE-2021-46829.patch: check for overflow when
compositing or clearing frames (boo#1201826 CVE-2021-46829).
- gnutls
-
- Security fix: [bsc#1202020, CVE-2022-2509]
* Fixed double free during verification of pkcs7 signatures
* Add gnutls-CVE-2022-2509.patch
- google-guest-agent
-
- Update to version 20220713.00 (bsc#1202100, bsc#1202101)
* try restoring module mode (#172)
* update for golang 1.16 (#171)
- from version 20220614.00
* Remove log that can break startup scripts (#170)
- from version 20220603.00
* repeat fix for arm (#169)
* no authorized keys on debian (#168)
- from version 20220527.00
* Add authorized keys command to the Windows agent package. (#167)
* Support for Windows SSH (#164)
- from version 20220523.00
* restore double slash metadata url (#166)
- from version 20220520.00
* Support .exe as an option for scripts and refactor runScript (#165)
- Update to version 20220429.00
* Move some functionality to a utils module (#162)
- Update to version 20220412.00
* enable goproxy during build (#163)
- from version 20220321.00
* enable routes for ipv6 (#160)
- google-guest-oslogin
-
- Update to version 20220721.00 (bsc#1202100, bsc#1202101)
* prune outdated info from readme (#86)
- from version 20220714.00
* strip json-c version symbol (#84)
- from version 20220622.00
* pam login: split conditions for logging (#83)
- use pam_moduledir (boo#1191036)
* Support UsrMerge project
- Update to version 20220411.00
* pam login: split conditions for logging (#83)
- google-osconfig-agent
-
- Use install command in %post section to create state file (bsc#1202826)
- Remove useless creation of state file directory in /var/lib
- avoid bashim in post install scripts (bsc#1195391)
- Update to version 20220801.00 (bsc#1202100, bsc#1202101)
* update OWNERS (#438)
* Close client when RegisterAgent fails. (#436)
- from version 20220714.00
* Add timeouts for pip/gem updates. (#433)
- from version 20220623.00
* upgrade to golang 1.16 and override deb build settings for compatibility (#432)
- from version 20220606.00
* new example policy to ensure sshd is running on windows VMs (#430)
- from version 20220531.00
* Add default timeout for pip and gem list commands (#429)
- Don't restart daemon on package upgrade, create a state file instead (bsc#1194319)
- Update to version 20220314.01
* Support COS on arm64 (#426)
- from version 20220314.00
* Fix previous PR: exec.CommandContext cannot be reused (#425)
- from version 20220304.00
* Update the error message when an exec task is run on Windows
without an interpreter (#423)
* Fix string that apt-get returns when requiring downgrade (#422)
* e2e_tests: fix patch test rerun (#421)
* Add --allow-downgrades flag to apt-get calls when it
fails because of wanting to downgrade a package (#418)
* Create e2e test that runs apt-get in a state that makes
it downgrade a package (#420)
* e2e_tests: update OS targets, adjust retries (#419)
* Create change_group.yaml (#416)
- from version 20220215.00
* Add regex support to package exclusion in OS Patch (#415)
- gpg2
-
- Security fix [CVE-2022-34903, bsc#1201225]
- Vulnerable to status injection
- Added patch gnupg-CVE-2022-34903.patch
- harfbuzz
-
- Add harfbuzz-CVE-2022-33068.patch: sbix: limit glyph extents
(boo#1200900 CVE-2022-33068).
- icu
-
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
from upstream, use LocalMemory for cmd to prevent use after free
(bsc#1193951 CVE-2020-21913).
- ipmitool
-
- When really starting the daemon, in lib/helper.c::ipmi_start_daemon()
stdin/stdout/stderr are redirected to /dev/null and this is checked
but the check for stderr tests for STDOUT_FILENO. This is, most
likely, a copy-paste error.
[bsc#1175328, 0007-bsc#1175328-check-for-correct-fd.patch]
- Do not append the device number to the PIDFILE pathname
as this will confuse systemd.
[bsc#1181063, 0008-bsc#1181063-dont-parametrize-pidfile-name.patch]
- iputils
-
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch
(bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
- java-1_8_0-ibm
-
- Update to Java 8.0 Service Refresh 7 Fix Pack 11 [bsc#1202427]
[bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541]
[bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540]
* Defect Fixes:
- Java Virtual Machine: Long dely in AttachAPI
- Update to Java 8.0 Service Refresh 7 Fix Pack 10 [bsc#1201643]
[bsc#1198671, CVE-2022-21476] [bsc#1198670, CVE-2022-21449]
[bsc#1198673, CVE-2022-21496] [bsc#1198674, CVE-2022-21434]
[bsc#1198672, CVE-2022-21426] [bsc#1198675, CVE-2022-21443]
[bsc#1191912, CVE-2021-35561] [bsc#1194931, CVE-2022-21299]
* Class Libraries:
- BigDecimal gives incorrect arithmetic results for the add
and subtract operations on the result of a divide
* Java Virtual Machine:
- jstacktrace sub-option of xtrace doesn't print java stack
while doing method trace
* Security:
- 8217633: Configurable Extensions with system properties
- 8241248: NullPointerException in com.ibm.jsse2.ssl.HKDF.extract
- 8270344: Session resumption errors
- 8277967: Validate the SSLLogger object in KeyShareExtension
- JVM crashes computing Diffie-Hellman shared secrets and JNI
errors while creating elliptic curve public key using IBMJCEPlus
- Key Certificate Manager authority key identifier value incorrect
- SSLv2Hello property value is ignored if specified in
jdk.tls.disabledAlgorithms and SSLv2Hello is set by
setEnabledProtocols()
- There is a memory growth observed during digest operations
using IBMJCEPlus as the provider.
- Update to Java 8.0 Service Refresh 7 Fix Pack 6
* Java Virtual Machine: Crash while generating javacore, or
javacore contains 'Unable to walk in-flight data on call stack'
instead of java stack
* JIT Compiler:
- Java JIT, bad field reference from a tenured object into
the nursery
- JIT compiler crash with vmstate=0x0005ff04
* XML: Fix security vulnerability CVE-2022-21299
- kernel-default
-
- wifi: cfg80211: avoid nontransmitted BSS list corruption
(CVE-2022-42721 bsc#1204060).
- commit ad43041
- wifi: mac80211: fix MBSSID parsing use-after-free
(CVE-2022-42719 bsc#1204051).
- commit 561b313
- wifi: mac80211: refactor elements parsing with parameter struct
(CVE-2022-42719 bsc#1204051).
- commit 7b3171e
- mac80211: fix memory leaks with element parsing (CVE-2022-42719
bsc#1204051).
- mac80211: always allocate struct ieee802_11_elems
(CVE-2022-42719 bsc#1204051).
- commit 1d0e42c
- wifi: cfg80211: fix BSS refcounting bugs (CVE-2022-42720
bsc#1204059).
- cfg80211: hold bss_lock while updating nontrans_list
(CVE-2022-42719 bsc#1204051).
- mac80211: mlme: find auth challenge directly (CVE-2022-42719
bsc#1204051).
- mac80211: move CRC into struct ieee802_11_elems (CVE-2022-42719
bsc#1204051).
- mac80211: don't re-parse elems in ieee80211_assoc_success()
(CVE-2022-42719 bsc#1204051).
- commit 36cb3f6
- Add CVE reference on lightnvm removal patch
modified:
- patches.drivers/lightnvm-remove-lightnvm-implemenation.patch
- commit 6251214
- Guard out the mana driver update
The patches were not ready yet, I accidentally picked them up too
early. Guard them out until they have been properly backported.
Note: this means that despite what the changelog suggests,
jsc#PED-529 is NOT implemented yet.
- commit 4de885b
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
(CVE-2022-41848 bsc#1203987).
- commit c6f643b
- fbdev: smscufx: Fix use-after-free in ufx_ops_open()
(CVE-2022-41849 bsc#1203992).
- commit 1b1c9cc
- net: mana: Add support of XDP_REDIRECT action (bug#1201310, jsc#PED-529).
- commit d4f48f2
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 8429558
- wifi: cfg80211: ensure length byte is present before access
(CVE-2022-41674 bsc#1203770).
- wifi: cfg80211/mac80211: reject bad MBSSID elements
(CVE-2022-41674 bsc#1203770).
- wifi: cfg80211: fix u8 overflow in
cfg80211_update_notlisted_nontrans() (CVE-2022-41674
bsc#1203770).
- commit a878ee7
- mm/mremap: hold the rmap lock in write mode when moving page
table entries (CVE-2022-41222 bsc#1203622).
- commit 07909f0
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
bsc#1203769).
- commit aa1dc74
- Move upstreamed patches into sorted section
- commit 8fc0f8a
- media: dvb-core: Fix UAF due to refcount races at releasing
(CVE-2022-41218 bsc#1202960).
- commit 260d985
- media: em28xx: initialize refcount before kref_get
(CVE-2022-3239 bsc#1203552).
- commit b9d53ba
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
bsc#1202677).
- commit cb91fc5
- x86/bugs: Reenable retbleed=off
While for older kernels the return thunks are statically built in and
cannot be dynamically patched out, retbleed=off should still work so
that it can be disabled.
- Update
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
(bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
(bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit eb85c2d
- Update references:
- patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
- patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
- patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
- patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
- patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
- patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
- patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
- patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
(add CVE-2022-32296 bsc#1200288)
- commit d9e9e6c
- mmc: block: fix read single on recovery logic (CVE-2022-20008
bsc#1199564).
- commit de3f02b
- dccp: don't duplicate ccid when cloning dccp sock
(CVE-2020-16119 bsc#1177471).
- commit 7c77568
- netfilter: nf_tables: do not allow RULE_ID to refer to another
chain (CVE-2022-2586 bsc#1202095).
- netfilter: nf_tables: do not allow SET_ID to refer to another
table (CVE-2022-2586 bsc#1202095).
- commit 9335568
- mm: pagewalk: Fix race between unmap and page walker (git-fixes,
bsc#1203159).
- commit 173564a
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
(CVE-2022-39188, bsc#1203107).
- commit 84aac57
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
(CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
bsc#1202097).
- commit a949534
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
(git-fixes, bsc#1203098).
kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit cfac9ee
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
"/find -xtype l"/ will report them, so use that to make the search a bit
faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
This should be alsways used with @SOURCES@, just include the content
there.
- commit 403d89f
- kernel-source: include the kernel signature file
We assume that the upstream tarball is used for released kernels.
Then we can also include the signature file and keyring in the
kernel-source src.rpm.
Because of mkspec code limitation exclude the signature and keyring from
binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
Same as other kernel binary packages there is no need to carry duplicate
sources in dtb packages.
- commit 1bd288c
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
CVE-2022-3028).
- commit 50479c7
- Update patch reference for USB gadget fix (CVE-2020-27784 bsc#1202895)
- commit 8033d12
- xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like
fallocate (bsc#1194272 CVE-2021-4155).
- commit 049d5e6
- bpf: Don't use tnum_range on array range checking for poke
descriptors (bsc#1202564 bsc#1202860 CVE-2022-2905).
- commit c59b8fc
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
bsc#1202672).
- commit b71aab0
- cifs: fix uninitialized pointer in error case in
dfs_cache_get_tgt_share (bsc#1188944).
- commit 6366996
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit 6e6a2e7
- fuse: handle kABI change in struct sock (bsc#1194535
CVE-2021-4203).
- commit 53bc420
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1194535 CVE-2021-4203).
- commit 603bd9d
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
(CVE-2022-2588 bsc#1202096).
- commit b08a235
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
ZDI-CAN-17325).
- commit 1b534db
- ext4: Fix check for block being out of directory size
(bsc#1198577 CVE-2022-1184).
- commit e41d129
- ext4: make sure ext4_append() always allocates new block
(bsc#1198577 CVE-2022-1184).
- commit 5c3a0a2
- ext4: check if directory block is within i_size (bsc#1198577
CVE-2022-1184).
- commit d289dcd
- Update config files (bsc#1201361 bsc#1192968 https://github.com/rear/rear/issues/2554).
ppc64: NVRAM=y
- commit dc3f9b9
- Refresh
patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Updated
patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
Add missing objtool annotations from upstream commits and update the latter
patch to fix bsc#1202396.
- commit 377da7c
- objtool: Add support for intra-function calls (bsc#1202396).
- commit a72253f
- objtool: Remove INSN_STACK (bsc#1202396).
- commit c38cd13
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 493d9e5
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 8697c43
- objtool: Support multiple stack_op per instruction
(bsc#1202396).
- Refresh
patches.suse/objtool-allow-no-op-cfi-ops-in-alternatives.patch.
- Refresh
patches.suse/objtool-fix-cfi-insn_state-propagation.patch.
- Refresh patches.suse/objtool-fix-orc-vs-alternatives.patch.
- Refresh patches.suse/objtool-rename-struct-cfi_state.patch.
- commit db13a33
- kabi: return type change of secure_ipv_port_ephemeral()
(CVE-2022-1012 bsc#1199482).
- tcp: drop the hash_32() part from the index calculation
(CVE-2022-1012 bsc#1199482).
- tcp: increase source port perturb table to 2^16 (CVE-2022-1012
bsc#1199482).
- tcp: dynamically allocate the perturb table used by source ports
(CVE-2022-1012 bsc#1199482).
- tcp: add small random increments to the source port
(CVE-2022-1012 bsc#1199482).
- tcp: resalt the secret every 10 seconds (CVE-2022-1012
bsc#1199482).
- tcp: use different parts of the port_offset for index and offset
(CVE-2022-1012 bsc#1199482).
- secure_seq: use the 64 bits of the siphash for port offset
calculation (CVE-2022-1012 bsc#1199482).
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomizarion at connect() time
(bsc#1180153).
- commit 11d737c
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
The type test and print line are the same for both cases. The usrmerged
case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
in xfrm_bundle_lookup() (CVE-2022-36879 bsc#1201948).
- commit 97b83f0
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
(CVE-2022-20368 bsc#1202346).
- commit e8bbbca
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
across ioctls (bsc#1202347 CVE-2022-20369).
- commit 36d8575
- md/bitmap: don't set sb values if can't pass sanity check
(bsc#1197158).
- commit 5acc079
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
CVE-2022-26373).
- commit 470f698
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
CVE-2022-26373).
- commit 93929be
- acpi: Disable APEI error injection if the kernel is locked down
(bsc#1023051, CVE-2016-3695).
- commit 80750a7
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
(bsc#1201726 CVE-2022-26373).
- commit 29edec0
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
bsc#1202154).
- commit bfc6551
- ipv4: avoid using shared IP generator for connected sockets
(CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
bsc#1196616).
- commit 6c53c05
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- netfilter: nf_queue: do not allow packet truncation below
transport header offset (bsc#1201940 CVE-2022-36946).
- commit f4f33cd
- KVM: emulate: do not adjust size of fastop and setcc subroutines
(bsc#1201930).
- commit c66c17b
- kvm/emulate: Fix SETcc emulation function offsets with SLS
(bsc#1201930).
- Refresh
patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- commit 46a6214
- Refresh
patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit f2664df
- Update
patches.suse/netfilter-nf_tables-disallow-non-stateful-expression.patch
references (add CVE-2022-32250).
- commit 8871b3f
- net/sched: cls_u32: fix netns refcount changes in u32_change()
(CVE-2022-29581 bsc#1199665).
- commit e1d6992
- fsnotify: invalidate dcache before IN_DELETE event
(bsc#1195478i bsc#1200905).
- commit 7cf8b1d
- kABI workaround for including mm.h in fs/sysfs/file.c
(bsc#1200598 cve-2022-20166).
- commit 29d7d8a
- Update patches.suse/vt-vt_ioctl-fix-race-in-VT_RESIZEX.patch
(git-fixes bsc#1200910 CVE-2020-36558).
Add references.
- commit d84e9d7
- Fix 1201644, 1201664, 1201672, 1201673, 1201676
All are reports of the same problem - the IBRS_* regs push/popping was
wrong but it needs
1b331eeea7b8 ("/x86/entry: Remove skip_r11rcx"/)
too.
- commit 161f935
- Update
patches.suse/vt-vt_ioctl-fix-VT_DISALLOCATE-freeing-in-use-virtua.patch
(git-fixes bsc#1201429 CVE-2020-36557).
Add references.
- commit 76ab189
- lockdown: Fix kexec lockdown bypass with ima policy
(CVE-2022-21505 bsc#1201458).
- commit 5806b46
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit 2479e4a
- x86/bugs: Remove apostrophe typo (bsc#1114648).
- commit 783ffdb
- Sort in RETbleed backport into the sorted section
Now that it is upstream...
- Refresh
patches.suse/KVM-VMX-Convert-launched-argument-to-flags.patch.
- Refresh
patches.suse/KVM-VMX-Fix-IBRS-handling-after-vmexit.patch.
- Refresh patches.suse/KVM-VMX-Flatten-__vmx_vcpu_run.patch.
- Refresh
patches.suse/KVM-VMX-Prevent-RSB-underflow-before-vmenter.patch.
- Refresh
patches.suse/KVM-VMX-Prevent-guest-RSB-poisoning-attacks-with-eIBRS.patch.
- Refresh
patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh patches.suse/x86-bpf-Use-alternative-RET-encoding.patch.
- Refresh
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
patches.suse/x86-speculation-Fill-RSB-on-vmexit-for-IBRS.patch.
- Refresh
patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Refresh
patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- Refresh patches.suse/x86-xen-Rename-SYS-entry-points.patch.
- commit 43fbd8f
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-not-supp.patch.
- commit 648f79b
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
sysfs_emit (bsc#1200598 cve-2022-20166).
- commit 6f05f26
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
cve-2022-20166).
- commit 6ff7ebb
- drivers core: Remove strcat uses around sysfs_emit and neaten
(bsc#1200598 cve-2022-20166).
- commit 4cafd1f
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit bcf7213
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
* ...) functions (bsc#1200598 cve-2022-20166).
- commit 747b6a7
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
(bsc#1200598 cve-2022-20166).
- commit 4aaf7f0
- fbmem: Check virtual screen sizes in fb_set_var()
(CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
(CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
(CVE-2021-33655 bsc#1201635).
- commit a7693d8
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
Dwarves 1.22 or newer is required to build kernels with BTF information
embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
(bsc#1198829 CVE-2022-1462).
- commit ce8f318
- tty: use new tty_insert_flip_string_and_push_buffer() in
pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit cbf8ad3
- io_uring: fix fs->users overflow (CVE-2022-1116, bsc#1199647).
- commit e8dfed6
- net: rose: fix UAF bugs caused by timer handler (CVE-2022-2318
bsc#1201251).
- commit 84c7e09
- xen/netfront: force data bouncing when backend is untrusted
(bsc#1200762, CVE-2022-33741, XSA-403).
- commit 7daee4f
- xen/netfront: fix leaking data in shared pages (bsc#1200762,
CVE-2022-33740, XSA-403).
- commit bfb8cc2
- xen/blkfront: force data bouncing when backend is untrusted
(bsc#1200762, CVE-2022-33742, XSA-403).
- commit 9c6c1df
- xen/blkfront: fix leaking data in shared pages (bsc#1200762,
CVE-2022-26365, XSA-403).
- commit 7095954
- Add dtb-starfive
- commit 85335b1
- dma: kABI: Add back removed exports (bsc#1196472 ltc#192278).
- commit bddf636
- powerpc: dma: kABI workaround for moving around dma_bypass bit
(bsc#1196472 ltc#192278).
- commit bd1c9b6
- dma-mapping: move the remaining DMA API calls out of line
(bsc#1196472 ltc#192278).
- commit 504fce8
- powerpc/pseries/iommu: Update call to ibm, query-pe-dma-windows
(bsc#1196472 ltc#192278).
- powerpc/pseries/iommu: Create defines for operations in ibm,
ddw-applicable (bsc#1196472 ltc#192278).
- commit cde6266
- powerpc/pseries/iommu: Fix window size for direct mapping with
pmem (bsc#1196472 ltc#192278).
- powerpc/dma: Fallback to dma_ops when persistent memory present
(bsc#1196472 ltc#192278).
Update config files.
- dma-mapping: Allow mixing bypass and mapped DMA operation
(bsc#1196472 ltc#192278).
- dma-direct: Fix potential NULL pointer dereference (bsc#1196472
ltc#192278).
- commit c5ebdbd
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
Upstream c6x architecture removal left a dangling link behind which
triggers openSUSE post-build check in kernel-source, failing
kernel-source build.
A fix deleting the danglink link has been submitted but it did not make
it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
utility does not handle symlink removal. Add a temporary band-aid which
deletes all dangling symlinks after unpacking the kernel source tarball.
[jslaby] It's not that temporary as we are dragging this for quite some
time in master. The reason is that this can happen any time again, so
let's have this in packaging instead.
- commit 52a1ad7
- powerpc: use the generic dma_ops_bypass mode (bsc#1196472 ltc#192278).
- Refresh patches.suse/powerpc-dma-Fix-dma_map_ops-get_required_mask.patch
- Update config files.
- commit 865c59d
- dma-mapping: add a dma_ops_bypass flag to struct device (bsc#1196472 ltc#192278).
- Refresh patches.suse/0003-kabi-Add-placeholders-to-a-couple-of-important-struc.patch.
- blacklist.conf: Remove f1565c24b596 powerpc: use the generic dma_ops_bypass mode
- commit 9b4bd0f
- libassuan
-
- update to 2.5.5:
* Fix a crash in the logging code
* Upgrade autoconf
- update to 2.5.4:
* Fix some minor build annoyances
- Update to 2.5.3:
* Add a timeout for writing to a SOCKS5 proxy.
* Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
- qemu-disable-fdpassing-test.patch: remove
-Update to 2.5.2:
* configure.ac: Bump LT version to C8/A8/R2
* include libassuan.pc in the spec file
- libjpeg-turbo
-
fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
+ libjpeg-turbo-CVE-2020-35538.patch
- security update
- added patches
- libjpeg62-turbo
-
fix CVE-2020-35538 [bsc#1202915], Null pointer dereference in jcopy_sample_rows() function
+ libjpeg-turbo-CVE-2020-35538.patch
- security update
- added patches
- libksba
-
- Security fix: [bsc#1204357, CVE-2022-3515]
* Detect a possible overflow directly in the TLV parser.
* Add libksba-CVE-2022-3515.patch
- libtasn1
-
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
- libtirpc
-
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
connections (bsc#1201680)
- backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
- update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- fix memory leak in params.r_addr assignement (bsc#1198752)
- add 0001-fix-parms.r_addr-memory-leak.patch
- libxml2
-
- Security fixes:
* [CVE-2022-40303, bsc#1204366] Fix integer overflows with
XML_PARSE_HUGE
+ Added patch libxml2-CVE-2022-40303.patch
* [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
entity reference cycles
+ Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
* Cross-site scripting vulnerability after commit 960f0e2
* Add libxml2-CVE-2016-3709.patch
- libyajl
-
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
- libzypp
-
- Resolver: Fix missing --[no]-recommends initialization in
update (fixes #openSUSE/zypper#459, bsc#1201972)
- Log ONLY_NAMESPACE_RECOMMENDED because this is what corresponds
to --[no]-recommends.
- version 17.31.2 (22)
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
(fixes #402)
- Log backtrace on SIGABRT too.
- Need to explicitly enable building experimental code. Otherwise
an old Notcurses++ package which happens to be present in the
buildenv breaks the build (fixes #412).
- Work around libyui/libyui#78 on code 15.4 and older.
- Stop using std::*ary_function; deprecated and removed in c++17.
- Don't expose header files which use types not available in
c++11. In 15.3 and older, YAST and PK compile with -std=c++11.
- Remove no longer needed %post code (bsc#1203649)
- Enable zck support for SLE15-SP4 and newer. On Leap it is enabled
since 15.1 (bsc#1189282)
- version 17.31.1 (22)
- Add PoolItem::statusReinit to reset the status it's initial
state in the ResPool (might help bsc#1199895)
This may either be 'KEEP_STATE bySOLVER' or 'LOCKED byUSER' if
the PoolItem matched a hard lock defined in /etc/zypp/locks.
- Fix building with GCC 13 on i586 (fixes #407, fixes #396)
- Be prepared to receive exceptions from curl_easy_cleanup
(bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and dependend code.
This commit removes the MediaNetwork tech preview and all related
code. First reason for this is that MediaNetwork was just meant
as a way to test the new CURL based downloader and second: since
the Provide API is going to completely replace the current media
backend it would be extra work to ensure that changes on the
Downloader do not break MediaNetwork.
- version 17.31.0 (22)
- Fix building with GCC 12.x release (#396)
- version 17.30.3 (22)
- appdata plugin: Pass path to the repodata/ directory inside the
cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending
endOfScriptTag.
- version 17.30.2 (22)
- PluginRepoverification: initial version hooked into
repo::Downloader and repo refresh.
- Immediately start monitoring the download.transfer_timeout.
Do not wait until the first data arrived. (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only.
- Work around cases where sat repo.start points to an invalid
solvable. May happen if (wrong arch) solvables were removed
at the beginning of the repo.
- fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
(fixes #388)
- version 17.30.1 (22)
- logrotate
-
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
* enforce stricter parsing to avoid CVE-2021-3864
* Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
* Added patch logrotate-dont_warn_on_size=_syntax.patch
- mozilla-nspr
-
- update to version 4.34.1
* add file descriptor sanity checks in the NSPR poll function.
- update to version 4.34
* add an API that returns a preferred loopback IP on hosts that
have two IP stacks available.
- update to 4.33:
* fixes to build system and export of private symbols
- mozilla-nss
-
- Require libjitter only for SLE15-SP4 and greater
- update to NSS 3.79.2 (bsc#1204729)
* bmo#1785846 - Bump minimum NSPR version to 4.34.1.
* bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- Add nss-allow-slow-tests.patch, which allows a timed test to run
longer than 1s. This avoids turning slow builds into broken
builds.
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
DSA keys (verification only) (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to add
sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
longer symmetric keys via the service level indicator
(bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to hopefully export
sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions
from getting flagged as non-FIPS (bsc#1191546).
- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- Enable nss-fips-drbg-libjitter.patch now that we have a patched
libjitter to build with (bsc#1202870).
- Update nss-fips-approved-crypto-non-ec.patch to prevent keys
from getting flagged as non-FIPS and add remaining TLS mechanisms.
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for
entropy. This is disabled until we can avoid the inline assembler
in the latter's header file that relies on GNU extensions.
- Update nss-fips-constructor-self-tests.patch to fix an abort()
when both NSS_FIPS and /proc FIPS mode are enabled.
- update to NSS 3.79.1 (bsc#1202645)
* bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1759794 - protect SFTKSlot needLogin with slotLock.
* bmo#1760998 - avoid data race on primary password change.
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
rest of the DSA ciphers, keeping signature verification only
(bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
we removed the code to short-circuit broken hashes and moved to
using the SLI.
- Remove upstreamed patches:
* nss-fips-version-indicators.patch
* nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
- bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- bmo#1766907 - Update mercurial in clang-format docker image.
- bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
- bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
- bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- bmo#1764788 - Correct invalid record inner and outer content type alerts.
- bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
- bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
* bmo#1767590 - Initialize pointers passed to
NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
bmo#1763120 - Add ECH Grease Support to tstclnt
bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
* Bug 1762244 - resolve mpitests build failure on Windows.
* bmo#1761779 - Fix link to TLS page on wireshark wiki
* bmo#1754890 - Add two D-TRUST 2020 root certificates.
* bmo#1751298 - Add Telia Root CA v2 root certificate.
* bmo#1751305 - Remove expired explicitly distrusted certificates
from certdata.txt.
* bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
* bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
* bmo#1756271 - Remove token member from NSSSlot struct.
* bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
* bmo#1757279 - Support UTF-8 library path in the module spec string.
* bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
* bmo#1760827 - Add a CI Target for gcc-11.
* bmo#1760828 - Change to makefiles for gcc-4.8.
* bmo#1741688 - Update googletest to 1.11.0
* bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
* bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
* bmo#1755904 - Fix calculation of ECH HRR Transcript.
* bmo#1758741 - Allow ld path to be set as environment variable.
* bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
* bmo#1758478 - Fix DataBuffer Move Assignment.
* bmo#1552254 - internal_error alert on Certificate Request with
sha1+ecdsa in TLS 1.3
* bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
NSS 3.76.1
* bmo#1756271 - Remove token member from NSSSlot struct.
NSS 3.76
* bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
nssTrustDomain_GetActiveSlots.
* bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
* bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
* bmo#1679803 - Add SHA256 fingerprint comments to old
certdata.txt entries.
* bmo#1753505 - Avoid truncating files in nss-release-helper.py.
* bmo#1751157 - Throw illegal_parameter alert for illegal extensions
in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
* bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
* bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
* bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
* bmo#1748386 - Remove redundant key type check.
* bmo#1749869 - Update ABI expectations to match ECH changes.
* bmo#1748386 - Enable CKM_CHACHA20.
* bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
* bmo#1747310 - real move assignment operator.
* bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
* bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
* bmo#1747772 - Allow to build using clang's integrated assembler.
* bmo#1321398 - Allow to override python for the build.
* bmo#1747317 - test HKDF output rather than input.
* bmo#1747316 - Use ASSERT macros to end failed tests early.
* bmo#1747310 - move assignment operator for DataBuffer.
* bmo#1712879 - Add test cases for ECH compression and unexpected
extensions in SH.
* bmo#1725938 - Update tests for ECH-13.
* bmo#1725938 - Tidy up error handling.
* bmo#1728281 - Add tests for ECH HRR Changes.
* bmo#1728281 - Server only sends GREASE HRR extension if enabled
by preference.
* bmo#1725938 - Update generation of the Associated Data for ECH-13.
* bmo#1712879 - When ECH is accepted, reject extensions which were
only advertised in the Outer Client Hello.
* bmo#1712879 - Allow for compressed, non-contiguous, extensions.
* bmo#1712879 - Scramble the PSK extension in CHOuter.
* bmo#1712647 - Split custom extension handling for ECH.
* bmo#1728281 - Add ECH-13 HRR Handling.
* bmo#1677181 - Client side ECH padding.
* bmo#1725938 - Stricter ClientHelloInner Decompression.
* bmo#1725938 - Remove ECH_inner extension, use new enum format.
* bmo#1725938 - Update the version number for ECH-13 and adjust
the ECHConfig size.
- update to NSS 3.74
* bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
OCSP responses
* bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
* bmo#1721426 - NSS does not properly restrict server keys based on policy
* bmo#1733003 - Set nssckbi version number to 2.54
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
* bmo#1735407 - Replace GlobalSign ECC Root CA R4
* bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
* bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
certificates
* bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
CIF A62634068 root certificate
* bmo#1740095 - Add iTrusChina ECC root certificate
* bmo#1740095 - Add iTrusChina RSA root certificate
* bmo#1738805 - Add ISRG Root X2 root certificate
* bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
* bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
* bmo#1735028 - Check for missing signedData field
* bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
* Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
* bmo#1735028 - check for missing signedData field.
* bmo#1737470 - Ensure DER encoded signatures are within size limits.
* bmo#1729550 - NSS needs FiPS 140-3 version indicators.
* bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
* bmo#1738600 - sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170)
* CVE-2021-43527 (bmo#1737470)
Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
* Remove newline at the end of coreconf.dep
* bmo#1731911 - Fix nsinstall parallel failure.
* bmo#1729930 - Increase KDF cache size to mitigate perf
regression in about:logins
- update to NSS 3.71
* bmo#1717716 - Set nssckbi version number to 2.52.
* bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
* bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
* bmo#1717707 - Add HARICA Client ECC Root CA 2021.
* bmo#1717707 - Add HARICA Client RSA Root CA 2021.
* bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
* bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
* bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
* bmo#1726022 - Update test case to verify fix.
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
* bmo#1681975 - Avoid using a lookup table in nssb64d.
* bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
* bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
* bmo#1726022 - Cache additional PBE entries.
* bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
* bmo#1720226 (Backout) - integrity checks in key4.db not happening
on private components with AES_CBC
NSS 3.69
* bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
* bmo#1720226 - integrity checks in key4.db not happening on private
components with AES_CBC (backed out again)
* bmo#1720235 - SSL handling of signature algorithms ignores
environmental invalid algorithms.
* bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
nss failures.
(removed obsolete nss-btrfs-sqlite.patch)
* bmo#1720230 - Gtest update changed the gtest reports, losing gtest
details in all.sh reports.
* bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
* bmo#1720232 - SQLite calls could timeout in starvation situations.
* bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
* bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
* bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Mozilla NSS 3.68.4 (bsc#1200027)
* Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
(bmo#1767590)
- Update nss-fips-constructor-self-tests.patch to scan
LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
test certificate creation and disables the library checksum
validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
Most of the relevant changes are already upstream since NSS 3.60.
- ncurses
-
- Add patch ncurses-bnc1198627.patch
* Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
- openldap2
-
- bsc#1198341 - Prevent memory reuse which may lead to instability
* 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
- openssl-1_1
-
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
* bsc#1180995
* Default to RFC7919 groups when generating ECDH parameters
using 'genpkey' or 'dhparam' in FIPS mode.
- Fix memory leaks introduced by openssl-1.1.1-fips.patch [bsc#1203046]
* Add patch openssl-1.1.1-fips-fix-memory-leaks.patch
- pacemaker
-
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
* bsc#1196340-0009-Test-scheduler-do-not-enforce-resource-stop-if-any-n.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
* bsc#1196340-0008-Test-scheduler-do-not-enforce-resource-stop-on-a-rej.patch
- scheduler: do not enforce resource stop if any new probe/monitor indicates the resource was not running on the target of a failed migrate_to (bsc#1196340)
* bsc#1196340-0007-Fix-scheduler-do-not-enforce-resource-stop-if-any-ne.patch
- scheduler: find_lrm_op() to be able to check against a specified target_rc (bsc#1196340)
* bsc#1196340-0006-Refactor-scheduler-find_lrm_op-to-be-able-to-check-a.patch
- cts-scheduler: fix on_node attribute of lrm_rsc_op entries in the tests (bsc#1196340)
* bsc#1196340-0005-Test-cts-scheduler-fix-on_node-attribute-of-lrm_rsc_.patch
- scheduler: is_newer_op() to be able to compare lrm_rsc_op entries from different nodes (bsc#1196340)
* bsc#1196340-0004-Refactor-scheduler-is_newer_op-to-be-able-to-compare.patch
- scheduler: compare ids of lrm_rsc_op entries case-sensitively (bsc#1196340)
* bsc#1196340-0003-Fix-scheduler-compare-ids-of-lrm_rsc_op-entries-case.patch
- scheduler: functionize comparing which lrm_rsc_op is newer (bsc#1196340)
* bsc#1196340-0002-Refactor-scheduler-functionize-comparing-which-lrm_r.patch
- scheduler: do not enforce resource stop on a rejoined node that was the target of a failed migrate_to (bsc#1196340)
* bsc#1196340-0001-Fix-scheduler-do-not-enforce-resource-stop-on-a-rejo.patch
- OCF: controld: Give warning when no-quorum-policy not set as freeze while using DLM (bsc#1129707)
* bsc#1129707-0001-OCF-controld-Give-warning-when-no-quorum-policy-not-.patch
- Pacemaker high resolution timestamps (bsc#1197668)
* 0001-Log-all-use-high-resolution-timestamps-in-detail-log.patch
- pam
-
- Update pam_motd to the most current version. This fixes various issues
and adds support for mot.d directories [jsc#PED-1712].
* Added: pam-ped1712-pam_motd-directory-feature.patch
- pciutils
-
- Add "/pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch"/ and
"/pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch"/ to fix
LnkCap speed recognition in lspci for multi PCIe ports such as
the ML110 Gen11. [bsc#1192862]
- pcre2
-
- Added pcre2-bsc1199235-CVE-2022-1587.patch
* CVE-2022-1587 / bsc#1199235
* Fix out-of-bounds read due to bug in recursions
* Sourced from:
- https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
- Added pcre2-Fix_crash_when_X_is_used_without_UTF_in_JIT.patch
* CVE-2019-20454 / bsc#1164384
* Fix crash when X is used in non-UTF mode on certain inputs.
* Sourced from:
- https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
- https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9
- perl-HTTP-Daemon
-
- Fix request smuggling in HTTP::Daemon
(CVE-2022-31081, bsc#1201157)
* CVE-2022-31081.patch
* CVE-2022-31081-2.patch
* CVE-2022-31081-Add-new-test-for-Content-Length-issues.patch
- permissions
-
* Revert "/drop ping capabilities in favor of ICMP_PROTO sockets"/. Older
SLE-15 versions don't properly support this feature yet (bsc#1204137)
- Update to version 20181225:
* fix regression introduced by backport of security fix (bsc#1203911)
- Update to version 20181225:
* chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
- Update to version 20181225:
- procps
-
- Add the patches
* procps-3.3.17-library-bsc1181475.patch
* procps-3.3.17-top-bsc1181475.patch
which are backports of current newlib tree to solve bug bsc#1181475
* 'free' command reports misleading "/used"/ value
- python-M2Crypto
-
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
bsc#1178829), which mitigates the Bleichenbacher timing attacks
in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
- python-base
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- python-lxml
-
- add CVE-2022-2309.patch (bsc#1201253, CVE-2022-2309)
- python-parallax
-
- Don't use ssh if command running on local (bsc#1200833)
Add patch 0003-Fix-task-Don-t-use-ssh-if-command-running-on-local-b.patch
- python-psutil
-
- Add patch mem-used-bsc1181475.patch (bsc#1181475)
* Adopt change of used memory calculation from upstream of procps
- python-py
-
- Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972)
- Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
- Update to 1.10.0
* Fix a regular expression DoS vulnerability in the py.path.svnwc
SVN blame functionality (CVE-2020-29651)
- Devendor apipkg and iniconfig
- Add pr_222.patch to activate test suite
- Update to 1.9.0
* Add type annotation stubs
- python3
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- regionServiceClientConfigGCE
-
- Update to version 4.0.0 (bsc#1199668)
+ Move the cert location to /usr for compatibility with ro setup of
SLE-Micro
+ Fix url in spec file to pint to the proper location of the source
- resource-agents
-
- DB2 HADR resource-agents bug (bsc#1203758)
Add patches:
0001-db2-HADR-add-STANDBY-REMOTE_CATCHUP_PENDING-DISCONNE.patch
0001-db2-add-PRIMARY-REMOTE_CATCHUP_PENDING-CONNECTED-sta.patch
- ECO: Maint: Azure Events RA can not handle AV Zones (jsc#PED-2000)
Add upstream patch:
0001-azure-events-az-new-resource-agent-1774.patch
- rsync
-
- Add support for --trust-sender parameter (patch by Jie Gong in
bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
* Added patch rsync-CVE-2022-29154-trust-sender-1.patch
* Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
- rsyslog
-
- - fix segfault in qDeqLinkedList during shutdown (bsc#1199283)
* add 0001-queue-Add-NULL-check-in-qDeqLinkedList.patch
- ruby2
-
- Update suse.patch to 41adc98ad1:
- Cookie Prefix Spoofing in CGI::Cookie.parse (boo#1193081 CVE-2021-41819)
- add back some lost chunks to the suse.patch
- rubygem-activesupport-5_1
-
- Add patch to fix CVE-2022-27777 (bsc#1199060)
CVE-2022-27777.patch
- rubygem-kramdown
-
- security update
- added patches
fix CVE-2020-14001 [bsc#1174297], processing template options inside documents allows unintended read access or embedded Ruby code execution
+ rubygem-kramdown-CVE-2020-14001.patch
- rubygem-loofah
-
- Added patch CVE-2019-15587.patch to fix CVE-2019-15587 (bsc#1154751)
- rubygem-puma
-
- updated to version 4.3.12
* fix bsc#1197818, CVE-2022-24790
rubygem-puma: HTTP request smuggling if proxy is not RFC7230 compliant
- rubygem-rack
-
fix CVE-2020-8184 [bsc#1173351], percent-encoded cookies can be used to overwrite existing prefixed cookie names
+ rubygem-rack-CVE-2020-8184.patch
fix CVE-2020-8161 [bsc#1172037], directory traversal in Rack:Directory
+ rubygem-rack-CVE-2020-8161.patch
- security update
- added patches
- rubygem-rails-html-sanitizer
-
- Add patch 0001_CVE-2022-32209.patch
This patch fixes CVE-2022-32209 (bsc#1201183)
- rubygem-tzinfo
-
- security update
- added patches
fix CVE-2022-31163 [bsc#1201835], Relative path traversal vulnerability allows TZInfo::Timezone.get to load arbitrary files
+ rubygem-tzinfo-CVE-2022-31163.patch
- runc
-
- Update to runc v1.1.4. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.4.
* Fix mounting via wrong proc fd. When the user and mount namespaces are
used, and the bind mount is followed by the cgroup mount in the spec,
the cgroup was mounted using the bind mount's mount fd.
* Switch kill() in libcontainer/nsenter to sane_kill().
* Fix "/permission denied"/ error from runc run on noexec fs.
* Fix failed exec after systemctl daemon-reload. Due to a regression
in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
(boo#1202821)
- salt
-
- Handle non-UTF-8 bytes in core grains generation (bsc#1202165)
- Fix Syndic authentication errors (bsc#1199562)
- Add Amazon EC2 detection for virtual grains (bsc#1195624)
- Fix the regression in schedule module releasded in 3004 (bsc#1202631)
- Fix state.apply in test mode with file state module on user/group checking (bsc#1202167)
- Change the delimeters to prevent possible tracebacks on some packages with dpkg_lowpkg
- Make zypperpkg to retry if RPM lock is temporarily unavailable (bsc#1200596)
- Fix test_ipc unit test
- Added:
* change-the-delimeters-to-prevent-possible-tracebacks.patch
* fix-state.apply-in-test-mode-with-file-state-module-.patch
* add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch
* fix-test_ipc-unit-tests.patch
* backport-syndic-auth-fixes.patch
* retry-if-rpm-lock-is-temporarily-unavailable-547.patch
* ignore-non-utf8-characters-while-reading-files-with-.patch
* fix-the-regression-in-schedule-module-releasded-in-3.patch
- Add support for gpgautoimport in zypperpkg module
- Update Salt to work with Jinja >= and <= 3.1.0 (bsc#1198744)
- Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372)
- Make Salt 3004 compatible with pyzmq >= 23.0.0 (bsc#1201082)
- Add support for name, pkgs and diff_attr parameters to upgrade function for zypper and yum (bsc#1198489)
- Fix ownership of salt thin directory when using the Salt Bundle
- Set default target for pip from VENV_PIP_TARGET environment variable
- Normalize package names once with pkg.installed/removed using yum (bsc#1195895)
- Save log to logfile with docker.build
- Use Salt Bundle in dockermod
- Ignore erros on reading license files with dpkg_lowpkg (bsc#1197288)
- Added:
* fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch
* fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch
* normalize-package-names-once-with-pkg.installed-remo.patch
* add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
* use-salt-bundle-in-dockermod.patch
* add-support-for-gpgautoimport-539.patch
* fix-ownership-of-salt-thin-directory-when-using-the-.patch
* fix-salt.states.file.managed-for-follow_symlinks-tru.patch
* ignore-erros-on-reading-license-files-with-dpkg_lowp.patch
* set-default-target-for-pip-from-venv_pip_target-envi.patch
* save-log-to-logfile-with-docker.build.patch
- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
- samba
-
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
(bsc#1201496).
- sqlite3
-
- update to 3.39.3:
* Use a statement journal on DML statement affecting two or more
database rows if the statement makes use of a SQL functions
that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
PRAGMA data_store_directory statements, even though they are
decremented and documented as not being threadsafe.
- update to 3.39.2:
* Fix a performance regression in the query planner associated
with rearranging the order of FROM clause terms in the
presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
1345947, forum post 3607259d3c, and other minor problems
discovered by internal testing. [boo#1201783]
- update to 3.39.1:
* Fix an incorrect result from a query that uses a view that
contains a compound SELECT in which only one arm contains a
RIGHT JOIN and where the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so
that it works correctly even if the prefix contains characters
that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
its output.
- update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and
IS DISTINCT FROM that are equivalent to IS and IS NOT,
respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and
ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
filenames to create a canonical name for the database before
the file is opened
* Defer materializing views until the materialization is actually
needed, thus avoiding unnecessary work if the materialization
turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
aggregate query, even queries that do not have a GROUP BY
clause
* Many microoptimizations collectively reduce CPU cycles by about
2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
related test failures on 32 bit
- update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the
byte code causes the byte code engine to enter an infinite loop
when the pull-down optimization encounters a NULL key
- update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction,
using inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows
in the output.
* Other minor patches. See the timeline for details.
- update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might
cause an incorrect answer when doing a LEFT JOIN with a WHERE
clause constraint that says that one of the columns on the
right table of the LEFT JOIN is NULL.
* Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
- update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might
cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
even in corner cases such as when the argument is a virtual
column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
they work correctly even if the virtual table implementation
relies on bytecode to filter rows that do not satisfy the
constraint.
* Other minor fixes to assert() statements, test cases, and
documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
sqlite-src-3380100-atof1.patch
- update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
an SQL error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs
and newlines embedded in text, and add options like "/--wrap N"/,
"/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up
large analytic queries, and a balanced merge tree to evaluate
UNION or UNION ALL compound SELECT statements that have an
ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
entries in the sqlite_schema table that do not parse when
PRAGMA writable_schema=ON
- update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
cause database corruption if a SAVEPOINT is rolled back while
in PRAGMA temp_store=MEMORY mode, and other changes are made,
and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON
UPDATE CASCADE in which a cache of the bytecode used to
implement the cascading change was not being reset following a
local DDL change
- update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version
3.35.0 that can cause incorrect byte-code to be generated for
some obscure but valid SQL, possibly resulting in a NULL-
pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
* STRICT tables provide a prescriptive style of data type
management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
generated column containing a NOT NULL constraint, the
ALTER TABLE ADD COLUMN now checks new constraints against
preexisting rows in the database and will only proceed if no
constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
and SQL statements that might cause side-effects that extend
beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
for the TEMP database. That limitation is now noted in the
documentation.
* The query planner now omits ORDER BY clauses on subqueries and
views if removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified
so that the first parameter ("/START"/) is now required. This is
done as a way to demonstrate how to write table-valued
functions with required parameters. The legacy behavior is
available using the -DZERO_ARGUMENT_GENERATE_SERIES
compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
- sudo
-
- Added sudo-1-8-27-bsc1201462-ignore-no-sudohost.patch
* Ignore entries when converting LDAP to sudoers. Prevents empty
host list being treated as "/ALL"/ wildcard.
* bsc#1201462
* Sourced from https://www.sudo.ws/repos/sudo/rev/484d0d3b892e
- supportutils-plugin-ha-sap
-
- Update to version 0.0.4+git.1663748456.ad13e75:
* fix basic support for saptune
add saptune version 3 awareness and add a hint for the new
saptune supportconfig plugin delivered within the saptune
package >= 3.x
(bsc#1203202)
- Update to version 0.0.3+git.1659022100.39bfcd6:
* Update README.md
* Replace spaces to tabs.
* Search for other groups too.
* Include /etc/group in plugin-ha_sap.txt (bsc#1201831)
* Update ha_sap
* Update pacemaker.log location change
* suppress link path in Readme.md
* add section 'Additional information' to the Readme.md
* change release status of the project
* Update README.md
* Update ha_sap
- sysconfig
-
- version 0.85.9
- spec: revert to recommend wicked-service on <= 15.4
- netconfig: remove sed dependency
- netconfig/dns-resolver: remove search limit of 6 domains (bsc#1199093)
- netconfig: cleanup /var/run leftovers (bsc#1194557)
- netconfig: update ntp man page documentation, fix typos
- spec: drop legacy migration (from sle11) and rpm-utils
- version 0.85.8
- netconfig: revert NM default policy change change (boo#1185882)
With the change to the default policy, netconfig with NetworkManager
as network.service accepted settings from all services/programs
directly instead only from NetworkManager, where plugins/services
have to deliver their settings to apply them.
- version 0.85.7
- spec: Drop hard dependency on /sbin/ifup
- spec: Suggest instead of recommend wicked-service
- spec: Mention that the .spec file is in git as well
- Also support service(network) provides
- systemd
-
- Import commit 5183646e041a0ac78107bc4e5b06594e3a27657f
8187a5e5f6 Allow control characters in environment variable values (bsc#1200170)
da394cc0b0 test-env-util: Verify that r is disallowed in env var values
da0120492d test-env-util: print function headers
0702ce5b4e basic/env-util: Allow newlines in values of environment variables
6fda9a8c7b udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
52174bfc1a man: tweak description of auto/noauto (bsc#1191502)
8a57b62f90 shared/install: ignore failures for auxiliary files
86079f3522 systemctl: supress enable/disable messages when -q is given (#7067)
aa4b7b7925 shared/install: fix error codes returned by install_context_apply()
ce671cf6e3 shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
- systemd-presets-common-SUSE
-
- enable ignition-delete-config by default (bsc#1199524)
- Modify branding-preset-states to fix systemd-presets-common-SUSE
not enabling new user systemd service preset configuration just
as it handles system service presets. By passing an (optional)
second parameter "/user"/, the save/apply-changes commands now
work with user services instead of system ones (boo#1200485)
- Add the wireplumber user service preset to enable it by default
in SLE15-SP4 where it replaced pipewire-media-session, but keep
pipewire-media-session preset so we don't have to branch the
systemd-presets-common-SUSE package for SP4 (boo#1200485)
- tar
-
- bsc1200657.patch was previously incomplete leading to deadlocks
* bsc#1202436
* bsc1200657.patch updated
- Fix race condition while creating intermediate subdirectories,
bsc#1200657
* bsc1200657.patch
- telnet
-
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
(CVE-2022-39028, bsc#1203759)
CVE-2022-39028.patch
- tiff
-
- security update:
* CVE-2022-2519 [bsc#1202968]
* CVE-2022-2520 [bsc#1202973]
* CVE-2022-2521 [bsc#1202971]
+ tiff-CVE-2022-2519,CVE-2022-2520,CVE-2022-2521.patch
* CVE-2022-2867 [bsc#1202466]
* CVE-2022-2868 [bsc#1202467]
* CVE-2022-2869 [bsc#1202468]
+ tiff-CVE-2022-2867,CVE-2022-2868,CVE-2022-2869.patch
- CVE-2022-34266 [bsc#1201971] and [bsc#1201723]:
Rename tiff-CVE-2022-0561.patch to
tiff-CVE-2022-0561,CVE-2022-34266.patch
This CVE is actually a duplicate.
- security update:
* CVE-2022-34526 [bsc#1202026]
+ tiff-CVE-2022-34526.patch
- security update
* CVE-2022-2056 [bsc#1201176]
* CVE-2022-2057 [bsc#1201175]
* CVE-2022-2058 [bsc#1201174]
+ tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch
- tigervnc
-
- U_Handle-pending-data-in-TLS-buffers.patch
* Vncclient wasn't refreshing screen correctly due to an issue on
TLS stream buffers.
* bsc#1199477
- timezone
-
- Update to reflect new Chile DST change, bsc#1202310
* bsc1202310.patch
- unzip
-
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
to a local string (CVE-2022-0530, bsc#1196177)
* CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
* CVE-2022-0529.patch
- util-linux
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- util-linux-systemd
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- vim
-
- Updated to version 9.0 with patch level 0313, fixes the following problems
* Fixing bsc#1200884 Vim: Error on startup
* Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent() Mon 13:32
* Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address() Tue 08:37
* Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg() Tue 08:37
* Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
* Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
* Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
* Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
* Fixing bsc#1201620 PUBLIC SUSE Linux Enterprise Server 15 SP4 Basesystem zbalogh@suse.com NEW --- SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
* Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
* Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
* Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
* Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
* Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
* Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
* Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
* Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
* Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
* Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
* Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
* Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
* Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
* Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
* Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
* Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
* Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
* Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
* Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
* Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
* Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
* Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
* Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
* Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
* Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
* Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
* Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
* Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
* Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
* Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
* Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285 Mon 12:00
- xen
-
- bsc#1200549 VUL-0: CVE-2022-21123,CVE-2022-21125,CVE-2022-21166:
xen: x86: MMIO Stale Data vulnerabilities (XSA-404)
xsa404-1.patch
xsa404-2.patch
xsa404-3.patch
- bsc#1201469 - VUL-0: CVE-2022-23816,CVE-2022-23825,CVE-2022-29900:
xen: retbleed - arbitrary speculative code execution with return
instructions (XSA-407)
xsa407-0a.patch
xsa407-0b.patch
xsa407-0c.patch
xsa407-0d.patch
xsa407-0e.patch
xsa407-0f.patch
xsa407-0g.patch
xsa407-0h.patch
xsa407-0i.patch
xsa407-1.patch
xsa407-2.patch
xsa407-3.patch
xsa407-4.patch
xsa407-5.patch
xsa407-6.patch
xsa407-7.patch
xsa407-8.patch
- Upstream bug fix (bsc#1027519)
61d5687a-x86-spec-ctrl-opt_srb_lock-default.patch
- bsc#1201394 - VUL-0: CVE-2022-33745: xen: insufficient TLB flush
for x86 PV guests in shadow mode (XSA-408)
xsa408.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
typeref acquisition (XSA-401)
fix xsa401-1.patch
- bsc#1199966 - VUL-0: EMBARGOED: CVE-2022-26363,CVE-2022-26364: xen:
Insufficient care with non-coherent mappings
use upstream fix in xsa402-5.patch
- yast2-network
-
- AY: Added missing route extrapara element to the networking
section (bsc#1201129)
- 4.2.110
- yast2-sap-ha
-
- YaST2 sap_ha tool does not allow digits at the beginning of site names
(bsc#1200427)
- 1.0.15
- Introduce a new function refresh_all_proposals.
This reads the proposal for the modules watchdog and fence.
This is neccessary when reading an earlier configuration.
- Use .gsub instead of File.basename to find all modules files.
Replace tab with spaces.
(bsc#1197290)
- 1.0.14
- system/watchdog.rb searches watchdog modules with .ko extension
but we ship .ko.xz (bsc#1197290)
- 1.0.13
- softdog missing in Yast while configuring HA for SAP Products
(bsc#1199029)
- 1.0.12
- kmod-compat has broken dependencies (bsc#1186618)
Update requirement
- 1.0.11
- "/SUSE SAP HA Yast wizard for HANA doesn´t configure the HANA hooks.
(bsc#1190774)
Add SAPHanaSR via global.ini as proposed in
https://documentation.suse.com/sbp/all/html/SLES4SAP-hana-sr-guide-PerfOpt-15/index.html#id-1.10.6.6"/
- 1.0.10
- bsc#1158843 hana-*: Broken gettext support
- 1.0.9
- yast2-schema
-
- Add 'extrapara' to routes in the networking section (bsc#1201129)
- 4.2.17
- zlib
-
- Fix heap-based buffer over-read or buffer overflow in inflate via
large gzip header extra field (bsc#1202175, CVE-2022-37434,
CVE-2022-37434-extra-header-1.patch,
CVE-2022-37434-extra-header-2.patch).
- zypper
-
- BuildRequires: libzypp-devel >= 17.31.2.
- Fix --[no]-allow-vendor-change feedback in install command
(bsc#1201972)
- version 1.14.57
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
(fixes #441, fixes #444)
- Remove unneeded code to compute the PPP status.
Since libzypp 17.23.0 the PPP status is auto established. No
extra solver run is needed.
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Fix tests to use locale "/C.UTF-8"/ rather than "/en_US"/.
- Fix man page (fixes #451)
- version 1.14.56
- lr: Allow shortening the Name column if table is wider than the
terminal (bsc#1201638)
- Don't accepts install/remove modifier without argument
(bsc#1201576)
- zypper-download: Set correct ExitInfoCode when failing to
resolve argument.
- zypper-download: Handle unresolvable arguments as error.
This commit changes zypper-download such that it behaves more
consistent to zypper-install when an argument can't be resolved.
- version 1.14.55
- Fix building with GCC 13 (fixes #448)
- Put signing key supplying repository name in quotes.
- version 1.14.54
- Basic JobReport for "/cmdout/monitor"/.
- versioncmp: if verbose, also print the edition 'parts' which are
compared.
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally (fixes #433)
- Honor the NO_COLOR environment variable when auto-detecting
whether to use color (fixes #432)
- Define table columns which should be sorted natural [case
insensitive] (fixes #391, closes #396, fixes #424)
- lr/ls: Use highlight color on name and alias as well.
- version 1.14.53