- HANA-Firewall
-
- Missing SCR Agent for reading and writing /etc/sysconfig/hana-firewall from yast2
(bsc#1210981)
- SAPHanaSR
-
- Version bump to 0.162.1
* fix for SAPHanaTopology failing with error code 1
(OCF_ERR_GENERIC) during a normal stop action
(bsc#1207466)
* set srhook attribute to PRIM during a probe so that we do not
need to wait for the first srConnectionChanged() to set the
attribute
(bsc#1205535)
- Version bump to 0.162.0
* add improvements from SAP to the RA scripts regarding the
handling of the SAP tools 'HDB version', 'HDBSettings.sh' and
'pycd' and the SAPHana log filter handling
(jsc#PED-1739, jsc#PED-2608)
* fix for SAPHanaSR-monitor reporting "LPA status of one node is
missing"
(bsc#1192963, bsc#1203973)
* SAPHanaSRTools.pm: shows terminate node attribute too
- remove patch:
0001-bsc-1192963.patch
- 000release-packages:SLES_SAP-release
-
n/a
- aaa_base
-
- Drop patches (bsc#1199926 and bsc#1199927)
git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
ping broke in sle15 and sle15sp1 when adding
the sysctl setting for ping_group_range
- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
* The wrapper rootsh is not a restricted shell (bsc#1199492)
- autofs
-
- autofs-5.1.3-revert-fix-argc-off-by-one-in-mount_aut.patch
Fix off-by-one error in recursive map handling. (bsc#1209653)
- bind
-
- Security Fix:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed.
[bsc#1215472, CVE-2023-3341, bind-CVE-2023-3341.patch]
- Security Fix:
* The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured
max-cache-size limit.
[bsc#1212544, CVE-2023-2828, bind-CVE-2023-2828.patch]
- binutils
-
- Update to version 2.41 [PED-5778]:
* The MIPS port now supports the Sony Interactive Entertainment Allegrex
processor, used with the PlayStation Portable, which implements the MIPS
II ISA along with a single-precision FPU and a few implementation-specific
integer instructions.
* Objdump's --private option can now be used on PE format files to display the
fields in the file header and section headers.
* New versioned release of libsframe: libsframe.so.1. This release introduces
versioned symbols with version node name LIBSFRAME_1.0. This release also
updates the ABI in an incompatible way: this includes removal of
sframe_get_funcdesc_with_addr API, change in the behavior of
sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
* SFrame Version 2 is now the default (and only) format version supported by
gas, ld, readelf and objdump.
* Add command-line option, --strip-section-headers, to objcopy and strip to
remove ELF section header from ELF file.
* The RISC-V port now supports the following new standard extensions:
- Zicond (conditional zero instructions)
- Zfa (additional floating-point instructions)
- Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
* The RISC-V port now supports the following vendor-defined extensions:
- XVentanaCondOps
* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
* A new .insn directive is recognized by x86 gas.
* Add SME2 support to the AArch64 port.
* The linker now accepts a command line option of --remap-inputs
<PATTERN>=<FILE> to relace any input file that matches <PATTERN> with
<FILE>. In addition the option --remap-inputs-file=<FILE> can be used to
specify a file containing any number of these remapping directives.
* The linker command line option --print-map-locals can be used to include
local symbols in a linker map. (ELF targets only).
* For most ELF based targets, if the --enable-linker-version option is used
then the version of the linker will be inserted as a string into the .comment
section.
* The linker script syntax has a new command for output sections: ASCIZ "string"
This will insert a zero-terminated string at the current location.
* Add command-line option, -z nosectionheader, to omit ELF section
header.
- Removed obsolete patches: binutils-2.40-branch.diff.gz,
riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch,
extensa-gcc-4_3-fix.diff .
- Add binutils-2.41-branch.diff.gz .
- Add binutils-old-makeinfo.diff for SLE-12 and older.
- Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff .
- Contains fixes for these non-CVEs (not security bugs per upstreams
SECURITY.md):
* bsc#1209642 aka CVE-2023-1579 aka PR29988
* bsc#1210297 aka CVE-2023-1972 aka PR30285
* bsc#1210733 aka CVE-2023-2222 aka PR29936
* bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
* bsc#1214565 aka CVE-2020-19726 aka PR26240
* bsc#1214567 aka CVE-2022-35206 aka PR29290
* bsc#1214579 aka CVE-2022-35205 aka PR29289
* bsc#1214580 aka CVE-2022-44840 aka PR29732
* bsc#1214604 aka CVE-2022-45703 aka PR29799
* bsc#1214611 aka CVE-2022-48065 aka PR29925
* bsc#1214619 aka CVE-2022-48064 aka PR29922
* bsc#1214620 aka CVE-2022-48063 aka PR29924
* bsc#1214623 aka CVE-2022-47696 aka PR29677
* bsc#1214624 aka CVE-2022-47695 aka PR29846
* bsc#1214625 aka CVE-2022-47673 aka PR29876
- Add binutils-disable-dt-relr.sh for an compatibility problem
caused by binutils-revert-rela.diff in SLE codestreams.
Needed for update of glibc as that would otherwise pick up
the broken relative relocs support. [bsc#1213282, PED-1435]
- This only existed only for a very short while in SLE-15, as the main
variant in devel:gcc subsumed this in binutils-revert-rela.diff.
Hence:
- Remove binutils-disable-dt-relr.sh as subsumed.
- riscv-dynamic-tls-reloc-pie.patch: Backport for PR ld/22263 and PR
ld/25694
- riscv-pr22263-1.patch: Backport for PR ld/22263
- Rebase branch patch (includes fix for PR30281).
- Document fixed CVEs:
* bnc#1208037 aka CVE-2023-25588 aka PR29677
* bnc#1208038 aka CVE-2023-25587 aka PR29846
* bnc#1208040 aka CVE-2023-25585 aka PR29892
* bnc#1208409 aka CVE-2023-0687 aka PR29444
- Enable bpf-none cross target and add bpf-none to the multitarget
set of supported targets.
- Disable packed-relative-relocs for old codestreams. They generate
buggy relocations when binutils-revert-rela.diff is active.
[bsc#1206556]
- Disable ZSTD debug section compress by default.
- Enable zstd compression algorithm (instead of zlib)
for debug info sections by default.
- Pack libgprofng only for supported platforms.
- Remove upstreamed patch binutils-maxpagesize.diff.
- Rebase binutils-2.40-branch.diff.gz as it includes fix for PR30043.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing
of the package).
- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]
- Update to version 2.40:
* Objdump has a new command line option --show-all-symbols which will make it
display all symbols that match a given address when disassembling. (Normally
only the first symbol that matches an address is shown).
* Add --enable-colored-disassembly configure time option to enable colored
disassembly output by default, if the output device is a terminal. Note,
this configure option is disabled by default.
* DCO signed contributions are now accepted.
* objcopy --decompress-debug-sections now supports zstd compressed debug
sections. The new option --compress-debug-sections=zstd compresses debug
sections with zstd.
* addr2line and objdump --dwarf now support zstd compressed debug sections.
* The dlltool program now accepts --deterministic-libraries and
- -non-deterministic-libraries as command line options to control whether or
not it generates deterministic output libraries. If neither of these options
are used the default is whatever was set when the binutils were configured.
* readelf and objdump now have a newly added option --sframe which dumps the
SFrame section.
* Add support for Intel RAO-INT instructions.
* Add support for Intel AVX-NE-CONVERT instructions.
* Add support for Intel MSRLIST instructions.
* Add support for Intel WRMSRNS instructions.
* Add support for Intel CMPccXADD instructions.
* Add support for Intel AVX-VNNI-INT8 instructions.
* Add support for Intel AVX-IFMA instructions.
* Add support for Intel PREFETCHI instructions.
* Add support for Intel AMX-FP16 instructions.
* gas now supports --compress-debug-sections=zstd to compress
debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,
XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,
XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head
ISA manual, which are implemented in the Allwinner D1.
* Add support for the RISC-V Zawrs extension, version 1.0-rc4.
* Add support for Cortex-X1C for Arm.
* New command line option --gsframe to generate SFrame unwind information
on x86_64 and aarch64 targets.
* The linker has a new command line option to suppress the generation of any
warning or error messages. This can be useful when there is a need to create
a known non-working binary. The option is -w or --no-warnings.
* ld now supports zstd compressed debug sections. The new option
- -compress-debug-sections=zstd compresses debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Remove support for -z bndplt (MPX prefix instructions).
- Rebased patches: add-ulp-section.diff, ld-relro.diff, binutils-revert-plt32-in-branches.diff,
cross-avr-size.patch.
- Removed patch: binutils-pr29482.diff.
- New patch: extensa-gcc-4_3-fix.diff.
- Includes fixes for these CVEs:
* bnc#1206080 aka CVE-2022-4285 aka PR29699
- Enable by default: --enable-colored-disassembly.
- fix build on x86_64_vX platforms
- Add binutils-maxpagesize.diff for a problem on old code
streams, where we would generate too large binaries.
- s390-pic-dso.diff: use %pB instead of %B
- SLE toolchain update of binutils. Update to 2.39 from 2.37,
which means obsoleting and hence removing these patches:
binutils-add-efi-aarch64-1.diff, binutils-add-efi-aarch64-2.diff,
binutils-add-efi-aarch64-3.diff, binutils-fix-keepdebug.diff,
binutils-add-z16-name.diff.
Implements [jsc#SLE-25046, jsc#PED-2029, jsc#PED-2035, jsc#PED-2033,
jsc#PED-2030, jsc#PED-2038, jsc#PED-2032, jsc#PED-2034, jsc#PED-2031,
jsc#SLE-25047]
- This fixes these CVEs relative to 2.37:
[bsc#1188374, bsc#1185597] aka (GCC) PR99935 aka CVE-2021-3648
[bsc#1193929] aka PR28694 aka CVE-2021-45078
[bsc#1194783] aka (GCC) PR98886 aka CVE-2021-46195
[bsc#1197592] aka (GCC) PR105039 aka CVE-2022-27943
[bsc#1202966] aka PR29289 aka CVE-2022-38126
[bsc#1202967] aka PR29290 aka CVE-2022-38127
[bsc#1202969] aka CVE-2021-3826
- add arm32-avoid-copyreloc.patch for PR16177 (bsc#1200962)
- Add binutils-pr29482.diff for PR29482, aka CVE-2022-38533
[bsc#1202816]
- Rebase binutils-2.39-branch.diff.gz that contains fix for PR29451.
- Add binutils-2.39-branch.diff.gz.
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Update to binutils 2.39:
* The ELF linker will now generate a warning message if the stack is made
executable. Similarly it will warn if the output binary contains a
segment with all three of the read, write and execute permission
bits set. These warnings are intended to help developers identify
programs which might be vulnerable to attack via these executable
memory regions.
The warnings are enabled by default but can be disabled via a command
line option. It is also possible to build a linker with the warnings
disabled, should that be necessary.
* The ELF linker now supports a --package-metadata option that allows
embedding a JSON payload in accordance to the Package Metadata
specification.
* In linker scripts it is now possible to use TYPE=<type> in an output
section description to set the section type value.
* The objdump program now supports coloured/colored syntax
highlighting of its disassembler output for some architectures.
(Currently: AVR, RiscV, s390, x86, x86_64).
* The nm program now supports a --no-weak/-W option to make it ignore
weak symbols.
* The readelf and objdump programs now support a -wE option to prevent
them from attempting to access debuginfod servers when following
links.
* The objcopy program's --weaken, --weaken-symbol, and
- -weaken-symbols options now works with unique symbols as well.
- Rebase binutils-compat-old-behaviour.diff, binutils-revert-hlasm-insns.diff,
binutils-revert-plt32-in-branches.diff and remove binutils-2.38-branch.diff.gz.
- For now use --disable-gprofng.
- Includes fixes for these CVEs:
bnc#1142579 aka CVE-2019-1010204 aka PR23765
(Fake entry from SLE for tracking purposes:)
- ca-certificates-mozilla
-
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
Removed CAs:
- Global Chambersign Root
- EC-ACC
- Network Solutions Certificate Authority
- Staat der Nederlanden EV Root CA
- SwissSign Platinum CA - G2
Added CAs:
- DIGITALSIGN GLOBAL ROOT ECDSA CA
- DIGITALSIGN GLOBAL ROOT RSA CA
- Security Communication ECC RootCA1
- Security Communication RootCA3
Changed trust:
- TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle "valid before nov 30 2022"
and it is not clear how many certs were issued for SSL middleware by TrustCor:
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- TrustCor ECA-1
Patch: remove-trustcor.patch
- catatonit
-
- Update to catatonit v0.2.0.
* Change license to GPL-2.0-or-later.
- Remove upstreamed patches:
- 99bb9048f.patch
- Update to catatont v0.1.7
- This release adds the ability for catatonit to be used as the only
process in a pause container, by passing the -P flag (in this mode no
subprocess is spawned and thus no signal forwarding is done).
- Add 99bb9048f.patch: configure.ac: call AM_INIT_AUTOMAKE only
once. Fix build with autocnf 2.71 / automake 1.16.5.
- Update to catatonit v0.1.6, which fixes a few bugs -- mainly ones related to
socket activation or features somewhat adjacent to socket activation (such as
passing file descriptors).
- Update catatonit-rpmlintrc in order to cover that static binaries are now an
error not a warning.
- cloud-netconfig
-
- Update to version 1.8:
+ Fix Azure metadata check (bsc#1214715)
+ Fix cleanup on ifdown
- Update to version 1.7:
+ Overhaul policy routing setup (issue #19)
+ Support alias IPv4 ranges (issue #14)
+ Add support for NetworkManager (bsc#1204549)
+ Remove dependency on netconfig
+ Install into libexec directory
+ Clear stale ifcfg files for accelerated NICs (bsc#1199853)
+ More debug messages
+ Documentation update
- /etc/netconfig.d/ moved to /usr/libexec/netconfig/netconfig.d/ in
Tumbleweed, update path (poo#116221)
- cloud-regionsrv-client
-
- Update to version 10.1.3 (bsc#1214801)
+ Add a warning if we detect a Python package cert bundle for certifi
This will help with debugging and point to potential issues when
using SUSE images in AWS, Azure, and GCE
- Update to version 10.1.2 (bsc#1211282)
+ Properly handle Ipv6 when checking update server responsiveness. If not
available fall back and use IPv4 information
+ Use systemd_ordered to allow use in a container without pulling systemd
into the container as a requirement
- Update to version 10.1.1 (bsc#1210020, bsc#1210021)
+ Clean up the system if baseproduct registraion fails to leave the
system in prestine state
+ Log when the registercloudguest command is invoked with --clean
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
- Removes a warning about system_token entry present in the credentials
file.
- Adds logrotate configuration for log rotation.
- Update to version 10.1.0 (bsc#1207133, bsc#1208097, bsc#1208099 )
- Removes a warning about system_token entry present in the credentials
file.
- Adds logrotate configuration for log rotation.
- Update to version 10.0.8 (bsc#1206428)
- Fix regression introduced by 10.0.7. When the hosts file was modified
such that there is no empty line at the end of the file the content
after removing the registration data does not match the content prior
to registration. The update fixes the issue triggered by an index
logic error.
- Guard dmidecode dependency (bsc#1206082)
- Update to version 10.0.7 (bsc#1191880, bsc#1195925, bsc#1195924)
- Implement functionality to detect if an update server has a new cert.
Import the new cert when it is detected.
- Forward port fix-for-sles12-disable-ipv6.patch
- From 10.0.6 (bsc#1205089)
- Credentials are equal when username and password are the same ignore
other entries in the credentials file
- Handle multiple zypper names in process table, zypper and Zypp-main
to properly detect the running process
- Add patch to block IPv6 on SLE12 (bsc#1203382)
- cluster-glue
-
- ibmhmc stonith needs to be aware of HMC version - ref:_00D1igLOd._5005qAMc5b:ref
(bsc#1203635)
* Add upstream patch:
38.patch
- kernel-default
-
- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: mana: Fix MANA VF unload when hardware is unresponsive
(bsc#1214764).
- commit 5ea585b
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
(bsc#1217780).
- commit 6ad4ac9
- netfilter: conntrack: dccp: copy entire header to stack buffer,
not just basic one (CVE-2023-39197 bsc#1216976).
- commit 5e51ad1
- kernel-binary: suse-module-tools is also required when installed
Requires(pre) adds dependency for the specific sciptlet.
However, suse-module-tools also ships modprobe.d files which may be
needed at posttrans time or any time the kernel is on the system for
generating ramdisk. Add plain Requires as well.
- commit 8c12816
- net/tls: do not free tls_rec on async operation in
bpf_exec_tx_verdict() (bsc#1217332 CVE-2023-6176).
- commit 20678d9
- README.SUSE: fix patches.addon use
It's series, not series.conf in there.
And make it more precise on when the patches are applied.
- commit cb8969c
- Do not store build host name in initrd
Without this patch, kernel-obs-build stored the build host name
in its .build.initrd.kvm
This patch allows for reproducible builds of kernel-obs-build and thus
avoids re-publishing the kernel-obs-build.rpm when nothing changed.
Note that this has no influence on the /etc/hosts file
that is used during other OBS builds.
https://bugzilla.opensuse.org/show_bug.cgi?id=1084909
- commit fd3a75e
- Ensure ia32_emulation is always enabled for kernel-obs-build
If ia32_emulation is disabled by default, ensure it is enabled
back for OBS kernel to allow building 32bit binaries (jsc#PED-3184)
[ms: Always pass the parameter, no need to grep through the config which
may not be very reliable]
- commit 56a2c2f
- kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058
CVE-2023-45863).
- commit 1b6a097
- rpm: Define git commit as macro
- commit bcc92c8
- kernel-source: Move provides after sources
- commit dbbf742
- rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE
Not supported by our compiler.
- commit eb32b5a
- igb: set max size RX buffer when store bad packet is enabled
(bsc#1216259 CVE-2023-45871).
- commit 9445d70
- drm/qxl: fix UAF on handle creation (CVE-2023-39198
bsc#1216965).
- commit a0819bc
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in
HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083).
- commit 0514f90
- perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717).
- commit dbf3f79
- perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717).
Implement KABI fix for above
- commit c397b9e
- rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE
Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes
to fix build on x86_32.
There was a fix submitted to upstream but it was not accepted:
https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/
So carry this in IGNORED_CONFIGS_RE instead.
- commit 7acca37
- Fix patches.suse/io_uring-used-cached-copies-of-sq-dropped-and-cq-ove.patch. (bsc#1214344)
To protect itself against userspace corrupting the counter of io_uring
dropped submission entries, the kernel relies on a cache of the counter
instead of reading the counter directly. But, the stable patch that was
brought to SP3 implementing the this mechanism was done incorrectly, and
let's the kernel read from the userspace value instead of the cache in
one situation. This allows userspace to subvert the counter, hanging the
application forever. Fix the backport to read from the cached value.
5.3 stable is long dead, so there is nothing to fix upstream or in
- stable.
- commit 2f88408
- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
bsc#1210778).
- commit cf2c572
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 3cd9fd7
- USB: ene_usb6250: Allocate enough memory for full object
(bsc#1216051 CVE-2023-45862).
- commit 850ea88
- bpf: Fix incorrect verifier pruning due to missing register
precision taints (bsc#1215518 CVE-2023-2163).
- commit 37a3998
- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
xsa-441, cve-2023-34324).
- commit 4227b23
- KVM: x86: fix sending PV IPI (git-fixes, bsc#1210853,
bsc#1216134).
- commit 9a0276d
- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
CVE-2023-39189).
- commit c154d64
- btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() (bsc#1212051 CVE-2023-3111).
- commit 2048118
- doc/README.PATCH-POLICY.SUSE: Convert the document to Markdown
(jsc#PED-5021)
- commit c05cfc9
- doc/README.SUSE: Convert the document to Markdown (jsc#PED-5021)
- commit bff5e3e
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860).
- commit 267cf38
- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
bsc#1215861).
- commit 1bf7dab
- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
bsc#1215860).
- commit 6fc23b4
- netfilter: xt_u32: validate user space input (CVE-2023-39192
bsc#1215858).
- commit 5f8a021
- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
bsc#1215467).
- commit ecc7c7a
- btrfs: fix root ref counts in error handling in
btrfs_get_root_ref (bsc#1214351 CVE-2023-4389).
- commit 14e72e8
- doc/README.PATCH-POLICY.SUSE: Remove the list of links (jsc#PED-5021)
All links have been incorporated into the text. Remove now unnecessary
list at the end of the document.
- commit 43d62b1
- doc/README.SUSE: Adjust heading style (jsc#PED-5021)
* Underscore all headings as a preparation for Markdown conversion.
* Use title-style capitalization for the document name and
sentence-style capitalization for section headings, as recommended in
the current SUSE Documentation Style Guide.
- commit 11e3267
- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro
for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150).
- commit c0f449e
- tcp: Reduce chance of collisions in inet6_hashfn()
(CVE-2023-1206 bsc#1212703).
- commit fdc3ce8
- doc/README.PATCH-POLICY.SUSE: Reflow text to 80-column width
(jsc#PED-5021)
- commit be0158c
- doc/README.PATCH-POLICY.SUSE: Update information about the tools
(jsc#PED-5021)
* Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira.
* Limit the range of commits in the exportpatch example to prevent it
from running for too long.
* Incorporate URLs directly into the text.
* Fix typos and improve some wording, in particular avoid use of "there
is/are" and prefer the present tense over the future one.
- commit c0bea0c
- doc/README.PATCH-POLICY.SUSE: Update information about the patch
format (jsc#PED-5021)
* Replace bugzilla.novell.com with bugzilla.suse.com and FATE with Jira.
* Remove references to links to the patchtools and kernel source. They
are incorporated in other parts of the text.
* Use sentence-style capitalization for section headings, as recommended
in the current SUSE Documentation Style Guide.
* Fix typos and some wording, in particular avoid use of "there is/are".
- commit ce98345
- doc/README.PATCH-POLICY.SUSE: Update the summary and background
(jsc#PED-5021)
* Drop information about patches being split into directories per
a subsystem because that is no longer the case.
* Remove the mention that the expanded tree is present since SLE11-SP2
as that is now only a historical detail.
* Incorporate URLs and additional information in parenthenses directly
into the text.
* Fix typos and improve some wording.
- commit 640988f
- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
bsc#1215275).
- commit b3e4331
- kernel-binary: Move build-time definitions together
Move source list and build architecture to buildrequires to aid in
future reorganization of the spec template.
- commit 30e2cef
- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit 762ac00
- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit dbfee2b
- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit f91897c
- x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes).
- commit 748cc55
- Update
patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
(bsc#1207036 CVE-2023-23454)
Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12.
- commit bd0b138
- kernel-binary: python3 is needed for build
At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18
Other simimlar scripts may exist.
- commit c882efa
- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
(CVE-2023-4622 bsc#1215117).
- commit bd1d942
- net/sched: sch_hfsc: Ensure inner classes have fsc curve
(CVE-2023-4623 bsc#1215115).
- commit 0cd315e
- cec-api: prevent leaking memory through hole in structure
(CVE-2020-36766 bsc#1215299).
- commit d226bc0
- doc/README.SUSE: Reflow text to 80-column width (jsc#PED-5021)
- commit e8f2c67
- doc/README.SUSE: Minor content clean up (jsc#PED-5021)
* Mark the user's build directory as a variable, not a command:
'make -C $(your_build_dir)' -> 'make -C $YOUR_BUILD_DIR'.
* Unify how to get the current directory: 'M=$(pwd)' -> 'M=$PWD'.
* 'GIT' / 'git' -> 'Git'.
- commit 1cb4ec8
- doc/README.SUSE: Update information about module paths
(jsc#PED-5021)
* Use version variables to describe names of the
/lib/modules/$VERSION-$RELEASE-$FLAVOR/... directories
instead of using specific example versions which get outdated quickly.
* Note: Keep the /lib/modules/ prefix instead of using the new
/usr/lib/modules/ location for now. The updated README is expected to
be incorporated to various branches that are not yet usrmerged.
- commit 7eba2f0
- doc/README.SUSE: Update information about custom patches
(jsc#PED-5021)
* Replace mention of various patches.* directories with only
patches.suse as the typical location for patches.
* Replace i386 with x86_64 in the example how to define a config addon.
* Fix some typos and wording.
- commit 2997d22
- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
to race condition (bsc#1215206, CVE-2023-1859).
- commit fe5b126
- doc/README.SUSE: Update information about config files
(jsc#PED-5021)
* Use version variables to describe a name of the /boot/config-... file
instead of using specific example versions which get outdated quickly.
* Replace removed silentoldconfig with oldconfig.
* Mention that oldconfig can automatically pick a base config from
"/boot/config-$(uname -r)".
* Avoid writing additional details in parentheses, incorporate them
instead properly in the text.
- commit cba5807
- sctp: leave the err path free in sctp_stream_init to
sctp_stream_free (CVE-2023-2177 bsc#1210643).
- commit 2ef1e9d
- netfilter: nftables: exthdr: fix 4-byte stack OOB write
(CVE-2023-4881 bsc#1215221).
- commit 780699b
- doc/README.SUSE: Update the patch selection section
(jsc#PED-5021)
* Make the steps how to obtain expanded kernel source more generic in
regards to version numbers.
* Use '#' instead of '$' as the command line indicator to signal that
the steps need to be run as root.
* Update the format of linux-$SRCVERSION.tar.bz2 to xz.
* Improve some wording.
- commit e14852c
- doc/README.SUSE: Update information about (un)supported modules
(jsc#PED-5021)
* Update the list of taint flags. Convert it to a table that matches the
upstream documentation format and describe specifically flags that are
related to module support status.
* Fix some typos and wording.
- commit e46f0df
- doc/README.SUSE: Bring information about compiling up to date
(jsc#PED-5021)
* When building the kernel, don't mention to initially change the
current directory to /usr/src/linux because later description
discourages it and specifies to use 'make -C /usr/src/linux'.
* Avoid writing additional details in parentheses, incorporate them
instead properly in the text.
* Fix the obsolete name of /etc/modprobe.d/unsupported-modules ->
/etc/modprobe.d/10-unsupported-modules.conf.
* Drop a note that a newly built kernel should be added to the boot
manager because that normally happens automatically when running
'make install'.
* Update a link to the Kernel Module Packages Manual.
* When preparing a build for external modules, mention use of the
upstream recommended 'make modules_prepare' instead of a pair of
'make prepare' + 'make scripts'.
* Fix some typos+grammar.
- commit b9b7e79
- doc/README.SUSE: Bring the overview section up to date
(jsc#PED-5021)
* Update information in the overview section that was no longer
accurate.
* Improve wording and fix some typos+grammar.
- commit 798c075
- doc/README.SUSE: Update the references list (jsc#PED-5021)
* Remove the reference to Linux Documentation Project. It has been
inactive for years and mostly contains old manuals that aren't
relevant for contemporary systems and hardware.
* Update the name and link to LWN.net. The original name "Linux Weekly
News" has been deemphasized over time by its authors.
* Update the link to Kernel newbies website.
* Update the reference to The Linux Kernel Module Programming Guide. The
document has not been updated for over a decade but it looks its
content is still relevant for today.
* Point Kernel Module Packages Manual to the current version.
* Add a reference to SUSE SolidDriver Program.
- commit 0edac75
- doc/README.SUSE: Update title information (jsc#PED-5021)
* Drop the mention of kernel versions from the readme title.
* Remove information about the original authors of the document. Rely as
in case of other readmes on Git metadata to get information about all
contributions.
* Strip the table of contents. The document is short and easy to
navigate just by scrolling through it.
- commit 06f5139
- doc/README.SUSE: Update information about DUD (jsc#PED-5021)
Remove a dead link to description of Device Update Disks found
previously on novell.com. Replace it with a short section summarizing
what DUD is and reference the mkdud + mksusecd tools and their
documentation for more information.
- commit 7eeba4e
- Delete patches.suse/genksyms-add-override-flag.diff.
The override flag is no longer used in kernel-binary.
- commit 79d5655
- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
Genksyms has functionality to specify an override for each type in
a symtypes reference file. This override is then used instead of an
actual type and allows to preserve modversions (CRCs) of symbols that
reference the type. It is kind of an alternative to doing kABI fix-ups
with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
genksyms --preserve option which primarily tells the tool to strictly
verify modversions against a given reference file or fail.
Downstream patch patches.suse/genksyms-add-override-flag.diff which is
present in various kernel-source branches separates the override logic.
It allows it to be enabled with a new --override flag and used without
specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
file is then a way how the build is told that --override should be
passed to all invocations of genksyms. This was needed for SUSE kernels
because their build doesn't use --preserve but instead resulting CRCs
are later checked by scripts/kabi.pl.
However, this override functionality was not utilized much in practice
and the only use currently to be found is in SLE11-SP1-LTSS. It means
that no one should miss this option and KBUILD_OVERRIDE=1 together with
patches.suse/genksyms-add-override-flag.diff can be removed.
Notes for maintainers merging this commit to their branches:
* Downstream patch patches.suse/genksyms-add-override-flag.diff can be
dropped after merging this commit.
* Branch SLE11-SP1-LTSS uses the mentioned override functionality and
this commit should not be merged to it, or needs to be reverted
afterwards.
- commit 4aa02b8
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
(bsc#1214233 CVE-2023-40283).
- commit 11dc4cc
- x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
(git-fixes).
- commit f5c624d
- drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402)
- commit 5b2dbae
- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
CVE-2023-1192).
- commit 87f52bf
- rpm/mkspec-dtb: support for nested subdirs
Commit 724ba6751532 ("ARM: dts: Move .dts files to vendor
sub-directories") moved the dts to nested subdirs, add a support for
that. That is, generate a %dir entry in %files for them.
- commit 6484eda
- x86/speculation: Add cpu_show_gds() prototype (git-fixes).
- commit e3d45b8
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- commit 267ee7a
- blacklist.conf: Blacklist redundant docu patch
- commit edd8e67
- Sort recent security patches
- commit df76142
- Refresh patches.suse/x86-srso-add-ibpb.patch.
Refresh patches.suse/x86-srso-add-ibpb-on-vmexit.patch.
- commit 73f5acb
- Input: cyttsp4_core - change del_timer_sync() to
timer_shutdown_sync() (bsc#1213971 CVE-2023-4134).
- commit 3ffe891
- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588).
- commit 334880d
- x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588).
- commit 766c409
- old-flavors: Drop 2.6 kernels.
2.6 based kernels are EOL, upgrading from them is no longer suported.
- commit 7bb5087
- net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459).
- commit 1ac9015
- net: nfc: Fix use-after-free caused by nfc_llcp_find_local
(bsc#1213601 CVE-2023-3863).
- nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601
CVE-2023-3863).
- nfc: llcp: nullify llcp_sock->dev on connect() error paths
(bsc#1213601 CVE-2023-3863).
- commit 9d4529d
- kabi/severities: Ignore newly added SRSO mitigation functions
- commit 0a0322a
- x86/srso: Correct the mitigation status when SMT is disabled (git-fixes).
- commit 3d7f5a4
- x86/srso: Explain the untraining sequences a bit more (git-fixes).
- commit 1e6a656
- x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes).
- commit c15ca97
- x86/cpu: Cleanup the untrain mess (git-fixes).
- commit cd34a3b
- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- commit 802582f
- xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666
CVE-2023-3772).
- commit fdc40c6
- x86/cpu: Rename original retbleed methods (git-fixes).
- commit 777d52c
- x86/srso: Disable the mitigation on unaffected configurations (git-fixes).
- commit 8b3e1dc
- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes).
- commit 9183a18
- Update config files. Drop the dpt_i2o kernel module.
For: jsc#PED-4579, CVE-2023-2007
- commit 6a43698
- fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385).
- commit ee83171
- mkspec: Allow unsupported KMPs (bsc#1214386)
- commit 55d8b82
- check-for-config-changes: ignore BUILTIN_RETURN_ADDRESS_STRIPS_PAC (bsc#1214380).
gcc7 on SLE 15 does not support this while later gcc does.
- commit 5b41c27
- net: vmxnet3: fix possible use-after-free bugs in
vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387).
- commit 0fa208f
- io_uring: Acquire completion_lock around io_get_deferred_req
(bsc#1213272 CVE-2023-21400).
- commit 84db304
- kernel-binary: Common dependencies cleanup
Common dependencies are copied to a subpackage, there is no need for
copying defines or build dependencies there.
- commit 254b03c
- kernel-binary: Drop code for kerntypes support
Kerntypes was a SUSE-specific feature dropped before SLE 12.
- commit 2c37773
- media: usb: siano: Fix warning due to null work_func_t function
pointer (bsc#1213969 CVE-2023-4132).
- commit c44d7c3
- media: usb: siano: Fix use after free bugs caused by
do_submit_urb (bsc#1213969 CVE-2023-4132).
- commit a27f430
- net/sched: cls_route: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_fw: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_u32: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- commit ea3bad4
- exfat: check if filename entries exceeds max filename length
(bsc#1214120 CVE-2023-4273).
- commit d8c4244
- series.conf: resort
- commit b2ee92a
- cxgb4: fix use after free bugs caused by circular dependency
problem (bsc#1213970 CVE-2023-4133).
- timers: Provide timer_shutdown[_sync]() (bsc#1213970).
- timers: Add shutdown mechanism to the internal functions
(bsc#1213970).
- timers: Split [try_to_]del_timer[_sync]() to prepare for
shutdown mode (bsc#1213970).
- timers: Silently ignore timers with a NULL function
(bsc#1213970).
- timers: Rename del_timer() to timer_delete() (bsc#1213970).
- timers: Rename del_timer_sync() to timer_delete_sync()
(bsc#1213970).
- timers: Use del_timer_sync() even on UP (bsc#1213970).
- timers: Update kernel-doc for various functions (bsc#1213970).
- timers: Replace BUG_ON()s (bsc#1213970).
- clocksource/drivers/sp804: Do not use timer namespace for
timer_shutdown() function (bsc#1213970).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace
for timer_shutdown() function (bsc#1213970).
- ARM: spear: Do not use timer namespace for timer_shutdown()
function (bsc#1213970).
- commit 6a1c404
- xen/netback: Fix buffer overrun triggered by unusual packet
(CVE-2023-34319, XSA-432, bsc#1213546).
- commit 3617080
- x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569).
- commit 7214312
- net: tun_chr_open(): set sk_uid from current_fsuid()
(CVE-2023-4194 bsc#1214019).
- commit 25c979d
- net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194
bsc#1214019).
- commit b03d1d8
- Fix kabi when adding new cpuid leaves
- commit 672a07c
- x86/microcode/AMD: Make stub function static inline
(bsc#1213868).
- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- commit f587833
- mm: Move mm_cachep initialization to mm_init() (bsc#1206418, CVE-2022-40982).
- commit 0535132
- bpf: add missing header file include (bsc#1211738
CVE-2023-0459).
- commit 0e6ab49
- x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569).
- commit ae3c2fa
- x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569).
- commit 5b3cdef
- x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569).
- commit 675ebdf
- x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569).
- Refresh patches.suse/x86-cpufeatures-add-kabi-padding.patch.
- commit c41fd97
- x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569).
- commit f38b004
- x86: Sanitize linker script (bsc#1213287, CVE-2023-20569).
- commit 09403df
- x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569).
- commit 8d91ff3
- x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569).
- commit 793278d
- kernel-binary.spec.in: Remove superfluous %% in Supplements
Fixes: 02b7735e0caf ("rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs")
- commit 264db74
- net/sched: sch_qfq: account for stab overhead in qfq_enqueue
(CVE-2023-3611 bsc#1213585).
- net/sched: sch_qfq: refactor parsing of netlink parameters
(bsc#1213585).
- blacklist follow-up commit 158810b261d0 ("net/sched: sch_qfq: reintroduce
lmax bound check for MTU") as unlike the original upstream commit, our
backport does not remove the check
- commit 609da2e
- net/sched: cls_u32: Fix reference counter leak leading to
overflow (CVE-2023-3609 bsc#1213586).
- commit b22e9b9
- net/sched: cls_fw: Fix improper refcount update leads to
use-after-free (CVE-2023-3776 bsc#1213588).
- commit b7fc513
- vc_screen: don't clobber return value in vcs_read (bsc#1213167
CVE-2023-3567).
- vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167
CVE-2023-3567).
- vc_screen: move load of struct vc_data pointer in vcs_read()
to avoid UAF (bsc#1213167 CVE-2023-3567).
- commit da930b7
- cifs: fix open leaks in open_cached_dir() (bsc#1209342).
- commit e2c659c
- x86/xen: Fix secondary processors' FPU initialization (bsc#1206418, CVE-2022-40982).
- commit f282169
- x86/fpu: Move FPU initialization into arch_cpu_finalize_init() (bsc#1206418, CVE-2022-40982).
- commit 20a8af1
- x86/fpu: Mark init functions __init (bsc#1206418, CVE-2022-40982).
- commit 60b7d17
- x86/fpu: Remove cpuinfo argument from init functions (bsc#1206418).
- commit afe8e9c
- init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() (bsc#1206418).
- commit aaaa10e
- init: Invoke arch_cpu_finalize_init() earlier (bsc#1206418).
- commit 72e1eef
- init: Remove check_bugs() leftovers (bsc#1206418).
- commit 1803c8e
- ARM: cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit 99d17d8
- x86/cpu: Switch to arch_cpu_finalize_init() (bsc#1206418).
- commit 7f259ee
- x86/mm: Initialize text poking earlier (bsc#1206418, CVE-2022-40982).
- Refresh patches.suse/init-provide-arch_cpu_finalize_init.patch.
- commit ba0b82d
- init: Provide arch_cpu_finalize_init() (bsc#1206418).
- commit d631cc2
- x86/mm: fix poking_init() for Xen PV guests (bsc#1206418, CVE-2022-40982).
- commit 8b3a58e
- x86/mm: Use mm_alloc() in poking_init() (bsc#1206418, CVE-2022-40982).
- commit 3c8681c
- rpm/mkspec-dtb: add riscv64 dtb-allwinner subpackage
- commit ec82ffc
- net: tun: fix bugs for oversize packet when napi frags enabled
(bsc#1213543 CVE-2023-3812).
- commit 5e9be17
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
(CVE-2023-35001 bsc#1213059).
- commit b0acbe2
- uaccess: Add speculation barrier to copy_from_user()
(bsc#1211738 CVE-2023-0459).
- commit 93eec59
- netfilter: nf_tables: incorrect error path handling with
NFT_MSG_NEWRULE (CVE-2023-3390 CVE-2023-3117 bsc#1212846
bsc#1213245).
- commit 176a7df
- KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982).
- commit 72be075
- x86/speculation: Add Kconfig option for GDS (bsc#1206418, CVE-2022-40982).
- commit 39c660b
- x86/speculation: Add force option to GDS mitigation (bsc#1206418, CVE-2022-40982).
- commit 04c8801
- x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982).
- commit eb47a6f
- Refresh
patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch.
- commit 6bb3804
- x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593).
- commit c2a9155
- x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593).
- commit d7a9bc3
- rpm: Update dependency to match current kmod.
- commit d687dc3
- keys: Do not cache key in task struct if key is requested from
kernel thread (bsc#1213354).
- commit 3915cd3
- net: mana: Add support for vlan tagging (bsc#1212301).
- commit 561f9d7
- fs: hfsplus: fix UAF issue in hfsplus_put_super (bsc#1211867, CVE-2023-2985).
- commit e01b911
- rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME
They depend on CONFIG_TOOLCHAIN_HAS_*.
- commit 1007103
- ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size (bsc#1210584).
- ubi: ensure that VID header offset + VID header size <= alloc,
size (bsc#1210584).
- commit 8f5f025
- keys: Fix linking a duplicate key to a keyring's assoc_array
(bsc#1207088).
- commit b465602
- Remove more packaging cruft for SLE < 12 SP3
- commit a16781c
- Get module prefix from kmod (bsc#1212835).
- commit f6691b0
- rpm/check-for-config-changes: ignore also PAHOLE_HAS_*
We now also have options like CONFIG_PAHOLE_HAS_LANG_EXCLUDE.
- commit 86b52c1
- usrmerge: Adjust module path in the kernel sources (bsc#1212835).
With the module path adjustment applied as source patch only
ALP/Tumbleweed kernel built on SLE/Leap needs the path changed back to
non-usrmerged.
- commit dd9a820
- ipvlan:Fix out-of-bounds caused by unclear skb->cb (bsc#1212842
CVE-2023-3090).
- commit ddb6922
- x86/build: Avoid relocation information in final vmlinux
(bsc#1187829).
- commit a354e28
- kernel-docs: Use python3 together with python3-Sphinx (bsc#1212741).
- commit 95a40a6
- HID: intel_ish-hid: Add check for ishtp_dma_tx_map (git-fixes
bsc#1212606 CVE-2023-3358).
- commit 7077c4f
- usb: gadget: udc: renesas_usb3: Fix use after free bug
in renesas_usb3_remove due to race condition (bsc#1212513
CVE-2023-35828).
- commit 1f06f62
- binfmt_elf: Take the mmap lock when walking the VMA list
(bsc#1209039 CVE-2023-1249).
- commit 3f46ff2
- bluetooth: Perform careful capability checks in hci_sock_ioctl()
(bsc#1210533 CVE-2023-2002).
- commit cb86eb0
- relayfs: fix out-of-bounds access in relay_file_read
(bsc#1212502 CVE-2023-3268).
- kernel/relay.c: fix read_pos error when multiple readers
(bsc#1212502 CVE-2023-3268).
- commit 73e4027
- media: dm1105: Fix use after free bug in dm1105_remove due to
race condition (bsc#1212501 CVE-2023-35824).
- commit 0c9d507
- media: saa7134: fix use after free bug in saa7134_finidev due
to race condition (bsc#1212494 CVE-2023-35823).
- commit 61b38d8
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
(CVE-2023-35788 bsc#1212504).
- commit 865936b
- Drop a buggy dvb-core fix patch (bsc#1205758)
Also the kabi workaround is dropped, too
- commit 7ace3fb
- kernel-docs: Add buildrequires on python3-base when using python3
The python3 binary is provided by python3-base.
- commit c5df526
- fbcon: Check font dimension limits (CVE-2023-3161 bsc#1212154).
- commit 6f6d21f
- Move setting %%build_html to config.sh
- commit 3f65cd5
- memstick: r592: Fix UAF bug in r592_remove due to race condition
(CVE-2023-3141 bsc#1212129 bsc#1211449).
- commit 4d760e7
- firewire: fix potential uaf in outbound_phy_packet_callback()
(CVE-2023-3159 bsc#1212128).
- commit 444321d
- Fix missing top level chapter numbers on SLE12 SP5 (bsc#1212158).
- commit 7ebcbd5
- Move setting %%split_optional to config.sh
- commit 8b0828d
- Move setting %%supported_modules_check to config.sh
- commit d9c64aa
- rpm/kernel-docs.spec.in: pass PYTHON=python3 to fix build error (bsc#1160435)
- commit 799f050
- rpm/kernel-binary.spec.in: Fix compatibility wth newer rpm
- commit 334fb4d
- Also include kernel-docs build requirements for ALP
- commit 114d088
- Move the kernel-binary conflicts out of the spec file.
Thie list of conflicting packages varies per release.
To reduce merge conflicts move the list out of the spec file.
- commit 4d81125
- sched/rt: pick_next_rt_entity(): check list_entry (bsc#1208600 CVE-2023-1077)
- commit a8f82d0
- Avoid unsuported tar parameter on SLE12
- commit f11765a
- gve: Remove the code of clearing PBA bit (bsc#1211519).
- gve: Secure enough bytes in the first TX desc for all TCP pkts
(bsc#1211519).
- gve: Cache link_speed value from device (bsc#1211519).
- gve: Handle alternate miss completions (bsc#1211519).
- gve: Adding a new AdminQ command to verify driver (bsc#1211519).
- gve: Fix error return code in gve_prefill_rx_pages()
(bsc#1211519).
- gve: Reduce alloc and copy costs in the GQ rx path
(bsc#1211519).
- gve: Fix GFP flags when allocing pages (bsc#1211519).
- google/gve:fix repeated words in comments (bsc#1211519).
- gve: Fix spelling mistake "droping" -> "dropping" (bsc#1211519).
- gve: enhance no queue page list detection (bsc#1211519).
- commit c8de18e
- Move obsolete KMP list into a separate file.
The list of obsoleted KMPs varies per release, move it out of the spec
file.
- commit 016bc55
- Trim obsolete KMP list.
SLE11 is out of support, we do not need to handle upgrading from SLE11
SP1.
- commit 08819bb
- Generalize kernel-doc build requirements.
- commit 23b058f
- kernel-binary: Add back kernel-default-base guarded by option
Add configsh option for splitting off kernel-default-base, and for
not signing the kernel on non-efi
- commit 28c22af
- Drivers: hv: vmbus: Optimize vmbus_on_event (bsc#1211622).
- scsi: storvsc: Parameterize number hardware queues
(bsc#1211622).
- commit 899d710
- usrmerge: Compatibility with earlier rpm (boo#1211796)
- commit 2191d32
- Fix usrmerge error (boo#1211796)
- commit da84579
- Update References
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
(bsc#1198400 bsc#1209779 CVE-2023-1637).
- commit 23e11e7
- tcp: Fix data races around icsk->icsk_af_ops (bsc#1204405
CVE-2022-3566).
- commit d1f836b
- Remove usrmerge compatibility symlink in buildroot (boo#1211796)
Besides Makefile depmod.sh needs to be patched to prefix /lib/modules.
Requires corresponding patch to kmod.
- commit b8e00c5
- Update
patches.suse/netfilter-x_tables-use-correct-memory-barriers.patch
(bsc#1184208 CVE-2021-29650 bsc#1211596 CVE-2020-36694).
- commit 0092ed2
- HID: asus: use spinlock to safely schedule workers (bsc#1208604
CVE-2023-1079).
- commit df4ce9a
- HID: asus: use spinlock to protect concurrent accesses
(bsc#1208604 CVE-2023-1079).
- commit 4b7a2e4
- ipv6: sr: fix out-of-bounds read when setting HMAC data
(bsc#1211592).
- commit f37c1a1
- power: supply: bq24190: Fix use after free bug in bq24190_remove
due to race condition (CVE-2023-33288 bsc#1211590).
- commit 3e2047c
- kernel-source: Remove unused macro variant_symbols
- commit 915ac72
- media: dvb_net: kABI workaround (CVE-2022-45886 bsc#1205760).
- media: dvb_frontend: kABI workaround (CVE-2022-45885
bsc#1205758).
- commit c99685c
- media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
(CVE-2022-45887 bsc#1205762).
- media: dvb-core: Fix use-after-free due to race condition at
dvb_ca_en50221 (CVE-2022-45919 bsc#1205803).
- media: dvb-core: Fix use-after-free due to race at
dvb_register_device() (CVE-2022-45884 bsc#1205756).
- media: dvb-core: Fix use-after-free due on race condition at
dvb_net (CVE-2022-45886 bsc#1205760).
- media: dvb-core: Fix kernel WARNING for blocking operation in
wait_event*() (CVE-2023-31084 bsc#1210783).
- media: dvb-core: Fix use-after-free on race condition at
dvb_frontend (CVE-2022-45885 bsc#1205758).
- commit f5d1bea
- media: dvbdev: fix error logic at dvb_register_device()
(CVE-2022-45884 bsc#1205756).
- media: dvbdev: Fix memleak in dvb_register_device
(CVE-2022-45884 bsc#1205756).
- media: media/dvb: Use kmemdup rather than duplicating its
implementation (CVE-2022-45884 bsc#1205756).
- commit fa580d0
- net: sched: sch_qfq: prevent slab-out-of-bounds in
qfq_activate_agg (bsc#1210940 CVE-2023-31436).
- commit eeb865d
- i2c: xgene-slimpro: Fix out-of-bounds bug in
xgene_slimpro_i2c_xfer() (bsc#1210715 CVE-2023-2194).
- commit e9b03ca
- netrom: Fix use-after-free caused by accept on already
connected socket (bsc#1211186 CVE-2023-32269).
- commit e76516d
- rpm/constraints.in: Increase disk size constraint for riscv64 to 52GB
- commit 1c1a4cd
- netfilter: nf_tables: deactivate anonymous set from preparation
phase (CVE-2023-32233 bsc#1211043).
- commit 8d253dc
- act_mirred: use the backlog for nested calls to mirred ingress
(CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: better wording on protection against
excessive stack growth (CVE-2022-4269 bsc#1206024).
- net/sched: act_mirred: refactor the handle of xmit
(CVE-2022-4269 bsc#1206024).
- commit c36d39a
- wifi: brcmfmac: slab-out-of-bounds read in
brcmf_get_assoc_ies() (bsc#1209287 CVE-2023-1380).
- commit 238a208
- Remove obsolete rpm spec constructs
defattr does not need to be specified anymore
buildroot does not need to be specified anymore
- commit c963185
- kernel-spec-macros: Fix up obsolete_rebuilds_subpackage to generate
obsoletes correctly (boo#1172073 bsc#1191731).
rpm only supports full length release, no provides
- commit c9b5bc4
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
(bsc#1206878 bsc#1211105 CVE-2023-2513).
- commit 2a8658b
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878
bsc#1211105 CVE-2023-2513).
- commit 880db90
- kernel-binary: install expoline.o (boo#1210791 bsc#1211089)
- commit d6c8c20
- net: qcom/emac: Fix use after free bug in emac_remove due to
race condition (bsc#1211037 CVE-2023-2483).
- commit d3abec2
- Update patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
Fix the missing the bsc# prefix for the bug number in the References tag.
- commit 704a6c4
- timens: Forbid changing time namespace for an io_uring process
(bsc#1208474 CVE-2023-23586).
- commit 89cf4b3
- xfs: verify buffer contents when we skip log replay (bsc#1210498
CVE-2023-2124).
- commit 8eed3d3
- io_uring: prevent race on registering fixed files (1210414
CVE-2023-1872).
- commit e53cfa3
- KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS
(bsc#1206992 CVE-2022-2196).
- commit f66a218
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach
(bsc#1209871 CVE-2023-1670).
- commit cfec974
- Drivers: vmbus: Check for channel allocation before looking
up relids (git-fixes).
- commit 224a98a
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost
ipaddress (bsc#1210647 CVE-2023-2162).
- commit d0a859e
- RDMA/core: Refactor rdma_bind_addr (bsc#1210629 CVE-2023-2176)
- commit 5886145
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (bsc#1210629 CVE-2023-2176)
- commit 8b6288f
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1210629 CVE-2023-2176)
- commit c706a03
- RDMA/cma: Make the locking for automatic state transition more clear (bsc#1210629 CVE-2023-2176)
- commit 7a43827
- x86/speculation: Allow enabling STIBP with legacy IBRS
(bsc#1210506 CVE-2023-1998).
- commit 4ee927b
- cifs: fix negotiate context parsing (bsc#1210301).
- commit 5d87bbe
- power: supply: da9150: Fix use after free bug in
da9150_charger_remove due to race condition (CVE-2023-30772
bsc#1210329).
- commit 61aa622
- k-m-s: Drop Linux 2.6 support
- commit 22b2304
- Remove obsolete KMP obsoletes (bsc#1210469).
- commit 7f325c6
- udmabuf: add back sanity check (git-fixes bsc#1210453
CVE-2023-2008).
- commit b2b9158
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove
due to race condition (CVE-2023-1855 bsc#1210202).
- commit 4401c6f
- netlink: limit recursion depth in policy validation
(CVE-2020-36691 bsc#1209613).
- Refresh
patches.suse/netlink-prevent-potential-spectre-v1-gadgets.patch.
- commit 374a1af
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race
condition (git-fixes bsc#1210337 CVE-2023-1990).
- commit 775e632
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
due to unfinished work (CVE-2023-1989 bsc#1210336).
- commit e27c00d
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv2-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-R.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
- Update
patches.suse/NFSD-Protect-against-send-buffer-overflow-in-NFSv3-Rdir.patch
(bsc#1205128 CVE-2022-43945 bsc#1210124).
Fix performance problem with these patches - bsc@1210124
- commit 4dbd22d
- btrfs: fix race between quota disable and quota assign ioctls
(CVE-2023-1611 bsc#1209687).
- commit 3fdcd22
- Fix double fget() in vhost_net_set_backend() (bsc#1210203
CVE-2023-1838).
- commit 7e671a8
- Define kernel-vanilla as source variant
The vanilla_only macro is overloaded. It is used for determining if
there should be two kernel sources built as well as for the purpose of
determmioning if vanilla kernel should be used for kernel-obs-build.
While the former can be determined at build time the latter needs to be
baked into the spec file template. Separate the two while also making
the latter more generic.
$build_dtbs is enabled on every single rt and azure branch since 15.3
when the setting was introduced, gate on the new $obs_build_variant
setting as well.
- commit 36ba909
- series.conf: cleanup
- update upstream references and resort:
- patches.suse/wifi-cfg80211-avoid-nontransmitted-BSS-list-corrupti.patch
- commit 9bae747
- net/ulp: use consistent error code when blocking ULP
(CVE-2023-0461 bsc#1208787).
- net/ulp: prevent ULP without clone op from entering the LISTEN
status (CVE-2023-0461 bsc#1208787).
- commit 028f0fd
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB
It grows and the build fails recently on SLE15-SP4/5.
- commit 41ac816
- rpm/check-for-config-changes: add TOOLCHAIN_NEEDS_* to IGNORED_CONFIGS_RE
This new form was added in commit e89c2e815e76 ("riscv: Handle
zicsr/zifencei issues between clang and binutils").
- commit 234baea
- seq_buf: Fix overflow in seq_buf_putmem_hex() (bsc#1209549
CVE-2023-28772).
- commit 5c5e4d3
- PCI: hv: Add a per-bus mutex state_lock (bsc#1207185).
- Revert "PCI: hv: Fix a timing issue which causes kdump to fail
occasionally" (bsc#1207185).
- PCI: hv: Remove the useless hv_pcichild_state from struct
hv_pci_dev (bsc#1207185).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can
cause panic (bsc#1207185).
- PCI: hv: fix a race condition bug in hv_pci_query_relations()
(bsc#1207185).
- commit 2555bc7
- kvm: initialize all of the kvm_debugregs structure before
sending it to userspace (bsc#1209532 CVE-2023-1513).
- commit bd9c11d
- Bluetooth: Fix double free in hci_conn_cleanup (bsc#1209052
CVE-2023-28464).
- commit 677d920
- net: tls: fix possible race condition between
do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
(bsc#1209366 CVE-2023-28466).
- commit 5f7c4a6
- RDMA/core: Don't infoleak GRH fields (bsc#1209778 CVE-2021-3923)
- commit 50ba48b
- tipc: fix NULL deref in tipc_link_xmit() (bsc#1209289
CVE-2023-1390).
- commit b2c1533
- tun: avoid double free in tun_free_netdev (bsc#1209635
CVE-2022-4744).
- commit c5cf205
- net/sched: tcindex: update imperfect hash filters respecting
rcu (CVE-2023-1281 bsc#1209634).
- commit 97b3f9d
- fs/proc: task_mmu.c: don't read mapcount for migration entry
(CVE-2023-1582, bsc#1209636).
- commit 35d5c42
- af_unix: Get user_ns from in_skb in unix_diag_get_exact()
(bsc#1209290 CVE-2023-28327).
- commit 000517c
- netlink: prevent potential spectre v1 gadgets (bsc#1209547
CVE-2017-5753).
- commit cec3f24
- tipc: add an extra conn_get in tipc_conn_alloc (bsc#1209288
CVE-2023-1382).
- commit 6a58da4
- tipc: set con sock in tipc_conn_alloc (bsc#1209288
CVE-2023-1382).
- commit 06eaf34
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
- commit 890554b
- media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
(bsc#1209291 CVE-2023-28328).
- commit af7b7eb
- rpm/group-source-files.pl: Fix output difference when / is in location
While previous attempt to fix group-source-files.pl in 6d651362c38
"rpm/group-source-files.pl: Deal with {pre,post}fixed / in location"
breaks the infinite loop, it does not properly address the issue. Having
prefixed and/or postfixed forward slash still result in different
output.
This commit changes the script to use the Perl core module File::Spec
for proper path manipulation to give consistent output.
- commit 4161bf9
- Require suse-kernel-rpm-scriptlets at all times.
The kernel packages call scriptlets for each stage, add the dependency
to make it clear to libzypp that the scriptlets are required.
There is no special dependency for posttrans, these scriptlets run when
transactions are resolved. The plain dependency has to be used to
support posttrans.
- commit 56c4dbe
- Replace mkinitrd dependency with dracut (bsc#1202353).
Also update mkinitrd refrences in documentation and comments.
- commit e356c9b
- prlimit: do_prlimit needs to have a speculation check
(bsc#1209256 CVE-2017-5753).
- commit a2ac7fb
- rpm/kernel-obs-build.spec.in: Remove SLE11 cruft
- commit 871eeb4
- rds: rds_rm_zerocopy_callback() correct order for
list_add_tail() (CVE-2023-1078 bsc#1208601).
- rds: rds_rm_zerocopy_callback() use list_first_entry()
(CVE-2023-1078 bsc#1208601).
- commit ec0c93c
- net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075
bsc#1208598).
- commit d651270
- tap: tap_open(): correctly initialize socket uid (CVE-2023-1076
bsc#1208599).
- tun: tun_chr_open(): correctly initialize socket uid
(CVE-2023-1076 bsc#1208599).
- net: add sock_init_data_uid() (CVE-2023-1076 bsc#1208599).
- netfilter: nf_tables: fix null deref due to zeroed list head
(CVE-2023-1095 bsc#1208777).
- commit b65b67b
- cifs: fix use-after-free caused by invalid pointer `hostname`
(bsc#1208971).
- commit d1a37f1
- HID: bigben: use spinlock to safely schedule workers
(CVE-2023-25012 bsc#1207560).
- HID: bigben_worker() remove unneeded check on report_field
(CVE-2023-25012 bsc#1207560).
- HID: bigben: use spinlock to protect concurrent accesses
(CVE-2023-25012 bsc#1207560).
- commit 3c79258
- malidp: Fix NULL vs IS_ERR() checking (bsc#1208843
CVE-2023-23004).
- commit a8f9557
- Do not sign the vanilla kernel (bsc#1209008).
- commit cee4d89
- rpm/group-source-files.pl: Deal with {pre,post}fixed / in location
When the source file location provided with -L is either prefixed or
postfixed with forward slash, the script get stuck in a infinite loop
inside calc_dirs() where $path is an empty string.
user@localhost:/tmp> perl "$HOME/group-source-files.pl" -D devel.files -N nondevel.files -L /usr/src/linux-5.14.21-150500.41/
...
path = /usr/src/linux-5.14.21-150500.41/Documentation/Kconfig
path = /usr/src/linux-5.14.21-150500.41/Documentation
path = /usr/src/linux-5.14.21-150500.41
path = /usr/src
path = /usr
path =
path =
path =
... # Stuck in an infinite loop
This workarounds the issue by breaking out the loop once path is an
empty string. For a proper fix we'd want something that
filesystem-aware, but this workaround should be enough for the rare
occation that this script is ran manually.
Link: http://mailman.suse.de/mlarch/SuSE/kernel/2023/kernel.2023.03/msg00024.html
- commit 6d65136
- media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
(CVE-2023-1118 bsc#1208837).
- phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node
function (CVE-2023-23000 bsc#1208816).
- commit 52c897a
- Update kabi files.
- update from February 2023 maintenance update submission (commit cf7bcbf80b21)
- commit 806d304
- net/mlx5: DR, Fix NULL vs IS_ERR checking in
dr_domain_init_resources (bsc#1208845 CVE-2023-23006).
- commit 14082ec
- mm/slub: fix panic in slab_alloc_node() (bsc#1208023).
- commit a2a4dfd
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
When -b is specified the script is prefixed with KMP_NEEDS_MKINITRD=1
which sets the variable for a simple command.
However, the script is no longer a simple command. Export the variable
instead.
- commit 152a069
- README.BRANCH: Update
Relieve Ivan Ivanov of his duties as branch maintainer as I am back.
- commit 1da55f1
- nfsd: fix use-after-free due to delegation race (bsc#1208813).
- commit fbfa8c0
- usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
dwc3_qcom_acpi_register_core (bsc#1208741 CVE-2023-22995).
- commit 7a31d48
- net: mpls: fix stale pointer if allocation fails during device
rename (bsc#1208700 CVE-2023-26545).
- commit 18d9ec7
- x86/mm: Randomize per-cpu entry area (bsc#1207845
CVE-2023-0597).
- commit 3a695c7
- vmxnet3: move rss code block under eop descriptor (bsc#1208212).
- commit 75a9324
- usb: rndis_host: Secure rndis_query check against int overflow
(CVE-2023-23559 bsc#1207051).
- commit d9a137b
- net: mana: Assign interrupts to CPUs based on NUMA nodes
(bsc#1208153).
- Refresh
patches.suse/net-mana-Fix-IRQ-name-add-PCI-and-queue-number.patch.
- commit c025791
- net: mana: Fix accessing freed irq affinity_hint (bsc#1208153).
- genirq: Provide new interfaces for affinity hints (bsc#1208153).
- commit 7604d76
- drm/vmwgfx: Avoid NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331 CVE-2022-38096)
- commit 1f21d95
- module: Don't wait for GOING modules (bsc#1196058, bsc#1186449,
bsc#1204356, bsc#1204662).
- commit 63bdffb
- drm/vmwgfx: Validate the box size for the snooped cursor (bsc#1203332 CVE-2022-36280)
- commit f246cad
- net: mana: Fix IRQ name - add PCI and queue number
(bsc#1207875).
- commit 56af148
- x86/bugs: Flush IBP in ib_prctl_set() (bsc#1207773
CVE-2023-0045).
- commit baf6bec
- net: sched: fix race condition in qdisc_graft() (CVE-2023-0590
bsc#1207795).
- net_sched: add __rcu annotation to netdev->qdisc (CVE-2023-0590
bsc#1207795).
- commit c6f042b
- RDMA/core: Fix ib block iterator counter overflow (bsc#1207878).
- commit 49fdc06
- Refresh
patches.suse/sctp-fail-if-no-bound-addresses-can-be-used-for-a-gi.patch.
Updated patch-mainline tag.
- commit 09132d9
- mm: /proc/pid/smaps_rollup: fix no vma's null-deref
(bsc#1207769).
- commit be9727c
- sctp: fail if no bound addresses can be used for a given scope
(bsc#1206677).
- commit dcee4fd
- HID: check empty report_list in hid_validate_values()
(git-fixes, bsc#1206784).
- commit 028641d
- HID: check empty report_list in bigben_probe() (git-fixes,
bsc#1206784).
- commit c479b33
- HID: betop: check shape of output reports (git-fixes,
bsc#1207186).
- commit f6860d6
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent
UAF (CVE-2023-0266 bsc#1207134).
- commit 9014493
- net: sched: disallow noqueue for qdisc classes (bsc#1207237
CVE-2022-47929).
- commit e015217
- ipv6: raw: Deduct extension header length in
rawv6_push_pending_frames (bsc#1207168).
- commit ad4a091
- rpm/mkspec-dtb: add riscv64 dtb-renesas subpackage
- commit 6020754
- Update
patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch
(bsc#1207036 CVE-2023-23454).
- commit 88c4e72
- Update
patches.suse/net-sched-atm-dont-intepret-cls-results-when-asked-t.patch
(bsc#1207125 CVE-2023-23455).
- commit e595908
- net: sched: atm: dont intepret cls results when asked to drop
(bsc#1207036).
- commit 49dc51c
- net: sched: cbq: dont intepret cls results when asked to drop
(bsc#1207036).
- commit 0726009
- README.BRANCH: Added myself as co-maintainer
And drop Oscars name.
- commit 0607a55
- ipv4: Handle attempt to delete multipath route when fib_info
contains an nh reference (bsc#1204171 CVE-2022-3435).
- commit d2a1bb2
- net: ipv4: fix route with nexthop object delete warning
(bsc#1204171 CVE-2022-3435).
- commit 51fb670
- rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs
This makes in-tree KMPs more consistent with externally built KMPs and
silences several rpmlint warnings.
- commit 02b7735
- rpm/check-for-config-changes: add OBJTOOL and FTRACE_MCOUNT_USE_*
Dummy gcc pretends to support -mrecord-mcount option but actual gcc on
ppc64le does not. Therefore ppc64le builds of 6.2-rc1 and later in OBS
enable FTRACE_MCOUNT_USE_OBJTOOL and OBJTOOL config options, resulting in
check failure.
As we already have FTRACE_MCOUNT_USE_CC and FTRACE_MCOUNT_USE_RECORDMCOUNT
in the exception list, replace them with a general pattern. And add OBJTOOL
as well.
- commit 887416f
- Refresh
patches.suse/NFS-Handle-missing-attributes-in-OPEN-reply.patch.
Update commit log to prevent patch and quilt from thinking it should apply the
example hunks and fail.
- commit f07faa0
- NFS: Handle missing attributes in OPEN reply (bsc#1203740).
- commit 839f5a1
- Fix kABI breakage in usb.h: struct usb_device:
hide new member (bsc#1206664 CVE-2022-4662).
- commit a53ec27
- USB: core: Prevent nested device-reset calls (bsc#1206664
CVE-2022-4662).
- commit 2d03a85
- drm: mali-dp: potential dereference of null pointer
(CVE-2022-3115 bsc#1206393).
- commit 9246c67
- wifi: wilc1000: validate pairwise and authentication suite
offsets (CVE-2022-47520 bsc#1206515).
- commit 10a48d9
- kabi/severities: ignore kABI change for meson driver fix (CVE-2022-3112 bsc#1206399)
- commit cecc04a
- media: meson: vdec: potential dereference of null pointer
(CVE-2022-3112 bsc#1206399).
- commit 32c7d25
- Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_reassemble_sdu (CVE-2022-3564 bsc#1206073).
- commit 5495793
- Refresh
patches.suse/0001-sctp-sysctl-make-extra-pointers-netns-aware.patch.
- commit 4e49af8
- sctp: sysctl: make extra pointers netns aware (bsc#1204760).
- commit 7d53506
- drm/amdkfd: Check for null pointer after calling kmemdup
(CVE-2022-3108 bsc#1206389 git-fixes).
- commit 7a9defd
- RDMA/uverbs: Check for null return of kmalloc_array
(CVE-2022-3105 bsc#1206398 git-fixes).
- commit 73b6bff
- Update
patches.suse/msft-hv-2553-hv_netvsc-Add-check-for-kvmalloc_array.patch
(CVE-2022-3107 bsc#1206395 git-fixes).
- commit cec1c7c
- proc: proc_skip_spaces() shouldn't think it is working on C
strings (CVE-2022-4378 bsc#1206207).
- proc: avoid integer type confusion in get_proc_long
(CVE-2022-4378 bsc#1206207).
- commit 1e50bbf
- ipv6: ping: fix wrong checksum for large frames (bsc#1203183).
- commit 5e83a2f
- blacklist.conf: (fbdev: smscufx: Fix several use-after-free bugs)
We do not build this driver in any config.
- commit bd81015
- xen/netback: don't call kfree_skb() with interrupts disabled
(bsc#1206114, XSA-424, CVE-2022-42328, CVE-2022-42329).
- commit 18b6c2b
- xen/netback: Ensure protocol headers don't fall in the
non-linear area (bsc#1206113, XSA-423, CVE-2022-3643).
- commit ef1bd8e
- kabi: sk_buff.scm_io_uring (bsc#1204228 CVE-2022-2602).
- commit 1cb9473
- io_uring/af_unix: defer registered files gc to io_uring release
(bsc#1204228 CVE-2022-2602).
- commit fee5862
- atm: idt77252: fix use-after-free bugs caused by tst_timer
(CVE-2022-3635 bsc#1204631).
- commit 81a86f3
- Move upstreamed i915 patch into sorted section
- commit 4f7c541
- Add support for enabling livepatching related packages on -RT (jsc#PED-1706)
- commit 9d41244
- drm/i915: fix TLB invalidation for Gen12 video and compute
engines (CVE-2022-4139 bsc#1205700).
- commit 58aaa10
- Refresh patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch (CVE-2022-3424 bsc#1204166)
Taken from v10 patch in char-misc subsystem tree
- commit 09cd28d
- HID: roccat: Fix use-after-free in roccat_read() (bsc#1203960
CVE-2022-41850).
- commit 3bef7b9
- Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() (git-fixes).
- Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work() (git-fixes).
- v3 of "PCI: hv: Only reuse existing IRTE allocation for Multi-MSI"
- commit 4274faa
- Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934 bsc#1205796).
- commit 9a43bb4
- l2tp: Serialize access to sk_user_data with sk_callback_lock
(bsc#1205711 CVE-2022-4129).
- commit add2103
- net: fix a concurrency bug in l2tp_tunnel_register()
(bsc#1205711 CVE-2022-4129).
- commit ced1fd6
- Bluetooth: L2CAP: Fix attempting to access uninitialized memory
(CVE-2022-42895 bsc#1205705).
- Bluetooth: L2CAP: Fix accepting connection request for invalid
SPSM (CVE-2022-42896 bsc#1205709).
- commit fc4b67c
- drivers: net: slip: fix NPD bug in sl_tx_timeout() (bsc#1205671
CVE-2022-41858).
- commit dd6f85a
- NFSD: Cap rsize_bop result based on send buffer size
(bsc#1205128 CVE-2022-43945).
- NFSD: Protect against send buffer overflow in NFSv3 READ
(bsc#1205128 CVE-2022-43945).
- NFSD: Protect against send buffer overflow in NFSv2 READ
(bsc#1205128 CVE-2022-43945).
- NFSD: Protect against send buffer overflow in NFSv3 READDIR
(bsc#1205128 CVE-2022-43945).
- NFSD: Protect against send buffer overflow in NFSv2 READDIR
(bsc#1205128 CVE-2022-43945).
- commit e93318a
- add another bug reference to some hyperv changes (bsc#1205617).
- commit 8dea780
- staging: rtl8712: fix use after free bugs (CVE-2022-4095
bsc#1205514).
- commit d8c38e0
- ipv6: Fix data races around sk->sk_prot (bsc#1204414
CVE-2022-3567).
- commit 12fec90
- ipv6: annotate some data-races around sk->sk_prot (bsc#1204414
CVE-2022-3567).
- commit 3b01230
- x86/speculation: Disable RRSBA behavior (bsc#1201455
CVE-2022-28693).
- commit 1c08940
- Move upstreamed fbdev fix into sorted section
- commit c2656f7
- x86/cpu: Restore AMD's DE_CFG MSR after resume (bsc#1205473).
- commit 84f9a38
- PCI: hv: Only reuse existing IRTE allocation for Multi-MSI (bsc#1200845).
- PCI: hv: Fix the definition of vector in hv_compose_msi_msg() (bsc#1200845).
- hv_netvsc: Fix race between VF offering and VF association message from host (bsc#1204850).
- scsi: storvsc: Drop DID_TARGET_FAILURE use (git-fixes).
- scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq (git-fixes).
- PCI: hv: Fix synchronization between channel callback and hv_pci_bus_exit() (bsc#1204017).
- PCI: hv: Add validation for untrusted Hyper-V values (bsc#1204017).
- PCI: hv: Fix interrupt mapping for multi-MSI (bsc#1200845).
- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (bsc#1200845).
- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (bsc#1200845).
- PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() (bsc#1204017, bsc#1203860).
- Drivers: hv: vmbus: Introduce {lock,unlock}_requestor() (bsc#1204017).
- Drivers: hv: vmbus: Introduce vmbus_request_addr_match() (bsc#1204017).
- Drivers: hv: vmbus: Introduce vmbus_sendpacket_getid() (bsc#1204017).
- PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening (bsc#1204017).
- Drivers: hv: vmbus: Fix handling of messages with transaction ID of zero (bsc#1204017).
- PCI: hv: Fix multi-MSI to allow more than one MSI vector (bsc#1200845).
- Drivers: hv: vmbus: Add VMbus IMC device to unsupported list (git-fixes).
- hv_netvsc: Fix potential dereference of NULL pointer (bsc#1204017).
- hv_netvsc: Print value of invalid ID in netvsc_send_{completion,tx_complete}() (bsc#1204017).
- net: hyperv: remove use of bpf_op_t (git-fixes).
- Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb() (bsc#1204017).
- Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer (git-fixes).
- Drivers: hv: vmbus: Fix potential crash on module unload (git-fixes).
- net: netvsc: remove break after return (git-fixes).
- x86/hyperv: Output host build info as normal Windows version number (git-fixes).
- hv_netvsc: Add check for kvmalloc_array (git-fixes).
- PCI: hv: Fix NUMA node assignment when kernel boots with custom NUMA topology (bsc#1199365).
- PCI: hv: Use PCI_ERROR_RESPONSE to identify config read errors (bsc#1204446).
- PCI: hv: Make the code arch neutral by adding arch specific interfaces (bsc#1200845).
- PCI: hv: Remove unnecessary use of %hx (bsc#1204446).
- hv_netvsc: use netif_is_bond_master() instead of open code (git-fixes).
- scsi: storvsc: Fix validation for unsolicited incoming packets (bsc#1204017).
- PCI: hv: Fix sleep while in non-sleep context when removing child devices from the bus (bsc#1204446).
- PCI: hv: Support for create interrupt v3 (bsc#1204446).
- PCI: hv: Remove bus device removal unused refcount/functions (bsc#1204446).
- PCI: hv: Fix a race condition when removing the device (bsc#1204446).
- PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv() (bsc#1204446).
- scsi: storvsc: Use blk_mq_unique_tag() to generate requestIDs (bsc#1204017).
- PCI: hv: Drop msi_controller structure (bsc#1204446).
- hv_netvsc: Add error handling while switching data path (bsc#1204850).
- Drivers: hv: vmbus: Drop error message when 'No request id available' (bsc#1204017).
- scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback() (bsc#1204017).
- scsi: storvsc: Resolve data race in storvsc_probe() (bsc#1204017).
- scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and newer (bsc#1204017).
- hv_netvsc: Process NETDEV_GOING_DOWN on VF hot remove (bsc#1204850).
- hv_netvsc: Wait for completion on request SWITCH_DATA_PATH (bsc#1204017).
- hv_netvsc: Check VF datapath when sending traffic to VF (bsc#1204017).
- hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive() (bsc#1204017).
- hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening (bsc#1204017).
- scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening (bsc#1204017).
- Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening (bsc#1204017).
- Revert "scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()" (bsc#1204017).
- scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback() (bsc#1204017).
- Drivers: hv: vmbus: Allow cleanup of VMBUS_CONNECT_CPU if disconnected (bsc#1204017).
- PCI: hv: Fix hibernation in case interrupts are not re-created (bsc#1204446).
- Drivers: hv: vmbus: Move __vmbus_open() (bsc#1204017).
- hv_netvsc: Add validation for untrusted Hyper-V values (bsc#1204017).
- hv_netvsc: Cache the current data path to avoid duplicate call and message (bsc#1204017).
- hv_netvsc: Switch the data path at the right time during hibernation (bsc#1204850).
- hv_netvsc: Fix hibernation for mlx5 VF driver (bsc#1204850).
- PCI: hv: Use struct_size() helper (bsc#1204446).
- PCI: hv: Prepare hv_compose_msi_msg() for the VMBus-channel-interrupt-to-vCPU reassignment functionality (bsc#1204017).
- Drivers: hv: vmbus: Use a spin lock for synchronizing channel scheduling vs. channel removal (bsc#1204017).
- Drivers: hv: vmbus: Replace the per-CPU channel lists with a global array of channels (bsc#1204017).
- Drivers: hv: vmbus: Don't bind the offer&rescind works to a specific CPU (bsc#1204017).
- Drivers: hv: vmbus: Always handle the VMBus messages on CPU0 (bsc#1204017).
- hv_netvsc: Remove unnecessary round_up for recv_completion_cnt (bsc#1204017).
- PCI: hv: Add hibernation support (bsc#1204446).
- hv_netvsc: Add the support of hibernation (bsc#1204017).
- commit 3857f38
- netfilter: nfnetlink_osf: fix possible bogus match in
nf_osf_find() (bsc#1204614).
- commit e9ccbaa
- media: mceusb: Use new usb_control_msg_*() routines
(CVE-2022-3903 bsc#1205220).
- media: mceusb: fix control-message timeouts (CVE-2022-3903
bsc#1205220).
- USB: core: return -EREMOTEIO on short usb_control_msg_recv()
(CVE-2022-3903 bsc#1205220).
- USB: correct API of usb_control_msg_send/recv (CVE-2022-3903
bsc#1205220).
- USB: core: message.c: use usb_control_msg_send() in a few places
(CVE-2022-3903 bsc#1205220).
- USB: add usb_control_msg_send() and usb_control_msg_recv()
(CVE-2022-3903 bsc#1205220).
- USB: move snd_usb_pipe_sanity_check into the USB core
(CVE-2022-3903 bsc#1205220).
- commit 575009a
- drm/i915/gvt: fix double free bug in split_2MB_gtt_entry (bsc#1204780, CVE-2022-3707)
- commit 1da3c8a
- rpm/check-for-config-changes: add TOOLCHAIN_HAS_* to IGNORED_CONFIGS_RE
This new form was added in commit b8c86872d1dc (riscv: fix detection of
toolchain Zicbom support).
- commit e9f2ba6
- Add suse-kernel-rpm-scriptlets to kmp buildreqs (boo#1205149)
- commit 888e01e
- Update patch references to
patches.suse/0001-floppy-disable-FDRAWCMD-by-default.patch
(bsc#1200692 CVE-2022-33981).
- commit 2a514c4
- wifi: brcmfmac: Fix potential buffer overflow in
brcmf_fweh_event_worker() (CVE-2022-3628 bsc#1204868).
- commit c0bd14a
- Move upstreamed WiFi fix into sorted section
- commit 475a9c7
- Refresh
patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch.
Fix the following compiler warning:
* unused-label (out) in ../mm/hugetlb.c in follow_huge_pmd_pte
../mm/hugetlb.c: In function 'follow_huge_pmd_pte':
../mm/hugetlb.c:5047:1: warning: label 'out' defined but not used [-Wunused-label]
- commit 183ca2c
- Fix build warning
Refreshed:
patches.suse/mm-hugetlb-fix-races-when-looking-up-a-CONT-PTE-PMD-.patch
- commit ca5cb24
- Add CVE reference to
patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
(bsc#1196018 CVE-2022-28748 CVE-2022-2964).
- commit 94992c9
- mm/hugetlb: fix races when looking up a CONT-PTE/PMD size
hugetlb page (bsc#1204575).
- commit 06c4f04
- fs: move S_ISGID stripping into the vfs_*() helpers (bsc#1198702
CVE-2021-4037).
- commit 2f39bf9
- fs: Add missing umask strip in vfs_tmpfile (bsc#1198702
CVE-2021-4037).
- commit ab394e7
- fs: add mode_strip_sgid() helper (bsc#1198702 CVE-2021-4037).
- commit 536e02f
- usb: mon: make mmapped memory read only (bsc#1204653
CVE-2022-43750).
- commit 1f646df
- devlink: Fix use-after-free after a failed reload (bsc#1204637
CVE-2022-3625).
- commit 3567978
- net: mvpp2: fix mvpp2 debugfs leak (bsc#1204417 CVE-2022-3535).
- bnx2x: fix potential memory leak in bnx2x_tpa_stop()
(bsc#1204402 CVE-2022-3542).
- nfp: fix use-after-free in area_cache_get() (bsc#1204415
CVE-2022-3545).
- commit 9a28d9e
- nilfs2: fix leak of nilfs_root in case of writer thread creation
failure (CVE-2022-3646 bsc#1204646).
- nilfs2: fix use-after-free bug of struct nilfs_root
(CVE-2022-3649 bsc#1204647).
- vsock: Fix memory leak in vsock_connect() (CVE-2022-3629
bsc#1204635).
- commit 772e9a5
- xfs: reserve data and rt quota at the same time (bsc#1203496).
- commit 8fe980b
- KVM: x86: do not report a vCPU as preempted outside instruction
boundaries (bsc#1203066 CVE-2022-39189).
- commit 89982eb
- nilfs2: fix NULL pointer dereference at
nilfs_bmap_lookup_at_level() (CVE-2022-3621 bsc#1204574).
- commit df5c951
- r8152: Rate limit overflow messages (CVE-2022-3594 bsc#1204479).
- commit 488dede
- HID: bigben: fix slab-out-of-bounds Write in bigben_probe
(CVE-2022-3577 bsc#1204470).
- commit e57339b
- kcm: avoid potential race in kcm_tx_work (bsc#1204355
CVE-2022-3521).
- commit d2eeccc
- tcp/udp: Fix memory leak in ipv6_renew_options() (bsc#1204354
CVE-2022-3524).
- commit ec8a71d
- Update metadata references
- commit 6d888aa
- sch_sfb: Also store skb len before calling child enqueue
(CVE-2022-3586 bsc#1204439).
- sch_sfb: Don't assume the skb is still around after enqueueing
to child (CVE-2022-3586 bsc#1204439).
- commit bbd433f
- mISDN: fix use-after-free bugs in l1oip timer handlers
(CVE-2022-3565 bsc#1204431).
- commit 1917bcf
- rpm/check-for-config-changes: loosen pattern for AS_HAS_*
This is needed to handle CONFIG_AS_HAS_NON_CONST_LEB128.
- commit bdc0bf7
- Move upstreamed WiFi fixes into sorted section
- commit 05342a3
- reenable patch "net: mana: Add the Linux MANA PF driver"
- commit f42bea3
- remove patch "net: mana: Add support of XDP_REDIRECT action"
It does not compile due to missing APIs in the base kernel.
- commit 711a9e3
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit 4edbaf4
- kABI: fix kABI after "KVM: Add infrastructure and macro to mark
VM as bugged" (bsc#1200788 CVE-2022-2153).
- commit 1ddb693
- KVM: Add infrastructure and macro to mark VM as bugged
(bsc#1200788 CVE-2022-2153).
- commit 07862de
- KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't
activated (bsc#1200788 CVE-2022-2153).
- commit 8712ddf
- KVM: x86: hyper-v: disallow configuring SynIC timers with no
SynIC (bsc#1200788 CVE-2022-2153).
- commit 75749d4
- KVM: x86: Avoid theoretical NULL pointer dereference in
kvm_irq_delivery_to_apic_fast() (bsc#1200788 CVE-2022-2153).
- commit f23b172
- KVM: x86: Check lapic_in_kernel() before attempting to set a
SynIC irq (bsc#1200788 CVE-2022-2153).
- commit e02caef
- io_uring: disable polling signalfd pollfree files (CVE-2022-3176
bsc#1203391).
- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CVE-2022-2978
bsc#1202700).
- commit 8c7541d
- Update
patches.suse/mm-rmap-Fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch
(CVE-2022-42703, bsc#1204168, git-fixes, bsc#1203098).
- commit 15fe693
- misc: sgi-gru: fix use-after-free error in
gru_set_context_option, gru_fault and gru_handle_user_call_os
(CVE-2022-3424 bsc#1204166).
- commit 721c580
- containerd
-
- Update to containerd v1.7.8. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.8> bsc#1200528
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.7. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
+ 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
Kubernetes packages
- Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.21> bsc#1211578
- Require a minimum Go version explicitly rather than using golang(API).
Fixes the change for bsc#1210298.
[ This was only released in SLE. ]
- unversion to golang requires to always use the current default go.
(bsc#1210298)
- Update to containerd v1.6.20 for Docker v23.0.4-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.20>
- Update to containerd v1.6.19 for Docker v23.0.2-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.19>
Includes fixes for:
- CVE-2023-25153 bsc#1208423
- CVE-2023-25173 bsc#1208426
- Re-build containerd to use updated golang-packaging. jsc#1342
- Update to containerd v1.6.16 for Docker v23.0.1-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.16>
- Update to containerd v1.6.12 to fix CVE-2022-23471 bsc#1206235. Upstream
release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.12>
- Update to containerd v1.6.11. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.11>
- Update to containerd v1.6.9 for Docker v20.10.21-ce. Also includes a fix for
CVE-2022-27191. boo#1206065 bsc#1197284 Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.9>
- add devel subpackage, which is needed by open-vm-tools
- crash
-
- Enable the kmp-rt for SLERT15 SP2
- Updating crash from 15 SP2 version to 15 SP3 version (bsc#1206328)
- Fix build on ppc64 - it needs full TOC as much as ppc64le.
- crmsh
-
- Update to version 4.3.1+20230424.76f78edb:
* Fix: help: Long time to load and parse crm.8.adoc (bsc#1210198)
- Update to version 4.3.1+20221230.4c344416:
* Fix: report: Catch read exception (bsc#1206606)
- Update to version 4.3.1+20221205.3e7b59aa:
* Fix: pacemaker: As a workaroud, use getchildren instead of xpath to avoid segfault (bsc#1204565)
* Fix: qdevice: Adjust SBD_WATCHDOG_TIMEOUT when configuring qdevice not using stage (bsc#1205727)
* Fix: bootstrap: Use crmsh.parallax instead of parallax module directly (bsc#1202006)
* Dev: bootstrap: Don't sync csync2 when peer node's csync2 service not ready
- samba
-
- secure channel faulty since Windows 10/11 update 07/2023;
(bso#15418); (bsc#1213384).
- CVE-2022-2127: lm_resp_len not checked properly in
winbindd_pam_auth_crap_send; (bso#15072); (bsc#1213174).
- CVE-2023-0922: Samba AD DC admin tool samba-tool sends passwords
in cleartext; (bsc#1209481); (bso#15315);
- CVE-2021-20251: samba: Bad password count not incremented
atomically; (bso#14611); (bsc#1206546).
- CVE-2022-38023: RC4/HMAC-MD5 NetLogon Secure Channel is weak
and should be avoided; (bso#15240); (bsc#1206504);
- CVE-2022-37966: Warn about 'kerberos encryption types = legacy'
option which would force RC4-HMAC as a client even if the server
supports AES; (bso#15237); (bsc#1205385);
- cups
-
- cups-2.2.7-CVE-2023-4504.patch fixes CVE-2023-4504
"CUPS PostScript Parsing Heap Overflow"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
bsc#1215204
- cups-2.2.7-CVE-2023-32360.patch fixes CVE-2023-32360
"Information leak through Cups-Get-Document operation"
by requiring authentication for CUPS-Get-Document in cupsd.conf
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
bsc#1214254
- cups-2.2.7-additional_policies.patch is an updated version
of cups-2.0.3-additional_policies.patch that replaces it
to add the 'allowallforanybody' policy to cupsd.conf
after cups-2.2.7-CVE-2023-32360.patch was applied
- cups-2.2.7-CVE-2023-34241.patch fixes CVE-2023-34241
"use-after-free in cupsdAcceptClient()"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
bsc#1212230
- cups-2.2.7-CVE-2023-32324.patch fixes CVE-2023-32324
"Heap buffer overflow in cupsd"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
bsc#1211643
- 0001-cups-dests.c-cupsGetNamedDest-set-IPP_STATUS_ERROR_N.patch
improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error
that fixes bsc#1191467, bsc#1198932:
"lpr reports 'No such file or directory' for missing catalogue files"
"/usr/bin/lpr: No such file or directory"
- after-network_target-sssd_service.patch
is derived from https://github.com/apple/cups/issues/5550 with its
https://github.com/apple/cups/commit/aaebca5660fdd7f7b6f30461f0788d91ef6e2fee
and SUSE PTF:24471 cups.SUSE_SLE-15_Update cups-2.2.7-wait-for-network.patch
to add "After=network.target sssd.service" to the systemd unit
source files cupsd.service.in and cups.cups-lpdAT.service.in
to fix bsc#1201234, bsc#1200321:
"Missing network dependency in systemd unit for cups-2.2.7"
"CUPS may not always start if sssd is in use"
- cups-branch-2.2-commit-876fdc1c90a885a58644c8757bc1283c9fd5bcb7.diff
is https://github.com/OpenPrinting/cups/commit/876fdc1c90a885a58644c8757bc1283c9fd5bcb7
which belongs to https://github.com/OpenPrinting/cups/issues/308
that fixes bsc#1191525, bsc#1203446:
"Print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable)"
"/usr/bin/lpr: Error - The printer or class does not exist."
- curl
-
- Security fixes:
* [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
* Add patches:
- curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch
- curl-CVE-2023-46218.patch
- Security fix: [bsc#1215889, CVE-2023-38546]
* Cookie injection with none file
* Add curl-CVE-2023-38546.patch
- Security fixes:
* [bsc#1211231, CVE-2023-28320] siglongjmp race condition
- Add curl-CVE-2023-28320.patch
* [bsc#1211232, CVE-2023-28321] IDN wildcard matching
- Add curl-CVE-2023-28321.patch [bsc#1211339]
* [bsc#1211233, CVE-2023-28322] POST-after-PUT confusion
- Add curl-CVE-2023-28322.patch
- Security fixes:
* [bsc#1209209, CVE-2023-27533] TELNET option IAC injection
Add curl-CVE-2023-27533-no-sscanf.patch curl-CVE-2023-27533.patch
* [bsc#1209210, CVE-2023-27534] SFTP path ~ resolving discrepancy
Add curl-CVE-2023-27534.patch curl-CVE-2023-27534-dynbuf.patch
* [bsc#1209211, CVE-2023-27535] FTP too eager connection reuse
Add curl-CVE-2023-27535.patch
* [bsc#1209212, CVE-2023-27536] GSS delegation too eager connection re-use
Add curl-CVE-2023-27536.patch
* [bsc#1209214, CVE-2023-27538] SSH connection too eager reuse still
Add curl-CVE-2023-27538.patch
- Security Fix: [bsc#1207992, CVE-2023-23916]
* HTTP multi-header compression denial of service
* Add curl-CVE-2023-23916.patch
- Security Fix: [bsc#1206309, CVE-2022-43552]
* HTTP Proxy deny use-after-free
* Add curl-CVE-2022-43552.patch
- dbus-1
-
- Sometimes unprivileged users were able to crash dbus-daemon
(CVE-2023-34969, bsc#1212126)
* fix-upstream-CVE-2023-34969.patch
- lvm2
-
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
+ bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch
- killed lvmlockd doesn't clear/adopt locks leading to inability to start volume group (bsc#1203216)
- bug-1203216_lvmlockd-purge-the-lock-resources-left-in-previous-l.patch
- dracut-initqueue timeouts with 5.3.18-150300.59.63 kernel on ppc64le (bsc#1199074)
- in lvm2.spec, change device_mapper_version from 1.02.163 to %{lvm2_version}_1.02.163
- lvm2.spec %post deletes libdevmapper and triggers kernel panic (bsc#1198523)
- change %post behaviour, only do deleting job for non-link folder
- dhcp
-
- bsc#1203988, CVE-2022-2928, dhcp-CVE-2022-2928.patch:
An option refcount overflow exists in dhcpd
- bsc#1203989, CVE-2022-2929, dhcp-CVE-2022-2929.patch:
DHCP memory leak
- dmidecode
-
- use-read_file-to-read-from-dump.patch: Fix an old harmless bug
which would prevent root from using the --from-dump option since
the latest security fixes (bsc#1210418).
Security fixes (CVE-2023-30630)
- dmidecode-split-table-fetching-from-decoding.patch: dmidecode:
Clean up function dmi_table so that it does only one thing
(bsc#1210418).
- dmidecode-write-the-whole-dump-file-at-once.patch: When option
- -dump-bin is used, write the whole dump file at once, instead of
opening and closing the file separately for the table and then
for the entry point (bsc#1210418).
- dmidecode-do-not-let-dump-bin-overwrite-an-existing-file.patch:
Make sure that the file passed to option --dump-bin does not
already exist (bsc#1210418).
- ensure-dev-mem-is-a-character-device-file.patch: Add a safety
check on the type of the mem device file we are asked to read
from, if we are root (bsc#1210418).
3 recommended fixes from upstream:
- dmidecode-fortify-entry-point-length-checks.patch: Ensure that
the SMBIOS entry point is long enough to include all the fields
we need.
- dmidecode-fix-the-alignment-of-type-25-name.patch: Drop a stray
tabulation before the name of DMI record type 25.
- dmidecode-print-type-33-name-unconditionally.patch: Display the
name of DMI record type 33 even if we can't decode it.
- docker
-
- update to Docker 24.0.5-ce. See upstream changelong online at
<https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
- Update to Docker 24.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500
- Update to Docker 24.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Recommend docker-rootless-extras instead of Require(ing) it, given
it's an additional functionality and not inherently required for
docker to function.
- Add docker-rootless-extras subpackage
(https://docs.docker.com/engine/security/rootless)
- Update to Docker 24.0.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
* Includes the upstreamed fix for the mount table pollution issue.
bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as
being provided by this package.
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
(the uapi headers in SLE-12 are too old).
+ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
- 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`
- Update to Docker 23.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Fixes:
* bsc#1214107 - CVE-2023-28840
* bsc#1214108 - CVE-2023-28841
* bsc#1214109 - CVE-2023-28842
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
- 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
built without internet access in OBS.
+ cli-0001-docs-include-required-tools-in-source-tree.patch
- update to 20.10.23-ce.
* see upstream changelog at https://docs.docker.com/engine/release-notes/#201023
- drop kubic flavor as kubic is EOL. this removes:
kubelet.env docker-kubic-service.conf 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
- Update to Docker 20.10.21-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
bsc#1205375 CVE-2022-36109
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
* 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
preparation for removing the feature). This feature was never meant to be
used by users directly (and is only available in the -kubic/CaaSP version of
the package anyway) and thus should not affect any users.
- Fix wrong After: in docker.service, fixes bsc#1188447
- Add apparmor-parser as a Recommends to make sure that most users will end up
with it installed even if they are primarily running SELinux.
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser.
- Change to using systemd-sysusers
- Backport <https://github.com/containerd/fifo/pull/32> to fix a crash-on-start
issue with dockerd. bsc#1200022
+ 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- dracut
-
- Update to version 049.1+suse.257.gf94c3fd1:
* fix(udev-rules): Correct network device naming (bsc#1192986)
- Update to version 049.1+suse.255.g19bd61fd:
* fix(dracut.sh): exit if resolving executable dependencies fails (bsc#1214081)
- Update to version 049.1+suse.253.g1008bf13:
* fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
- Update to version 049.1+suse.251.g0b8dad5:
* fix(dracut.sh): omission is an addition to other omissions in conf files (bsc#1208929)
* fix(nfs): chown using rpc default group (bsc#1204929)
- Update to version 049.1+suse.247.gfb7df05c:
* fix(systemd): add missing modprobe@.service (bsc#1203749)
* fix(i18n): do not fail if FONT in /etc/vconsole.conf has the file extension (bsc#1203267)
* fix(drm): consider also drm_dev_register when looking for gpu driver (bsc#1195618)
* fix(integrity): do not display any error if there is no IMA certificate (bsc#1187654)
- expat
-
- Security fix:
* (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
destruction of a shared DTD in XML_ExternalEntityParserCreate in
out-of-memory situations
- Added patch expat-CVE-2022-43680.patch
- fonts-config
-
- get the homedir from getpwuid when no $ENV{"HOME"} set
- added patches
fix bsc#1210700
+ fonts-config-homedir-getpwuid.patch
- gawk
-
- format-tree-positional-arg.patch: Validate index into argument list
(CVE-2023-4156, bsc#1214025)
- glib2
-
- Update glib2-fix-normal-form-handling-in-gvariant.patch:
Backported from upstream to fix regression on s390x.
(bsc#1210135, glgo#GNOME/glib!2978)
- Add glib2-fix-normal-form-handling-in-gvariant.patch: Backported
from upstream to fix normal form handling in GVariant.
(CVE-2023-24593, CVE-2023-25180, bsc#1209714, bsc#1209713,
glgo#GNOME/glib!3125)
- glibc
-
- elf-test-have-protected-data.patch: Run vismain only if linker supports
protected data symbol (bsc#1215505)
- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)
- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
- gnutls
-
- Security Fix: [bsc#1208143, CVE-2023-0361]
* Bleichenbacher oracle in TLS RSA key exchange
* Add gnutls-CVE-2023-0361.patch
- Validate input when calling fmemopen() [bsc#1204511]
* Add gnutls-check-system_priority_buf-input.patch
- google-guest-agent
-
- Update to version 20230601.00 (bsc#1212418, bsc#1212759)
* Revert "Avoid conflict with automated package updates (#212)" (#214)
* Don't block google-osconfig-agent (#213)
- from version 20230531.00
* Avoid conflict with automated package updates (#212)
* Add a support of TrustedUserCAKeys into sshd configuration (#206)
- Update to version 20230510.00
* Fix dependencies after updating go ver to 1.17 (#211)
* Update Go version (#210)
- from version 20230426.00
* Fix compilation directives (#207)
- from version 20230403.00
* Mod update (#205)
* Update mod: update golang.org/x/net to
0.8.0 and its dependencies (#204)
- Bump go API version to 1.18 (bsc#1208723)
+ Address CVE-2021-38297 and CVE-2022-23806
- Update to version 20230221.00
* Allow a comment part of a pub ssh key to have an arbitrary format (#198)
+ Split GetUserKey() into two functions: get and validate
+ Correct the name of ValidateUser func as it validates only users
+ Update tests
* Update OWNERS (#201)
- from version 20230207.00
* Update OWNERS file (#199)
- Update to version 20230112.00
* Updating logging module so cloud logs are flushed prior to exit (#196)
* Windows: retry adding MDS route (#194)
- Update to version 20221109.00
* Validate user key for whitespace chars (#188)
- from version 20221107.00
* Fix typo with wsfc agent (#189)
- from version 20221104.00
* Updates to gce-workload-cert-refresh (#186)
- from version 20221025.00
* Add workload cert refresh to preset (#185)
- Update to version 20221018.00
* Write workload cert status file (#184)
- from version 20221017.00
* Update workload_cert permissions (#180)
- Update to version 20220927.00
* Workload certificate refresh (#182)
- Update to version 20220824.00
* Workload certs (#177)
- from version 20220823.00
* add members to OWNERS (#178)
* Expired key tests (#176)
* correct expired key handling (#175)
- avoid bashism in post-install scripts (bsc#1195391)
- google-guest-configs
-
- Update to version 20230808.00 (bsc#1214546, bsc#1214572)
* 64-gce-disk-removal.rules: delete (#51)
- from version 20230801.00
* Replace xxd with dd for google_nvme_id (#56)
- from version 20230729.00
* Setup irq binding for a3 8g vm (#57)
- from version 20230724.00
* Debian packaging: add xxd dependency (#55)
- Update to version 20230626.00 (bsc#1212418, bsc#1212759)
* Revert "Replace `xxd` to `cut` for google_nvme_id (#49)" (#54)
- Update to version 20230526.00
* dracut: Add a new dracut module for gcp udev rules (#53)
- from version 20230522.00
* src/lib/udev: only create symlinks for GCP devices (#52)
- from version 20230515.00
* Replace `xxd` to `cut` for google_nvme_id (#49)
- from version 20230328.00
* Set hostname: consider fully qualified static hostname (#46)
- Update to version 20230217.01
* Support multiple local SSD controllers (#39)
- from version 20230217.00
* Update OWNERS (#45)
- from version 20230215.00
* DHCP hostname: don't reset hostname if
the hostname hasn't changed (#44)
- from version 20230202.00
* Update OWNERS file (#43)
- from version 20230123.00
* Fix a repository URL in packaging specs (#41)
- Add nvme-cli to Requires (bsc#1204068, bsc#1204091)
- google-osconfig-agent
-
- Update to version 20230706.02 (bsc#1212418, bsc#1212759)
* Update go version in go.mod (#479)
- from version 20230706.01
* Fix condition to have 10 attempts rather than 11. (#477)
- from version 20230706.00
* Remove tests for Ubuntu 18.04 (EOL) (#476)
- from version 20230605.00
* Update old SLES images paths (#475)
- from version 20230602.00
* Adding what exit codes mean for OS Config policy (#474)
- from version 20230504.00
* Set DEBIAN_FRONTEND=noninteractive for apt-get (#472)
- from version 20230403.00
* Disable repos clean-up (#471)
- from version 20230330.00
* Revert "Call FQDN (#454)" (#470)
- from version 20230327.00
* support new format of zypper patch (#469)
* Fix comparing exec.Cmd in mock on Go1.20
- from version 20230316.00
* Remove old images from e2e tests image list
- from version 20230227.01
* Update dependencies (#466)
- from version 20230227.00
* Bump golang.org/x/sys from 0.0.0-20210923061019-b8560ed6a9b7 to 0.1.0 (#463)
- Bump go API version to 1.18 (bsc#1208723)
+ Address CVE-2021-38297 and CVE-2022-23806
- Update to version 20230222.00
* Remove Debian 9 from e2e tests image list (#460)
- from version 20230217.00
* Update OWNERS (#458)
- from version 20230208.00
* Fix the error in the `copy_file_from_bucket.yaml` example. (#456)
- from version 20230202.00
* Update owners file. (#455)
- from version 20230123.00
* Call FQDN (#454)
- Update to version 20221214.00
* Close clients that are not passed anywhere (#450)
- Update to version 20221013.01
* Don't print raw pointer data. (#446)
- from version 20221013.00
* Delete yum transaction files if created. (#445)
- Update to version 20220829.00
* Fix exclude packages field processing (#440)
- from version 20220824.00
* Check for exclusive patches. (#442)
- grub2
-
- Remove zfs modules (bsc#1205554)
* grub-remove-zfs-modules.patch
- Security fixes and hardenings
* 0001-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch
* 0002-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
- Fix CVE-2022-2601 (bsc#1205178)
* 0003-font-Fix-several-integer-overflows-in-grub_font_cons.patch
* 0004-font-Remove-grub_font_dup_glyph.patch
* 0005-font-Fix-integer-overflow-in-ensure_comb_space.patch
* 0006-font-Fix-integer-overflow-in-BMP-index.patch
* 0007-font-Fix-integer-underflow-in-binary-search-of-char-.patch
* 0008-fbutil-Fix-integer-overflow.patch
- Fix CVE-2022-3775 (bsc#1205182)
* 0009-font-Fix-an-integer-underflow-in-blit_comb.patch
* 0010-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch
* 0011-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
* 0012-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch
- Bump upstream SBAT generation to 3
- hawk2
-
- Update sass-ansible dependency in the hawk2.spec:
* Unable to activate sass-rails-5.1.0 (bsc#1208533)
- Update to version 2.6.4+git.1667244108.7a0cffe:
* Fix detection of partial upgrade (bsc#1196673,bsc#1203367)
* Improve handling of unmatched paths (bsc#1199258)
* Set HttpOnly by HAWK_COOKIE_HTTP_ONLY=true (bsc#1198647)
- ipmitool
-
- ipmitool duplicates the timestamp (bsc#1213390)
A Fix-time-format-for-sel-list-v.patch
- iputils
-
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch
(bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
- irqbalance
-
- Last changes log was wrong, this part has been added to SP4
changes but were missing in SP2/SP3 and are added now (bsc#1208717):
Fix segfault from previous update (bsc#1206668)
A Fix-uninitialized-variable.patch
- Fix segfault from previous update (bsc#1206668)
- Fix version - Maintainer forgot to increase version to 1.4.0
A fix_version_1_4_0
- Add mainline fixes (bnc#1204961):
The first 2 patches are cleanup patches which should not have any
functional change, but make life easier to backport the real fix.
All patches are mainline:
A Update-classify.c.patch
A irqbalance-properly-check-if-irq-is-banned.patch
A remove-unused-path-in-check_for_irq_ban.patch
- issue-generator
-
- Update to version 1.13
- SELinux: Do not call agetty --reload [bsc#1186178]
- Update to version 1.12
- Update manual page
- Use python3 instead of python 2.x
- Update to version 1.11
- Don't display issue.d/*.issue files, agetty will do that [bsc#1177891]
- Ignore /run/issue.d in issue-generator.path, else issue-generator will
be called too fast too often [bsc#1177865]
- Ignore *.bak, *~ and *.rpm* files [bsc#1118862]
- Handle the .path unit in scriptlets as well
- Update to version 1.10
- Display wlan interfaces [bsc#1169070]
- Update to version 1.9
- Fix path for systemd files
- Update to version 1.8
- Handle network interface renames
- java-1_8_0-ibm
-
- Update to Java 8.0 Service Refresh 8 Fix Pack 15:
* Oracle October 17 2023 CPU [bsc#1216640]
* IBM Security Update October 2023 [bsc#1216640]
* IBM Java idlj compiler switch definition because IBM java idlj
seems to confuse char and wchar for typedef types [bsc#1204264]
* Security fixes:
- [bsc#1216374, CVE-2023-22081] Enhanced TLS connections
- [bsc#1216379, CVE-2023-22067] IOR deserialization issue
in CORBA
- [bsc#1216339, CVE-2023-22025] Memory corruption issue on
x86_64 with AVX-512
- [bsc#1217214, CVE-2023-5676] Receiving a signal before
initialization may lead to an infinite loop or unexpected
crash.
* Defect Fixes:
- IJ47667 Class Libraries: Add/Edit property to write stdout/stderr
messages via file streams
- IJ48028 Class Libraries: IBM JAVA IDLJ COMPILER ENCOUNTER AMBIGUITY
BETWEEN CHAR AND WCHAR FOR TYPDEF TYPES
- IJ48844 Class Libraries: IMPROVE PERFORMANCE OF
JAVA.LANG.PACKAGE CLASS WHEN LOOKING UP CACHED PACKAGES
- IJ49091 Class Libraries: RFE: KERBEROS PRINCIPAL NAME
CANONICALIZATION AND CROSS-REALM REFERRALS (RFC 6806, SECTION 8)
- IJ47751 Java Virtual Machine: ASSERTION FAILURE AT
PARALLELSCAVENGETASK.CPP:120
- IJ48453 Security: IBMJCEPLUS/IBMJCEPLUSFIPS PROVIDERS, DURING
AESGCM, THROW AN INCORRECT ILLEGALSTATEEXCEPTION:CIPHER NOT
INITIALIZED
- IJ47691 Security: JGSS: HIGH MEMORY USE FROM LSACONNECTUNTRUSTED()
CALLS IN NATIVECREDS.DLL
- IJ48749 Security: KEYTOOL ERROR WHEN A KEYSTORE IS CREATED WITH
'-EXT EXTENDEDKEYUSAGE=SERVERAUTH'
- IJ49092 Security: RFE: KERBEROS PRINCIPAL NAME CANONICALIZATION
AND CROSS-REALM REFERRALS (RFC 6806, SECTION 8)
- IJ47941 Security: STRICT ENFORCEMENT OF RFC 5246 - TLS 1.2
SECTION 7.4.1.4.1. SIGNATURE ALGORITHMS
- PH55605 z/OS Extentions: ECDSA SIGNATURE SUPPORT FOR IBMJCEHYBRID
- PH55999 z/OS Extentions: JAVA8 - ENCOUNTERING -430 ON FUNCTION
DB2XML.HTTPGETCLOB
- PH56022 z/OS Extentions: TLSV1.3 SUPPORT USING RACF RSA HARDWARE
AND SOFTWARE KEYS WITH DIFFERENT SIGNING ALGORITHMS
- Update to Java 8.0 Service Refresh 8 Fix Pack 11
* Defect Fixes:
- IJ47696 Class Libraries: Code conversion issue for graphic
data type for the data ranging from 0x0040 and 0x0042 to 0x00f9
- IJ47427 JIT Compiler: Crash with adjacent malformed objects
- IJ47675 JIT Compiler: JAVA JIT: Divide by zero in
computeThreadCpuUtilOverLastNns()
- IJ48654 JIT Compiler: JAVA JIT: GC crash in doStackSlot()
on POWER10
- PH57123 z/OS Extentions: IBMPKCS11Impl fails to initialize
after customer migrated from z/OS 2.5 to z/OS 3.1
- IBM Security Update August 2023:
* [bsc#1214431, bsc#1213934, CVE-2022-40609]
* IBM SDK, Java Technology Edition could allow a remote attacker
to execute arbitrary code on the system, caused by an unsafe
deserialization flaw.
* Note that, this vulnerability was fixed in the already released
version 8.0.8.5 as reported in the IBM advisory, adding the
reference here.
- Update to Java 8.0 Service Refresh 8 Fix Pack 10 [bsc#1213541]
* Security fixes:
[bsc#1213475, CVE-2023-22041] [bsc#1213482, CVE-2023-22049]
[bsc#1213481, CVE-2023-22045] [bsc#1213479, CVE-2023-22044]
[bsc#1213474, CVE-2023-22036] [bsc#1207922, CVE-2023-25193]
[bsc#1213473, CVE-2023-22006]
- Update to Java 8.0 Service Refresh 8 Fix Pack 6 [bsc#1213000]
* Defect Fixes:
- Java Virtual Machine: outofmemory (OOM) killer terminates
the jvm due to failure in control groups detection.
- Update to Java 8.0 Service Refresh 8 Fix Pack 5 [bsc#1210826]
* Security Fixes:
- IJ46965 Class Libraries: [bsc#1210628, CVE-2023-21930]
- IJ46972 Class Libraries: [bsc#1210631, CVE-2023-21937]
- IJ46974 Class Libraries: [bsc#1210632, CVE-2023-21938]
- IJ46969 Class Libraries: [bsc#1210634, CVE-2023-21939]
- IJ46971 Class Libraries: [bsc#1210637, CVE-2023-21968]
- IJ47000 Java Virtual Machine: [bsc#1211615, CVE-2023-2597]
- IJ46967 Security: [bsc#1210636, CVE-2023-21967]
- Vulnerability in the Oracle Java SE, Oracle GraalVM
Enterprise Edition product of Oracle Java SE (component:
Hotspot). [bsc#1210635, CVE-2023-21954]
* Defect Fixes:
- IX90194 Java 8/Orb: ORB'S SOCKET TIMER THREAD HANGS IN COM.IBM.JSSE2
- IJ47092 Class Libraries: DEPRECATION OF RDMA
- IJ45888 Java Virtual Machine: ASSERTION FAILURE AT SCAVENGER.CPP
- IJ46813 Java Virtual Machine: JVM'S SIGUSR2 SIGNAL HANDLER
OVERWRITES NATIVE APP'S SIGUSR2 SIGNAL HANDLER
- IJ47094 Java Virtual Machine: FIX THE MISMATCHED FLAGS IN THE
STACKMAPS OF BYTECODE DURING THE BYTECODE VERIFICATION
- IJ45583 Java Virtual Machine: SOME CODE FOR IBM JAVA 8 COMPILED
WITH ARCH(10) ON Z/OS
- IJ46192 JIT Compiler: CRASH WHEN USING IBMJCEPLUS WITH BALANCED GC
- IJ45659 JIT Compiler: JAVA JIT: MISSING TYPE CHECKING ALLOWED
INVALID OBJECT FIELD ACCESSES
- IJ46620 Security: ADD NEW SUPPORT FOR RSAPSS SIGNATURES RECEIVED
BY CERTPATH WITHIN OCSP RESPONSES
- IJ45919 Security: DISABLE RSA KEY TRANSPORT CIPHER SUITES IN
FIPS 140-3 TECH PREVIEW
- IJ46173 Security: IBMJCEPLUS, IBMJCEPLUSFIPS PROVIDERS THROW AN
INCORRECT JAVA.SECURITY.SIGNATUREEXCEPTION
- IJ45883 Security: IBMJCEPLUSFIPS PROVIDER FAILS DURING SIGNATURE
OPERATIONS USING NON FIPS140-2 COMPLIANT EC KEYS.
- IJ45182 Security: IBMJCEPLUS PROVIDER FAILS IN RSAPSS DURING
SIGNATURE OPERATIONS RESULTING IN JAVA CORES.
- IJ46193 Security: SSLCONTEXT.GETINSTANCE FAILURES CAUSE
JAVA.LANG.EXCEPTIONININITIALIZERERROR
- IJ45599 Security: UPDATE IKEYMAN TO SUPPORT PBES2 AND OTHER MINOR
FIXES
- IJ45598 Security: UPDATE KDB FORMAT TO SUPPORT PBES2
- IJ45789 Security: -XVERIFY:ALL CAUSES FAILURE IN JSSE
- PH52970 z/OS Extentions: CHACHA20-POLY1305 CIPHER DECRYPTION CHUNK
UPDATE FIX
- PH52876 z/OS Extentions: RSA-PSS SIGNATURE SUPPORT FOR RSA HARDWARE
KEYS OVER TLSV1.3
- IBM Security Update April 2023: [bsc#1210711, CVE-2023-30441]
* The security vulnerability CVE-2023-30441 was fixed in version
8.0.7.15 as reported in the advisory, adding the reference here.
- Update to Java 8.0 Service Refresh 8: [bsc#1208480]
* Security fixes: [bsc#1207246, CVE-2023-21835]
[bsc#1207249, CVE-2023-21830] [bsc#1207248, CVE-2023-21843]
* New Features/Enhancements:
- Add RSA-PSS signature to IBMJCECCA.
* Defect Fixes:
- IJ45437 Service, Build, Packaging and Deliver: Getting
FIPSRUNTIMEEXCEPTION when calling java code:
MESSAGEDIGEST.GETINSTANCE("SHA256", "IBMJCEFIPS"); in MAC
- IJ45272 Class Libraries: Fix security vulnerability CVE-2023-21843
- IJ45280 Class Libraries: Update timezone information to the
latest TZDATA2022F
- IJ44896 Class Libraries: Update timezone information to the
latest TZDATA2022G
- IJ45436 Java Virtual Machine: Stack walking code gets into
endless loop, hanging the application
- IJ44079 Java Virtual Machine: When -DFILE.ENCODING is specified
multiple times on the same command line the first option takes
precedence instead of the last
- IJ44532 JIT Compiler: Java JIT: Crash in DECREFERENCECOUNT()
due to a NULL pointer
- IJ44596 JIT Compiler: Java JIT: Invalid hard-coding of static
final field object properties
- IJ44107 JIT Compiler: JIT publishes new object reference to other
threads without executing a memory flush
- IX90193 ORB: Fix security vulnerability CVE-2023-21830
- IJ44267 Security: 8273553: SSLENGINEIMPL.CLOSEINBOUND also has
similar error of JDK-8253368
- IJ45148 Security: code changes for tech preview
- IJ44621 Security: Computing Diffie-Hellman secret repeatedly,
using IBMJCEPLUS, causes a small memory leak
- IJ44172 Security: Disable SHA-1 signed jars for EA
- IJ44040 Security: Generating Diffie-Hellman key pairs repeatedly,
using IBMJCEPLUS, Causes a small memory leak
- IJ45200 Security: IBMJCEPLUS provider, during CHACHA20-POLY1305
crypto operations, incorrectly throws an ILLEGALSTATEEXCEPTION
- IJ45182 Security: IBMJCEPLUS provider fails in RSAPSS and ECDSA
during signature operations resulting in Java cores
- IJ45201 Security: IBMJCEPLUS provider failures (two) with AESGCM algorithm
- IJ45202 Security: KEYTOOL NPE if signing certificate does not contain
a SUBJECTKEYIDENTIFIER extension
- IJ44075 Security: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY()
method uses SHA1XXXX signature algorithms to match private and public keys
- IJ45203 Security: RSAPSS multiple names for KEYTYPE
- IJ43920 Security: The PKCS12 keystore update and the PBES2 support
- IJ40002 XML: Fix security vulnerability CVE-2022-21426
- IBM Security Update November 2022: [bsc#1205302, bsc#1204703]
* The security vulnerability CVE-2022-3676 was fixed in version
8.0.7.20, adding the reference here.
- Update to Java 8.0 Service Refresh 7 Fix Pack 20 [bsc#1205302]
[bsc#1204472, CVE-2022-21628] [bsc#1204471, CVE-2022-21626]
[bsc#1204468, CVE-2022-21618] [bsc#1204480, CVE-2022-39399]
[bsc#1204475, CVE-2022-21624] [bsc#1204473, CVE-2022-21619]
* Security:
- The IBM ORB Does Not Support Object-Serialisation Data Filtering
- Large Allocation In CipherSuite
- Avoid Evaluating Sslalgorithmconstraints Twice
- Cache The Results Of Constraint Checks
- An incorrect ShortBufferException is thrown by IBMJCEPlus,
IBMJCEPlusFIPS during cipher update operation
- Disable SHA-1 Signed Jars For Ea
- JSSE Performance Improvement
- Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption
* Java 8/Orb:
- Upgrade ibmcfw.jar To Version o2228.02
* Class Libraries:
- Crash In Libjsor.So During An Rdma Failover
- High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run
- Update Timezone Information To The Latest tzdata2022c
* Jit Compiler:
- Crash During JIT Compilation
- Incorrect JIT Optimization Of Java Code
- Incorrect Return From Class.isArray()
- Unexpected ClassCastException
- Performance Regression When Calling VM Helper Code On X86
* X/Os Extentions:
- Add RSA-OAEP Cipher Function To IBMJCECCA
- Update to Java 8.0 Service Refresh 7 Fix Pack 16
* Java Virtual Machine
- Assertion failure at ClassLoaderRememberedSet.cpp
- Assertion failure at StandardAccessBarrier.cpp when
- Xgc:concurrentScavenge is set.
- GC can have unflushed ownable synchronizer objects which
can eventually lead to heap corruption and failure when
- Xgc:concurrentScavenge is set.
* JIT Compiler:
- Incorrect JIT optimization of Java code
- JAVA JIT Power: JIT compile time assert on AIX or LINUXPPC
* Reliability and Serviceability:
- javacore with "kill -3" SIGQUIT signal freezes Java process
- Update to Java 8.0 Service Refresh 7 Fix Pack 15 [bsc#1202427]
[bsc#1201684, CVE-2022-34169] [bsc#1201692, CVE-2022-21541]
[bsc#1201685, CVE-2022-21549] [bsc#1201694, CVE-2022-21540]
* Correction: These CVEs have been fixed in version 8.0-7.15 and
not in 8.0-7.11 as mentioned in the previous changelog entry.
- javapackages-tools
-
- Added patches:
* 0005-Interpolate-properties-also-in-the-current-artifact.patch
+ interpolate variables also in current artifactId, groupId and
version
* 0006-Test-variable-expansion-in-artifactId.patch
+ test previous changes
* 0007-Test-that-we-don-t-bomb-on-relativePath.patch
+ test gracious handling of empty <relativePath/> in parent
reference of a pom file
- Added patch:
* 0004-Reproducible-builds-keep-order-of-aliases-and-depend.patch
+ make the aliases and dependencies lists so that the order is
kept
- Added patch:
* 0003-Reproducible-exclusions-order-in-maven-metadata.patch
+ sort exclusions in maven metadata
- Modified patch:
* 0001-Make-the-alias-generation-reproducible.patch ->
0001-Make-maven_depmap-order-of-aliases-reproducible.patch
+ replace by the version of patch integrated by upstream
- Added patch:
* 0002-Do-not-bomb-on-relativePath-construct.patch
+ integrated patch fixing parent recursion with empty
<relativePath/> element
- Upgrade to upstream version 6.2.0
* Întegrate our changes from javapackages-6.1.0-maven-depmap.patch
- Removed patch:
* javapackages-6.1.0-maven-depmap.patch
+ upstreamed
- Added patch:
* 0001-Make-the-alias-generation-reproducible.patch
+ separate patch for our reproducible changes that was not
part of the integrated pull request
- Modified patch:
* javapackages-6.1.0-maven-depmap.patch
+ try to make the list of aliases more reproducible
- Enable the tests also for older distributions
- Require python3-xml (python-xml for distributions that use
versioned modules), since module xml needed by some scripts.
- Update to upstream version 6.1.0
* Release version 6.1.0
* Introduce common and extra subpackages
* Update documentation
* Add lua interpreter to check and GH actions
* Remove license headers from wrapper scripts
* Make scripts compatible with rpmlua
* Add more tests, fix behaviour
* Implement separate simple class name matching
* Minor changes
* Modularize Lua scripts
* Add Lua scripts for removing annotations
* Update build status badge in README.md
* Migrate CI from TravisCI to GitHub Actions
* Fix running tests without coverage
* Update ivy-local-classpath
* Release version 6.0.0
* Fix extra XML handling of pom_change_dep
* Add reproducer for #82
* Respect %jpb_env RPM macro
* Add bootstrap metadata to XMvn resolver config
* Delete run_tests.py
* Replace nose by pytest
* [install] Make glob pattern work with Python 3.10
* Adding ppc64le architecture support on travis-ci
* Drop deprecated add_maven_depmap macro
* Drop SCL support
* Fix provides matching
* Fix builddep snippet generation
* [test] Add test for builddep snippet generation
* Add location of java binary used by the java-1.8.0-openjdk
(JRE) package so that setting JAVA_HOME will work correctly
* Use XMvn Javadoc MOJO by default
* Remove explicit import of Python 3 features
* Remove dependency on Six compatibility library
* Fix invalid <skippedPlugins> in XMvn configuration
* [test] Don't try to kill PID 1 during tests
* [travis] Drop Python 2 from test matrix
* Add separate subpackage with RPM generators
* mvn_build: replace inline shell scriptlet with native python
code
* [test] Don't use networking during tests
* Add apache-rat-plugin to skippedPlugins
* Skip execution of various Maven plugins
* Remove Python 3.5 from .travis.yml
* Make generated javadoc package noarch
- Added patch:
* javapackages-6.1.0-maven-depmap.patch
+ Bulk patch correspoding to our pull request
https://github.com/fedora-java/javapackages/pull/92 which
brings back some of the removed tools that we depend on
heavily
- Modified patches:
* python-optional.patch
* suse-use-libdir.patch
+ Rediff to changed context
- Removed patches:
* 0001-Let-maven_depmap.py-generate-metadata-with-dependenc.patch
* 0002-Do-not-try-to-construct-POM-from-maven-coordinate-st.patch
* 0003-Fix-tests-after-the-recent-maven_depmap.py-changes.patch
+ Already part of the above-mentioned bulk patch
* 0004-Remove-dependency-on-Six-compatibility-library.patch
+ Upstream patch already integrated in the 6.x code-line
- Fix wrong conditioning of the python-six require.
- Added patch:
* 0004-Remove-dependency-on-Six-compatibility-library.patch
+ remove dependency on python-six for newer distributions
- Added patches:
* 0001-Let-maven_depmap.py-generate-metadata-with-dependenc.patch
* 0002-Do-not-try-to-construct-POM-from-maven-coordinate-st.patch
* 0003-Fix-tests-after-the-recent-maven_depmap.py-changes.patch
+ Let maven_depmap.py generate metadata with dependencies under
certain circumstances
- Fix typo in suse-use-libdir.patch:
%{_libdir}/jvm-commmon -> %{_libdir}/jvm-common
- Do not run tests on SLE12, since python3-test is not accessible
- Can't assume non-existence of python38 macros in Leap.
gh#openSUSE/python-rpm-macros#107
Test for suse_version instead. Only Tumbleweed has and needs the
python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation
gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor
gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem:
/etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Modified patch:
* suse-use-libdir.patch
+ rediff to changed context
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this
just happens to overlap in some distros.
- krb5
-
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
(CVE-2023-36054);
- Added patches:
* 0014-Ensure-array-count-consistency-in-kadm5-RPC.patch
- Fix integer overflows in PAC parsing; (CVE-2022-42898);
(bsc#1205126);
- Added patches:
* 0013-Fix-integer-overflows-in-PAC-parsing.patch
- resource-agents
-
- ECO: Maint: Remove ocf_heartbeat_ZFS (jsc#PED-2841)
Add patch:
remove-zfs-support.patch
- SAPInstance can break if kill.sap includes unexpected content.
(bsc#1206100)
Include upstream patch:
1825.patch
- ECO: Maint: AWS EFS Support in Filesystem OCF required
(jsc#PED-2794)
Include upstream patch:
0001-Filesystem-Add-support-for-Amazon-EFS-mount-helper.patch
- Pacemaker should provide a dynamic option to specify a logfile
(jsc#PED-121)
Add upstream patch:
1739.patch
- libqt5-qtbase
-
- Add patch from upstream to fix a bug that allows to trigger a
DoS in the SQL ODBC driver with a specifically crafted string
(CVE-2023-24607, bsc#1209616):
* CVE-2023-24607-qtbase-5.15.diff
- Add patch from upstream (backport taken from Qt5PatchCollection)
to fix certificate validation for TLS which does not always
consider whether the root of a chain is a configured CA
certificate (CVE-2023-34410, bsc#1211994):
* 0001-Ssl-Copy-the-on-demand-cert-loading-bool-from-default-config.patch
- Add patch from upstream to fix a buffer overflow in QDnsLookup
(CVE-2023-33285, bsc#1211642):
* CVE-2023-33285-qtbase-5.15.diff
- Add patch from upstream to fix QtNetwork to parse the
strict-transport-security (HSTS) header case-insensitively
(CVE-2023-32762, QTBUG-113392, bsc#1211797):
* 0001-Hsts-match-header-names-case-insensitively.patch
- Add rebased patch from upstream to fix infinite loops in
QXmlStreamReader and raise error on unexpected tokens
which is a new behaviour (CVE-2023-38197, QTBUG-92113,
QTBUG-95188, bsc#1213326):
* 0001-QXmlStreamReader-Raise-error-on-unexpected-tokens.patch
- Add rebased patch from upstream to fix an overflow in QTextLayout
(CVE-2023-32763, QTBUG-113337, bsc#1211798):
* 0001-Fix-specific-overflow-in-qtextlayout-CVE-2023-32763.patch
- Remove wrong comment about patch not being merged yet (it was)
and add links to the patch comment for reference:
* 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
- libqt5-qtsvg
-
- Add patch from upsteam to fix a missing variable initialization
of QSvgFont's m_unitsPerEm and remove two unused variable in
that private class (CVE-2023-32573, bsc#1211298):
* 0001-QSvgFont-Initialize-used-member-remove-unused.patch
- Add patch from upstream to fix an out-of-bounds write that may
lead to a DoS (bsc#1196654, CVE-2021-45930, QTBUG-96044):
* 0001-Do-stricter-error-checking-when-parsing-path-nodes.patch
- libX11
-
- U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
* CVE-2023-43785 libX11: out-of-bounds memory access in
_XkbReadKeySyms() (boo#1215683)
* CVE-2023-43786 libX11: stack exhaustion from infinite recursion
in PutSubImage() (boo#1215684)
* CVE-2023-43787 libX11: integer overflow in XCreateImage()
leading to a heap overflow (boo#1215685)
- U_InitExt.c-Add-bounds-checks-for-extension-request-ev.patch
* Buffer overflows in InitExt.c (boo#1212102, CVE-2023-3138)
- U_Don-t-try-to-destroy-NULL-condition-variables.patch
* fixes regression introduced with security update for
CVE-2022-3555 (bsc#1204425, bsc#1208881)
- U_fix-a-memory-leak-in-XRegisterIMInstantiateCallback.patch
* security update for CVE-2022-3554 (bsc#1204422)
- U_Fix-two-memory-leaks-in-_XFreeX11XCBStructure.patch
* security update for CVE-2022-3555 (bsc#1204425)
- libXpm
-
- U_0000-test-Add-unit-tests-using-glib-framework.patch
U_0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
U_0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch
U_0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
* fixes CVE-2023-43788 libXpm: out of bounds read in
XpmCreateXpmImageFromBuffer() (boo#1215686)
* fixes CVE-2023-43789 libXpm: out of bounds read on XPM with
corrupted colormap (boo#1215687)
- U_0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
U_0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
U_0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
U_0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
* avoids to trigger CVE-2023-43786,CVE-2023-43787 (boo#1215684,
boo#1215685); see changelog in libX11 update ...
- U_regression2-bug1207029_1207030_1207031.patch
* second regression fix: Use gzip -d instead of gunzip
- U_regression-bug1207029_1207030_1207031.patch
* regression fix for above patches
- U_0000-Update-README-for-gitlab-migration.patch
* needed by U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
* needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
* libXpm: Infinite loop on unclosed comments (CVE-2022-46285,
bsc#1207029)
- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
* libXpm: Runaway loop on width of 0 and enormous height
(CVE-2022-44617, bsc#1207030)
- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
* libXpm: compression commands depend on $PATH (CVE-2022-4883,
bsc#1207031)
- avahi
-
- Add avahi-CVE-2023-1981.patch: emit error if requested service
is not found (boo#1210328 CVE-2023-1981).
- Add avahi-bsc1163683.patch: do not cache responses generated
locally (bsc#1163683).
- util-linux
-
- Add upstream patch util-linux-bash-completion-shell-character-escape-CVE-2018-7738.patch
Fix shell code injection in umount bash-completions (bsc#1213865, CVE-2018-7738)
- Add upstream patch fix-lib-internal-cache-size.patch
bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- Fix tests not passing when '@' character is in build path:
Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
- Add util-linux-fix-tests-when-at-symbol-in-path.patch
- libuuid continuous clock handling for time based UUIDs:
Prevent use of the new libuuid ABI by uuidd %post before update
of libuuid1 (bsc#1205646).
- libuuid improvements (bsc#1201959, PED-1150):
* libuuid: Fix range when parsing UUIDs
(util-linux-libuuid-uuid_parse-overrun.patch).
* Improve cache handling for short running applications-increment
the cache size over runtime
(util-linux-libuuid-improve-cache-handling.patch).
* Implement continuous clock handling for time based UUIDs
(util-linux-libuuid-continuous-clock-handling.patch).
* Check clock value from clock file to provide seamless libuuid
update (util-linux-libuuid-check-clock-value.patch).
- libcap
-
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
(bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch
- c-ares
-
- Update to version 1.19.1
Security:
* CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
(bsc#1211604)
* CVE-2023-31147 Moderate. Insufficient randomness in generation
of DNS query IDs (bsc#1211605)
* CVE-2023-31130. Moderate. Buffer Underwrite in
ares_inet_net_pton() (bsc#1211606)
* CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
during cross compilation (bsc#1211607)
Bug fixes:
* Fix uninitialized memory warning in test
* ares_getaddrinfo() should allow a port of 0
* Fix memory leak in ares_send() on error
* Fix comment style in ares_data.h
* Fix typo in ares_init_options.3
* Sync ax_pthread.m4 with upstream
* Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
- Update to version 1.19.0
Security:
* Low. Stack overflow in ares_set_sortlist() which is used
during c-ares initialization and typically provided by an
administrator and not an end user.
(bsc#1208067, CVE-2022-4904)
Changes:
* Add ARES_OPT_HOSTS_FILE similar to ARES_OPT_RESOLVCONF for
specifying a custom hosts file location.
Bug fixes:
* Fix memory leak in reading /etc/hosts when using localhost
fallback.
* Fix chain building c-ares when libresolv is already included by
another project.
* File lookup should not immediately abort as there may be other
tries due to search criteria.
* Asterisks should be allowed in host validation as CNAMEs may
reference wildcard domains.
* AutoTools build system referenced bad STDC_HEADERS macro.
* Even if one address class returns a failure for
ares_getaddrinfo() we should still return the results we have.
* Fix ares_getaddrinfo() numerical address resolution with
AF_UNSPEC
* Fix tools and help information.
* Various documentation fixes and cleanups.
* Add include guards to ares_data.h
* c-ares could try to exceed maximum number of iovec entries
supported by system.
* The RFC6761 6.3 states localhost subdomains must be offline too
- update to 1.18.1. Changes since 1.17.2:
* Allow '/' as a valid character for a returned name for
CNAME in-addr.arpa delegation
* no longer forwards requests for localhost resolution per RFC6761
* During a domain search, treat ARES_ENODATA as ARES_NXDOMAIN so
that the search process will continue to the next domain
in the search.
* Provide ares_nameser.h as a public interface as needed by NodeJS
* Add support for URI(Uniform Resource Identifier) records via
ares_parse_uri_reply()
- disable unit tests for SLE12 since GCC compiler too old to build
unit tests
- 5c995d5.patch: upstreamed
- disable-live-tests.patch: refreshed
- new upstream website
- drop multibuild - tests do not require static library anymore
- spec file cleanup
- drop sources that were re-added to upstream distibution
(c-ares-config.cmake.in ares_dns.h libcares.pc.cmake)
- cryptsetup
-
- luksFormat: Handle system with low memory and no swap space [bsc#1211079]
* Check for physical memory available also in PBKDF benchmark.
* Try to avoid OOM killer on low-memory systems without swap.
* Use only half of detected free memory on systems without swap.
* Add patches:
- cryptsetup-Check-for-physical-memory-available-also-in-PBKDF-be.patch
- cryptsetup-Try-to-avoid-OOM-killer-on-low-memory-systems-withou.patch
- cryptsetup-Use-only-half-of-detected-free-memory-on-systems-wit.patch
- libdb-4_8
-
- Fix incomplete license tag. [bsc#1099695]
- Security fix: [bsc#1174414, CVE-2019-2708]
* libdb: Data store execution leads to partial DoS
* Backport the upsteam commits:
- Fixed several possible crashes when running db_verify
on a corrupted database. [#27864]
- Fixed several possible hangs when running db_verify
on a corrupted database. [#27864]
- Added a warning message when attempting to verify a queue
database which has many extent files. Verification will take
a long time if there are many extent files. [#27864]
* Add libdb-4_8-CVE-2019-2708.patch
- mozilla-nss
-
- update to NSS 3.90
* bmo#1623338 - ride along: remove a duplicated doc page
* bmo#1623338 - remove a reference to IRC
* bmo#1831983 - clang-format lib/freebl/stubs.c
* bmo#1831983 - Add a constant time select function
* bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* bmo#1830973 - output early build errors by default
* bmo#1804505 - Update the technical constraints for KamuSM
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
* bmo#1790763 - Enable default UBSan Checks
* bmo#1786018 - Add explicit handling of zero length records
* bmo#1829391 - Tidy up DTLS ACK Error Handling Path
* bmo#1786018 - Refactor zero length record tests
* bmo#1829112 - Fix compiler warning via correct assert
* bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
* bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* bmo#1784163 - Fix reading raw negative numbers
* bmo#1748237 - Repairing unreachable code in clang built with gyp
* bmo#1783647 - Integrate Vale Curve25519
* bmo#1799468 - Removing unused flags for Hacl*
* bmo#1748237 - Adding a better error message
* bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* bmo#1782980 - Fall back to the softokn when writing certificate trust
* bmo#1806010 - FIPS-104-3 requires we restart post programmatically
* bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
* bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes
* bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
* bmo#1822076 - fix rst warnings in nss doc
* bmo#1821997 - Fix incorrect pygment style
* bmo#1821292 - Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- Add nss-fix-bmo1836925.patch to fix build-errors
- Merge the libfreebl3-hmac and libsoftokn3-hmac packages
into the respective libraries. (bsc#1185116)
- update to NSS 3.89.1
* bmo#1804505 - Update the technical constraints for KamuSM.
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
- update to NSS 3.89
* bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* bmo#1820175 - PR_STATIC_ASSERT is cursed
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1820175 - Fix unreachable code warning in fuzz builds
* bmo#1820175 - Fix various compiler warnings in NSS
* bmo#1820175 - Enable various compiler warnings for clang builds
* bmo#1815136 - set PORT error after sftk_HMACCmp failure
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
* bmo#1804660 - Make high tag number assertion failure an error
* bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
length from 284 to 384
* bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
* bmo#1789436 - Fix build failure on Windows
* bmo#1811337 - migrate Win 2012 tasks to Azure
* bmo#1810702 - fix title length in doc
* bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
* bmo#1570615 - Add presence/absence tests for TLS GREASE
* bmo#1804688 - Correct addition of GREASE value to ALPN xtn
* bmo#1789436 - CH extension permutation
* bmo#1570615 - TLS GREASE (RFC8701)
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
- update to NSS 3.88.1
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* bmo#1212915 - Add check for ClientHello SID max length
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
Session(IDs|Tickets) if ECH configs are setup
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
ciphersuites hash algorithm
* bmo#1789410 - ECH client: Send ech_required alert on server
negotiating TLS 1.2. Fixed misleading Gtest,
enabled corresponding BoGo test
* bmo#1771100 - Added Bogo ECH rejection test support
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
* bmo#1747957 - RSA OAEP Wycheproof JSON
* bmo#1747957 - RSA decrypt Wycheproof JSON
* bmo#1747957 - ECDSA Wycheproof JSON
* bmo#1747957 - ECDH Wycheproof JSON
* bmo#1747957 - PKCS#1v1.5 wycheproof json
* bmo#1747957 - Use X25519 wycheproof json
* bmo#1766767 - Move scripts to python3
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
* bmo#1805907 - Extending RSA-PSS bltest test coverage
(Adding SHA-256 and SHA-384)
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
* bmo#1805815 - Add initial testing with ACVP vector sets using
acvp-rust
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
- update to NSS 3.87
* bmo#1803226 - NULL password encoding incorrect
* bmo#1804071 - Fix rng stub signature for fuzzing builds
* bmo#1803595 - Updating the compiler parsing for build
* bmo#1749030 - Modification of supported compilers
* bmo#1774654 - tstclnt crashes when accessing gnutls server
without a user cert in the database.
* bmo#1751707 - Add configuration option to enable source-based
coverage sanitizer
* bmo#1751705 - Update ECCKiila generated files.
* bmo#1730353 - Add support for the LoongArch 64-bit architecture
* bmo#1798823 - add checks for zero-length RSA modulus to avoid
memory errors and failed assertions later
* bmo#1798823 - Additional zero-length RSA modulus checks
- Remove nss-fix-bmo1774654.patch which is now upstream
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
- update to NSS 3.85
* bmo#1792821 - Modification of the primes.c and dhe-params.c in
order to have better looking tables
* bmo#1796815 - Update zlib in NSS to 1.2.13
* bmo#1796504 - Skip building modutil and shlibsign when building
in Firefox
* bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard
* bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15
* bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare
and -Wtype-limits warnings
* bmo#1796281 - Followup: add missing stdint.h include
* bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings
* bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable}
warnings on Windows
* bmo#1796079 - Fix -Wstring-conversion warnings
* bmo#1796075 - Fix -Wempty-body warnings
* bmo#1795242 - Fix unused-but-set-parameter warning
* bmo#1795241 - Fix unreachable-code warnings
* bmo#1795222 - Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.
- update to NSS 3.84
* bmo#1791699 - Bump minimum NSPR version to 4.35
* bmo#1792103 - Add a flag to disable building libnssckbi.
- update to NSS 3.83
* bmo#1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
* bmo#1563221 - remove older oses that are unused part3/ BeOS
* bmo#1563221 - remove older unix support in NSS part 3 Irix
* bmo#1563221 - remove support for older unix in NSS part 2 DGUX
* bmo#1563221 - remove support for older unix in NSS part 1 OSF
* bmo#1778413 - Set nssckbi version number to 2.58
* bmp#1785297 - Add two SECOM root certificates to NSS
* bmo#1787075 - Add two DigitalSign root certificates to NSS
* bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS
* bmo#1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
* bmo#1779361 - Removed skipping of ECH on equality of private and
public server name
* bmo#1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
* bmo#1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
* bmo#1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
* bmo# 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
* bmo#1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
* bmo#1771100 - Update BoGo tests to recent BoringSSL version
* bmo#1785846 - Bump minimum NSPR version to 4.34.1
- update to NSS 3.82
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state
* bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length
* bmo#1784724 - Initialize local variables in
TlsConnectTestBase::ConnectAndCheckCipherSuite
* bmo#1784191 - Cast the result of GetProcAddress
* bmo#1681099 - pk11wrap: Tighten certificate lookup based on
PKCS #11 URI.
- update to NSS 3.81
* bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD
* bmo#1775359 - make NSS_SecureMemcmp 0/1 valued
* bmo#1779285 - Add no_application_protocol alert handler and
test client error code is set
* bmo#1777672 - Gracefully handle null nickname in
CERT_GetCertNicknameWithValidity
* required for Firefox 104
- raised NSPR requirement to 4.34.1
- changing some Requires from (pre) to generic as (pre) is not
sufficient (boo#1202118)
- update to NSS 3.80
* bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* bmo#1617956 - Add support for asynchronous client auth hooks.
* bmo#1497537 - nss-policy-check: make unknown keyword check optional.
* bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced
redundant code with assert. Debug builds: Added
buffer freeing/allocation for each record.
* bmo#1773022 - Mark 3.79 as an ESR release.
* bmo#1764206 - Bump nssckbi version number for June.
* bmo#1759815 - Remove Hellenic Academic 2011 Root.
* bmo#1770267 - Add E-Tugra Roots.
* bmo#1768970 - Add Certainly Roots.
* bmo#1764392 - Add DigitCert Roots.
* bmo#1759794 - Protect SFTKSlot needLogin with slotLock.
* bmo#1366464 - Compare signature and signatureAlgorithm fields in
legacy certificate verifier.
* bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld.
* bmo#1771495 - Unchecked return code in sec_DecodeSigAlg.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1760998 - Avoid data race on primary password change.
* bmo#1769063 - Replace ppc64 dcbzl intrinisic.
* bmo#1771036 - Allow LDFLAGS override in makefile builds.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with
fixes to PBKDF2 parameter validation.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to
validate extra PBKDF2 parameters according to FIPS 140-3.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to
update session->lastOpWasFIPS before destroying the key after
derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE,
CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases.
- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some
excess code.
- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546).
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
checks. Thanks to Martin for the DHKey parts.
- Add manpages to mozilla-nss-tools (bsc#1208242)
- update to NSS 3.79.4 (bsc#1208138)
* Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
(CVE-2023-0767)
- Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479
(bsc#1204272)
- update to NSS 3.79.3 (bsc#1207038)
* Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
(CVE-2022-23491)
- Update nss-fips-approved-crypto-non-ec.patch to disapprove the
creation of DSA keys, i.e. mark them as not-fips (bsc#1201298)
- Update nss-fips-approved-crypto-non-ec.patch to allow the use SHA
keygen mechs (bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to ensure abort() is
called when the repeat integrity check fails (bsc#1198980).
- freetype2
-
- Added patch:
* CVE-2023-2004.patch
+ fixes bsc#1210419, CVE-2023-2004: Integer overflow
- graphite2
-
- fixed license string [bsc#1207676]:
LGPL-2.1-or-later OR MPL-2.0 OR GPL-2.0-or-later
- harfbuzz
-
- Add CVE-2023-25193.patch: limit how far we skip when looking
back (bsc#1207922 CVE-2023-25193).
- libjansson
-
- Update to 2.14 (boo#1201817):
* New Features:
+ Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
corresponding `nocheck` functions.
+ Add jansson_version_str() and jansson_version_cmp() for runtime
version checking
+ Add json_object_update_new(), json_object_update_existing_new()
and json_object_update_missing_new() functions
+ Add json_object_update_recursive()
+ Add `json_pack()` format specifiers s*, o* and O* for values
that can be omitted if null (#339).
+ Add `json_error_code()` to retrieve numeric error codes
(#365, #380, #381).
+ Enable thread safety for `json_dump()` on all systems.
Enable thread safe `json_decref()` and `json_incref()` for
modern compilers (#389).
+ Add `json_sprintf()` and `json_vsprintf()` (#393).
* Fixes:
+ Handle `sprintf` corner cases.
+ Add infinite loop check in json_deep_copy()
+ Enhance JANSSON_ATTRS macro to support earlier C standard(C89)
+ Update version detection for sphinx-build
+ Fix error message in `json_pack()` for NULL object (#409).
+ Avoid invalid memory read in `json_pack()` (#421).
+ Call va_end after va_copy in `json_vsprintf()` (#427).
+ Improve handling of formats with '?' and '*' in `json_pack()`
(#438).
+ Remove inappropriate `jsonp_free()` which caused
segmentation fault in error handling (#444).
+ Fix incorrect report of success from `json_dump_file()` when
an error is returned by `fclose()` (#359).
+ Make json_equal() const-correct (#344).
+ Fix incomplete stealing of references by `json_pack()` (#374)
- Use GitHub as source URLs: Release hasn't been uploaded to digip.org.
- Add check section.
- libksba
-
- Security fix: [bsc#1206579, CVE-2022-47629]
* Integer overflow in the CRL signature parser.
* Add libksba-CVE-2022-47629.patch
- openldap2
-
- bsc#1212260 - crash in libldap when non-ldap data responds
* 0245-ITS-9803-Drop-connection-when-receiving-non-LDAP-dat.patch
- bsc#1211795 - CVE-2023-2953 - Null pointer deref in ber_memalloc_x
* 0244-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
- liblognorm
-
- Upgrade to liblognorm v2.0.6 (jsc#PED-4883)
* 2018-11-02: nitfixes: issues deteced by CodeFactor.com
* 2018-11-01: more cleanup of shell scripting
* 2018-10-31: cleanup shell scripting
* 2018-10-26: implement Checkpoint LEA transfer format
* 2018-10-31: fix mising shebangs in test scripts
* 2018-10-30: fix some bash style nits
* 2018-07-15: fix very theoretic misadressing (gcc-8 warning)
* 2018-06-26: string parser: add "lazy" matching mode
* 2018-05-30: Update lognormalizer.c
* 2018-05-30: Update lognormalizer.c to support case fallthrough
* 2018-05-30: Update README
* 2018-05-10: Fix for #229 (cisco-interface-spec at end of line)
* 2018-03-21: Suppress invalid param error for name to fix #270
- Upgrade to liblognorm v2.0.5
* 2018-04-25: fix potential NULL pointer addressing
* 2018-04-07: Add test for nested user types
* 2018-04-07: Fix use after free with nested user types (#235)
* 2018-04-25: build system: fix gcc warning
* 2018-04-25: make "make check" "succeed" on solaris 10
* 2018-04-16: fix build warnings with some newer compilers
* 2018-04-16: remove dead code
* 2018-04-16: fix potential memory leaks during config processing
* 2018-04-16: fix memory leak during config processing
* 2018-04-16: csv encoder: fix format error when processing arrays
* 2018-03-29: Explicitly list supported whitespace characters
* 2018-03-28: "fix" return type of unused dummy function
- replaces liblognorm-2.0.4-no-return-in-nonvoid-function.patch
* 2018-03-21: Suppress invalid param error for name to fix #270
* 2018-03-19: fix header guard
* 2018-03-06: Correct CLI options in the docs
* 2018-01-13: AIX port : added compatibility and modified lognormalizer for AIX.
* 2017-11-29: codestyle: correct line length to 120
* 2017-11-29: codestyle: set max line length to 120
* 2017-11-25: fix some very bad line length violations
* 2017-11-25: travis: temporarily permit longer line length
* 2017-10-19: make build with gcc7
* 2017-10-05: es_str2cstr leak in string-to v1 parse
- ncurses
-
- Modify patch ncurses-6.1.dif
* Secure writing terminfo entries by setfs[gu]id in s[gu]id
(boo#1210434, CVE-2023-29491)
* Reading is done since 2000/01/17
- nghttp2
-
- security update
- added patches
fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
+ nghttp2-CVE-2023-44487.patch
- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
sent, and nghttp2_on_stream_close_callback fails with a fatal error.
[CVE-2023-35945 bsc#1215713]
+ nghttp2-CVE-2023-35945.patch
- openssl-1_1
-
- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex
() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
- Displays "fips" in the version string (bsc#1215215)
* Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_1-CVE-2023-3817.patch
- Dont pass zero length input to EVP_Cipher because assembler
optimized AES cannot handle zero size. [bsc#1213517]
* Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Reworked the Fix for the Timing Oracle in RSA Decryption
The previous fix for this timing side channel turned out to cause
a severe 2-3x performance regression in the typical use case
compared to 1.1.1s.
* Add openssl-CVE-2022-4304.patch
* Removed patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
* Refreshed openssl-CVE-2023-0286.patch
- Update further expiring certificates that affect tests [bsc#1201627]
* Add openssl-Update-further-expiring-certificates.patch
- Security Fix: [CVE-2023-2650, bsc#1211430]
* Possible DoS translating ASN.1 object identifiers
* Add openssl-CVE-2023-2650.patch
- Security Fix: [CVE-2023-0465, bsc#1209878]
* Invalid certificate policies in leaf certificates are silently ignored
* Add openssl-CVE-2023-0465.patch
- Security Fix: [CVE-2023-0466, bsc#1209873]
* Certificate policy check not enabled
* Add openssl-CVE-2023-0466.patch
- Security Fix: [CVE-2023-0464, bsc#1209624]
* Excessive Resource Usage Verifying X.509 Policy Constraints
* Add openssl-CVE-2023-0464.patch
- Security Fix: [bsc#1207533, CVE-2023-0286]
* Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp
for x400Address
* Add openssl-CVE-2023-0286.patch
- Security Fix: [bsc#1207536, CVE-2023-0215]
* Use-after-free following BIO_new_NDEF()
* Add patches:
- openssl-CVE-2023-0215-1of4.patch
- openssl-CVE-2023-0215-2of4.patch
- openssl-CVE-2023-0215-3of4.patch
- openssl-CVE-2023-0215-4of4.patch
- Security Fix: [bsc#1207538, CVE-2022-4450]
* Double free after calling PEM_read_bio_ex()
* Add patches:
- openssl-CVE-2022-4450-1of2.patch
- openssl-CVE-2022-4450-2of2.patch
- Security Fix: [bsc#1207534, CVE-2022-4304]
* Timing Oracle in RSA Decryption
* Add patches:
- openssl-CVE-2022-4304-1of2.patch
- openssl-CVE-2022-4304-2of2.patch
- FIPS: list only FIPS approved public key algorithms
[bsc#1121365, bsc#1198472]
* Add openssl-1_1-fips-list-only-approved-pubkey-algorithms.patch
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
* bsc#1180995
* Default to RFC7919 groups when generating ECDH parameters
using 'genpkey' or 'dhparam' in FIPS mode.
- Fix memory leaks introduced by openssl-1.1.1-fips.patch [bsc#1203046]
* Add patch openssl-1.1.1-fips-fix-memory-leaks.patch
- pacemaker
-
- controller: update node state correctly based on any existing node cache entry (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0006-Fix-controller-update-node-state-correctly-based-on-.patch
- libcrmcluster: internal functions for getting a node cache entry by uuid instead of id (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0005-Refactor-libcrmcluster-internal-functions-for-gettin.patch
- libcrmcluster: ability to search for a node cache entry by uuid instead of id (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0004-Refactor-libcrmcluster-ability-to-search-for-a-node-.patch
- cts-scheduler: update regression test about not fencing a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0003-Test-cts-scheduler-update-regression-test-about-not-.patch
- scheduler: Do not fence a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0002-Fix-scheduler-Do-not-fence-a-pending-node-that-doesn.patch
- cts-scheduler: add regression test about a pending node that doesn't have an uname in node state yet (bsc#1198767, bsc#1202177, bsc#1206268, bsc#1208380, bsc#1211098)
* bsc#1198767-0001-Test-cts-scheduler-add-regression-test-about-a-pendi.patch
- rpm: build with --enable-legacy-links only for suse_version < 1600
- rpm: build with --with-nagios=true only for suse_version < 1600
- agents: create symlink ocf:pacemaker:NodeUtilization only for suse_version < 1600 in favor of ocf:heartbeat:NodeUtilization (bsc#1070347)
- rpm: avoid bare wildcards under shared directories in spec
- fencer: fencing timeout sent to peer takes no delay into account (bsc#1210074)
* bsc#1210074-0011-Fix-fencer-fencing-timeout-sent-to-peer-takes-no-del.patch
- libpacemaker: initial timeout for fencing callback takes any requested fencing delay into account (bsc#1210074)
* bsc#1210074-0010-Fix-libpacemaker-initial-timeout-for-fencing-callbac.patch
- controller: use "target" terminology consistently (bsc#1210074)
* bsc#1210074-0009-Log-controller-use-target-terminology-consistently.patch
- controller: log fencing timeout consistently in seconds as priority fencing delay (bsc#1210074)
* bsc#1210074-0008-Log-controller-log-fencing-timeout-consistently-in-s.patch
- controller: initial timeout for fencing callback takes any priority fencing delay into account (bsc#1210074)
* bsc#1210074-0007-Fix-controller-initial-timeout-for-fencing-callback-.patch
- fencer: apply requested fencing delay only for the first device (bsc#1210074)
* bsc#1210074-0006-Fix-fencer-apply-requested-fencing-delay-only-for-th.patch
- fencer: fencing timeouts take any pcmk_delay_base into account (bsc#1210074)
* bsc#1210074-0005-Fix-fencer-fencing-timeouts-take-any-pcmk_delay_base.patch
- fencer: add correct values of pcmk_delay_base/max to query rely (bsc#1210074)
* bsc#1210074-0004-Fix-fencer-add-correct-values-of-pcmk_delay_base-max.patch
- fencer: per-operation fencing timeout takes any requested fencing delay into account (bsc#1210074)
* bsc#1210074-0003-Fix-fencer-per-operation-fencing-timeout-takes-any-r.patch
- fencer: total fencing timeout takes any requested fencing delay into account (bsc#1210074)
* bsc#1210074-0002-Fix-fencer-total-fencing-timeout-takes-any-requested.patch
- cts-fencing: regression test for fencing timeouts taking fencing delays into account (bsc#1210074)
* bsc#1210074-0001-Test-cts-fencing-regression-test-for-fencing-timeout.patch
- cts-fencing: update expected total timeouts
* 0001-Test-cts-fencing-update-expected-total-timeouts.patch
- fenced: Correctly log the total fencing timeout.
* 0001-Low-fenced-Correctly-log-the-total-fencing-timeout.patch
- controller: avoid use-after-free when disconnecting proxy IPCs during shutdown (bsc#1209640)
* bsc#1209640-0001-Fix-controller-avoid-use-after-free-when-disconnecti.patch
- controller: Delay join finalization if a transition is in progress
* 0001-Fix-controller-Delay-join-finalization-if-a-transiti.patch
- extra/resources/SysInfo.in: This calculation of cpu_load returns an incorrect value in Darwin and Linux
* 0001-Fix-extra-resources-SysInfo.in-This-calculation-of-c.patch
- tools: avoid memory leaks in crm_mon (bsc#1211678)
* bsc#1211678-0008-Fix-tools-avoid-memory-leaks-in-crm_mon.patch
- tools: avoid (insignificant) memory leaks (bsc#1211678)
* bsc#1211678-0007-Low-tools-avoid-insignificant-memory-leaks.patch
- tools: Free --resource=/--node= memory in crm_mon. (bsc#1211678)
* bsc#1211678-0006-Fix-tools-Free-resource-node-memory-in-crm_mon.patch
- scheduler: Free the result of pe__node_display_name in one place. (bsc#1211678)
* bsc#1211678-0005-Fix-scheduler-Free-the-result-of-pe__node_display_na.patch
- tools: Free command-line related memory. (bsc#1211678)
* bsc#1211678-0004-Fix-tools-Free-command-line-related-memory.patch
- libcrmcommon: Don't leak memory in pcmk__cmdline_preproc. (bsc#1211678)
* bsc#1211678-0003-Fix-libcrmcommon-Don-t-leak-memory-in-pcmk__cmdline_.patch
- libpe_rules, libcrmcommon: Free the whole xml doc, not just the node. (bsc#1211678)
* bsc#1211678-0001-Test-libpe_rules-libcrmcommon-Free-the-whole-xml-doc.patch
- Revert "Fix: libpacemaker: ensure any pending recurring monitor gets updated if it fails" (bsc#1206263)
* Drop obsolete bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
- tool: update crm_mon synopsis (bsc#1208868)
* bsc#1208868-0001-Fix-tool-update-crm_mon-synopsis.patch
- libcrmcommon: Don't parse "-INFINITY" as a list of cmdline options (CLBZ#5509)
* CLBZ#5509-0001-Fix-libcrmcommon-Don-t-parse-INFINITY-as-a-list-of-c.patch
- tools: crm_shadow --commit now works with CIB_file
* 0001-Fix-tools-crm_shadow-commit-now-works-with-CIB_file.patch
- fencer: Prevent double g_source_remove of op_timer_one (rh#2166967)
* rh#2166967-0001-Fix-fencer-Prevent-double-g_source_remove-of-op_time.patch
- libpacemaker: avoid assertion failure if a node_state entry doesn't have an uname yet (bsc#1207319)
* bsc#1207319-0002-Fix-libpacemaker-avoid-assertion-failure-if-a-node_s.patch
- libpacemaker: unify bailing out in pcmk__inject_node() (bsc#1207319)
* bsc#1207319-0001-Refactor-libpacemaker-unify-bailing-out-in-pcmk__inj.patch
- cts-scheduler: update test for preventing inactive instances from starting if probe is unrunnable on any nodes (bsc#1206263)
* bsc#1206263-0006-Test-cts-scheduler-update-test-for-preventing-inacti.patch
- scheduler: prevent inactive instances from starting if probe is unrunnable on any nodes (bsc#1206263)
* bsc#1206263-0005-Fix-scheduler-prevent-inactive-instances-from-starti.patch
- libpacemaker: ensure any pending recurring monitor gets updated if it fails (bsc#1206263)
* bsc#1206263-0004-Fix-libpacemaker-ensure-any-pending-recurring-monito.patch
- cts-scheduler: update test for preventing a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
* bsc#1206263-0003-Test-cts-scheduler-update-test-for-preventing-a-left.patch
- scheduler: prevent a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
* bsc#1206263-0002-Fix-scheduler-prevent-a-leftover-pending-monitor-fro.patch
- cts-scheduler: add test for preventing a leftover pending monitor from causing unexpected stop of other instances (bsc#1206263)
* bsc#1206263-0001-Test-cts-scheduler-add-test-for-preventing-a-leftove.patch
- Use effective OCF rc-code to avoid increasing failcount for DEGRADED statuses (bsc#1205861)
* bsc#1205861-0002-Fix-Use-effective-OCF-rc-code-to-avoid-increasing-fa.patch
- Accept PCMK_OCF_DEGRADED and PCMK_OCF_DEGRADED_MASTER status codes (bsc#1205861)
* bsc#1205861-0001-Fix-Accept-PCMK_OCF_DEGRADED-and-PCMK_OCF_DEGRADED_M.patch
- tools: prevent possible crm_resource segfaults if multiple commands are specified (bsc#1198409)
* bsc#1198409-0002-Fix-tools-prevent-possible-crm_resource-segfaults-if.patch
- tools: set commands in crm_resource before changing any options (bsc#1198409)
* bsc#1198409-0001-Refactor-tools-set-commands-in-crm_resource-before-c.patch
- controller: log an info instead of a warning for a stonith/shutdown that is unknown to the new DC (bsc#1198715)
* bsc#1198715-0001-Log-controller-log-an-info-instead-of-a-warning-for-.patch
- controller: record CRM feature set as a transient attribute (bsc#1196673, bsc#1203367, fate#320759)
* bsc#1196673-0001-Feature-controller-record-CRM-feature-set-as-a-trans.patch
- pcre2
-
- Security fix: [bsc#1213514, CVE-2022-41409]
* Integer overflow vulnerability in pcre2test before 10.41
allows attackers to cause a denial of service or other
unspecified impacts via negative input.
* Add pcre2-CVE-2022-41409.patch
- pixman
-
- Add pixman-CVE-2022-44638.patch: avoid an integer overflow
(boo#1205033 CVE-2022-44638).
- procps
-
- Add patch CVE-2023-4016.patch
* CVE-2023-4016: ps buffer overflow (bsc#1214290)
- Add patch bsc1209122-a6c0795d.patch
* Fix for bsc#1209122 to allow `-´ as leading character to ignore
possible errors on systctl entries
- Extend patch procps-3.3.17-library-bsc1181475.patch (bsc#1206412)
- Make sure that correct library version is installed (bsc#1206412)
- protobuf
-
- Fix a potential DoS issue in protobuf-cpp and protobuf-python,
CVE-2022-1941, bsc#1203681
* Add protobuf-CVE-2022-1941.patch
- Fix a potential DoS issue when parsing with binary data in
protobuf-java, CVE-2022-3171, bsc#1204256
* Add protobuf-CVE-2022-3171.patch
- Refresh protobuf-CVE-2021-22570.patch
- Backport changes from 3.16.x tree for apply recent CVE patches
* Add protobuf-51026d922970e06475f005b39287963594134b96.patch
* Add protobuf-6ee16a9c60e734104aeb738503fe3f411c97bd88.patch
* Add protobuf-73e0d748b9acdc40b693f2879ce82ecb1a849b81.patch
* Add protobuf-7bff8393cab939bfbb9b5c69b3fe76b4d83c41ee.patch
* Add protobuf-4f02f056b5cea99052bfdfb6698afe47a3cf2964.patch
* Add protobuf-763c3588740b97e8e80b1b1a1a2dc4f417647133.patch
* Add protobuf-6c92f9dff1807c142edf6780d775b58a3b078591.patch
* Add protobuf-4e93585e8bb234efeacb7737b8d080968c5ab91e.patch
* Add protobuf-58d4420e2dd8a3cd354fff9db0052881c25369ce.patch
- Reorganize patch set ordering
- Fix potential Denial of Service in protobuf-java in the parsing procedure
for binary data, CVE-2021-22569, bsc#1194530
* Add protobuf-improve-performance-of-parsing-unknown-fields-in-Java.patch
- python-base
-
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- Allow nis.so for SLE-12.
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
- Fix the application of the python-2.7.17-switch-off-failing-SSL-tests.patch.
- python-2.7.5-multilib.patch: Update for riscv64
- Don't fail if _ctypes or dl extension was not built
- The condition around libnsl-devel BuildRequires is NOT
switching off NIS support on SLE < 15, support for NIS used to
be in the glibc itself. Partial revert of sr#1061583.
- Add PygmentsBridge-trime_doctest_flags.patch to allow build of
the documentation even with the current Sphinx. (SUSE-ONLY
PATCH, DO NOT SEND UPSTREAM!)
- Enable --with-system-ffi for non-standard architectures.
- SLE-12 builds nis.so as well.
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Disable NIS for new products, it's deprecated and gets removed
- Add skip_unverified_test.patch because apparently switching off
SSL verification doesn't work on older SLE.
- Restore python-2.7.9-sles-disable-verification-by-default.patch
for SLE-12.
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
extremely long domain names.
- Add bpo34990-2038-problem-compileall.patch making compileall.py
compliant with year 2038 (bsc#1202666, gh#python/cpython#79171),
backport of fix to Python 2.7.
- python3
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
- Use python3 modules to build the documentation.
- Add bpo-44434-libgcc_s-for-pthread_cancel.patch
which eliminates unnecessary and dangerous calls to
PyThread_exit_thread() (bsc#1203355).
- Add CVE-2023-24329-blank-URL-bypass.patch (CVE-2023-24329,
bsc#1208471) blocklists bypass via the urllib.parse component
when supplying a URL that starts with blank characters
- Add bpo27321-email-no-replace-header.patch to stop
email.generator.py from replacing a non-existent header
(bsc#1208443, gh#python/cpython#71508).
- Add bsc1188607-pythreadstate_clear-decref.patch to fix crash in
the garbage collection (bsc#1188607).
- Add CVE-2022-45061-DoS-by-IDNA-decode.patch to avoid
CVE-2022-45061 (bsc#1205244) allowing DoS by IDNA decoding
extremely long domain names.
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
overflow in hashlib.sha3_* implementations (originally from the
XKCP library).
- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix
CVE-2020-10735 (bsc#1203125) to limit amount of digits
converting text to int and vice vera (potential for DoS).
Originally by Victor Stinner of Red Hat.
- libqb
-
- log: fix potential overflow with long log messages (CVE-2023-39976, bsc#1214066)
* bsc#1214066-fix-potential-overflow-with-long-log-messages.patch
- libsolv
-
- handle learnt rules in solver_alternativeinfo()
- support x86_64_v[234] architecture levels
- implement decision sorting for package decisionlists
- add back findutils requires for the libsolv-tools packagse
[bsc#1195633]
- bump version to 0.7.24
- fix "keep installed" jobs not disabling "best update" rules
- do not autouninstall suse ptf packages
- ensure duplinvolvedmap_all is reset when a solver is reused
- special case file dependencies in the testcase writer
- support stringification of multiple solvables
- new weakdep introspection interface similar to ruleinfos
- support decision reason queries
- support merging of related decissions
- support stringification of ruleinfo, decisioninfo and decision reasons
- support better info about alternatives
- new '-P' and '-W' options for testsolv
- bump version to 0.7.23
- sqlite3
-
- Sync version 3.44.0 from Factory
* Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow
* sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86.
* Obsoletes sqlite-CVE-2022-46908.patch
* Obsoletes sqlite-src-3390000-func7-pg-181.patch
- bsc#1206337, CVE-2022-46908, sqlite-CVE-2022-46908.patch:
relying on --safe for execution of an untrusted CLI script
- libssh2_org
-
- Upgrade to version 1.11.0 in SLE-15: [jsc#PED-7040]
* Add the keyring file: libssh2_org.keyring
* Rebase libssh2-ocloexec.patch
* Remove libssh2_org-CVE-2020-22218.patch
- Security fix: [bsc#1214527, CVE-2020-22218]
* The function _libssh2_packet_add() allows to access out of
bounds memory.
* Add libssh2_org-CVE-2020-22218.patch
- Update to 1.11.0:
* Enhancements and bugfixes
- Adds support for encrypt-then-mac (ETM) MACs
- Adds support for AES-GCM crypto protocols
- Adds support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys
- Adds support for RSA certificate authentication
- Adds FIDO support with *_sk() functions
- Adds RSA-SHA2 key upgrading to OpenSSL, WinCNG, mbedTLS, OS400 backends
- Adds Agent Forwarding and libssh2_agent_sign()
- Adds support for Channel Signal message libssh2_channel_signal_ex()
- Adds support to get the user auth banner message libssh2_userauth_banner()
- Adds LIBSSH2_NO_{MD5, HMAC_RIPEMD, DSA, RSA, RSA_SHA1, ECDSA, ED25519,
AES_CBC, AES_CTR, BLOWFISH, RC4, CAST, 3DES} options
- Adds direct stream UNIX sockets with libssh2_channel_direct_streamlocal_ex()
- Adds wolfSSL support to CMake file
- Adds mbedTLS 3.x support
- Adds LibreSSL 3.5 support
- Adds support for CMake "unity" builds
- Adds CMake support for building shared and static libs in a single pass
- Adds symbol hiding support to CMake
- Adds support for libssh2.rc for all build tools
- Adds .zip, .tar.xz and .tar.bz2 release tarballs
- Enables ed25519 key support for LibreSSL 3.7.0 or higher
- Improves OpenSSL 1.1 and 3 compatibility
- Now requires OpenSSL 1.0.2 or newer
- Now requires CMake 3.1 or newer
- SFTP: Adds libssh2_sftp_open_ex_r() and libssh2_sftp_open_r() extended APIs
- SFTP: No longer has a packet limit when reading a directory
- SFTP: now parses attribute extensions if they exist
- SFTP: no longer will busy loop if SFTP fails to initialize
- SFTP: now clear various errors as expected
- SFTP: no longer skips files if the line buffer is too small
- SCP: add option to not quote paths
- SCP: Enables 64-bit offset support unconditionally
- Now skips leading \r and \n characters in banner_receive()
- Enables secure memory zeroing with all build tools on all platforms
- No longer logs SSH_MSG_REQUEST_FAILURE packets from keepalive
- Speed up base64 encoding by 7x
- Assert if there is an attempt to write a value that is too large
- WinCNG: fix memory leak in _libssh2_dh_secret()
- Added protection against possible null pointer dereferences
- Agent now handles overly large comment lengths
- Now ensure KEX replies don't include extra bytes
- Fixed possible buffer overflow when receiving SSH_MSG_USERAUTH_BANNER
- Fixed possible buffer overflow in keyboard interactive code path
- Fixed overlapping memcpy()
- Fixed Windows UWP builds
- Fixed DLL import name
- Renamed local RANDOM_PADDING macro to avoid unexpected define on Windows
- Support for building with gcc versions older than 8
- Improvements to CMake, Makefile, NMakefile, GNUmakefile, autoreconf files
- Restores ANSI C89 compliance
- Enabled new compiler warnings and fixed/silenced them
- Improved error messages
- Now uses CIFuzz
- Numerous minor code improvements
- Improvements to CI builds
- Improvements to unit tests
- Improvements to doc files
- Improvements to example files
- Removed "old gex" build option
- Removed no-encryption/no-mac builds
- Removed support for NetWare and Watcom wmake build files
* Rebase libssh2-ocloexec.patch
- Bump to version 1.10.0
Enhancements and bugfixes:
* support ECDSA certificate authentication
* fix detailed _libssh2_error being overwritten by generic errors
* unified error handling
* fix _libssh2_random() silently discarding errors
* don't error if using keys without RSA
* avoid OpenSSL latent error in FIPS mode
* fix EVP_Cipher interface change in openssl 3
* fix potential overwrite of buffer when reading stdout of command
* use string_buf in ecdh_sha2_nistp() to avoid attempting to parse malformed data
* correct a typo which may lead to stack overflow
* fix random big number generation to match openssl
* added key exchange group16-sha512 and group18-sha512.
* add support for an OSS Fuzzer fuzzing target
* adds support for ECDSA for both key exchange and host key algorithms
* clean up curve25519 code
* update the min, preferred and max DH group values based on RFC 8270.
* changed type of LIBSSH2_FX_* constants to unsigned long
* added diffie-hellman-group14-sha256 kex
* fix for use of uninitialized aes_ctr_cipher.key_len when using HAVE_OPAQUE_STRUCTS, regression
* fixes memory leaks and use after free AES EVP_CIPHER contexts when using OpenSSL 1.0.x.
* fixes crash with delayed compression option using Bitvise server.
* adds support for PKIX key reading
* use new API to parse data in packet_x11_open() for better bounds checking.
* double the static buffer size when reading and writing known hosts
* improved bounds checking in packet_queue_listener
* improve message parsing (CVE-2019-17498)
* improve bounds checking in kex_agree_methods()
* adding SSH agent forwarding.
* fix agent forwarding message, updated example.
* added integration test code and cmake target. Added example to cmake list.
* don't call `libssh2_crypto_exit()` until `_libssh2_initialized` count is down to zero.
* add an EWOULDBLOCK check for better portability
* fix off by one error when loading public keys with no id
* fix use-after-free crash on reinitialization of openssl backend
* preserve error info from agent_list_identities()
* make sure the error code is set in _libssh2_channel_open()
* fixed misspellings
* fix potential typecast error for `_libssh2_ecdsa_key_get_curve_type`
* rename _libssh2_ecdsa_key_get_curve_type to _libssh2_ecdsa_get_curve_type
- Rebased patch libssh2-ocloexec.path
- Removed patch libssh2_org-CVE-2019-17498.patch: the security fix
is already included in the latest version.
- tiff
-
- security update:
* CVE-2023-38289 [bsc#1213589]
+ tiff-CVE-2023-38289.patch
* CVE-2023-38288 [bsc#1213590]
+ tiff-CVE-2023-38288.patch
* CVE-2023-3576 [bsc#1213273]
+ tiff-CVE-2023-3576.patch
* CVE-2020-18768 [bsc#1214574]
+ tiff-CVE-2020-18768.patch
* CVE-2023-26966 [bsc#1212881]
+ tiff-CVE-2023-26966.patch
* CVE-2023-3618 [bsc#1213274]
+ tiff-CVE-2023-3618.patch
* CVE-2023-2908 [bsc#1212888]
+ tiff-CVE-2023-2908.patch
* CVE-2023-3316 [bsc#1212535]
+ tiff-CVE-2023-3316.patch
- security update:
* CVE-2023-0795 [bsc#1208226]
* CVE-2023-0796 [bsc#1208227]
* CVE-2023-0797 [bsc#1208228]
* CVE-2023-0798 [bsc#1208229]
* CVE-2023-0799 [bsc#1208230]
* CVE-2023-25433 [bsc#1212883]
+ tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch
* CVE-2023-0800 [bsc#1208231]
* CVE-2023-0801 [bsc#1208232]
* CVE-2023-0802 [bsc#1208233]
* CVE-2023-0803 [bsc#1208234]
* CVE-2023-0804 [bsc#1208236]
+ tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch
- security update:
* CVE-2022-48281 [bsc#1207413]
+ tiff-CVE-2022-48281.patch
- security update:
* CVE-2022-3570 [bsc#1205422]
* CVE-2022-3598 [bsc#1204642]
+ tiff-CVE-2022-3598,3570.patch
- security update:
* CVE-2022-3597 [bsc#1204641]
* CVE-2022-3626 [bsc#1204644]
* CVE-2022-3627 [bsc#1204645]
+ tiff-CVE-2022-3597,CVE-2022-3626,CVE-2022-3627.patch
* CVE-2022-3599 [bsc#1204643]
+ tiff-CVE-2022-3599.patch
* CVE-2022-3970 [bsc#1205392]
+ tiff-CVE-2022-3970.patch
- libvirt
-
- qemu: Fix potential crash during driver cleanup
15277033-qemu-Fix-potential-crash-during-driver-cleanup.patch
bsc#1209861
- CVE-2022-0897: nwfilter: fix crash when counting number of
network filters
a4947e8f-nwfilter-CVE-2022-0897.patch
bsc#1197636
- libxl: Mark auto-allocated graphics ports to used on reconnect
e0241f33-libxl-mark-allocated-graphics-ports.patch
- libxl: Release all auto-allocated graphics ports
18ec405a-libxl-release-graphics-ports.patch
bsc#1191668
- libxl: Add lock process indicator to saved VM state
31e937fb-libxl-save-lock-indicator.patch
bsc#1191668
- wayland
-
- U_util-Limit-size-of-wl_map.patch
U_util-set-errno-when-hitting-WL_MAP_MAX_OBJECTS.patch
* fixes Reference-count overflow in libwayland-server SHM
handling (CVE-2021-3782, bsc#1190486)
- libwebp
-
- Add 0001-Fix-OOB-write-in-BuildHuffmanTable.patch
Add 0001-Fix-invalid-incremental-decoding-check.patch:
[boo#1215231] [CVE-2023-4863]
- Add libwebp-double-free.patch: Avoid a double free, upstream
commit a486d800 (bsc#1210212 CVE-2023-1999).
- libxml2
-
- Security update:
* [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
in tree.c
- Added file libxml2-CVE-2023-45322.patch
- Security update:
* [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- Security update:
* [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings
isn't deterministic
- Added patch libxml2-CVE-2023-29469.patch
* [CVE-CVE-2023-28484, bsc#1210411] NULL dereference in
xmlSchemaFixupComplexType
- Added patch libxml2-CVE-2023-28484-1.patch
- Added patch libxml2-CVE-2023-28484-2.patch
- Fix changelog entries in both .changes files.
- Apply al patches correctly for libxml2 and python-libxml2.
- Add W3C conformance tests to the testsuite (bsc#1204585):
* Added file xmlts20080827.tar.gz
- libxslt
-
- Security Fix: [bsc#1208574, CVE-2021-30560]
* Use after free in Blink XSLT
* Add libxslt-CVE-2021-30560.patch
- Fix broken license symlink for libxslt-tools [bsc#1203669]
- libyajl
-
- add libyajl-CVE-2023-33460.patch (CVE-2023-33460, bsc#1212928)
- zlib
-
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
overflow in zipOpenNewFileInZip4_6, bsc#1216378
* CVE-2023-45853.patch
- Fix deflateBound() before deflateInit(), bsc#1210593
bsc1210593.patch
- Add DFLTCC support for using inflate() with a small window,
fixes bsc#1206513
* bsc1206513.patch
- Follow up fix for bsc#1203652 due to libxml2 breakage
* bsc1203652-2.patch
- Fix bsc#1203652, inflate() does not update strm.adler if DFLTCC is used
* bsc1203652.patch
- zstd
-
- Fix CVE-2022-4899, bsc#1209533
* Disallow empty --output-dir-flat=
- Added patch:
* Disallow-empty-output-directory.patch
- libzypp
-
- Preliminary disable 'rpm --runposttrans' usage for chrooted
systems (bsc#1216091)
This limits the %transfiletrigger(postun|in) support in the
default installer if --root is used (as described in bsc#1041742).
The chrooted execution of the scripts in 'rpm --runposttrans'
broke in rpm-4.18. It's expected to be fixed in rpm-4.19.
Then we'll enable the feature again.
- fix comment typo on zypp.conf (boo#1215979)
- version 17.31.22 (22)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm
supports it (bsc#1041742)
Decide during installation whether rpm is capable of delayed
%posttrans %transfiletrigger(postun|in) execution or whether we
can just handle the packages %posttrans. On TW a delayed
%transfiletrigger handling is possible since rpm-4.17.
- Make sure the old target is deleted before a new one is created
(bsc#1203760)
- version 17.31.21 (22)
- Fixup changes for 17.31.16. Remove faulty reference to a bug
actually fixed in 2019.
- version 17.31.20 (22)
- Fix zypp-tui/output/Out.h to build with clang.
- Fix zypp/Arch.h for clang (fixes #478)
Clang seems to have issues with picking the overload in
std::men_fn if there is a static overload of a member function.
We need to explicitely specify the correct type of the function
pointer. To make sure this would not break compiling a
application with clang that builds against libzypp this patch
works around the problem.
- version 17.31.19 (22)
- SINGLE_RPMTRANS: Respect ZYPP_READONLY_HACK when checking the
zypp-rpm lock (fixes openSUSE/openSUSE-repos#29)
- version 17.31.18 (22)
- Fix wrong filesize exceeded dl abort in zyppng::Downloader
(bsc#1213673)
In some cases when downloading very small files we can run into
issues when the URL is protected by credentials.
- version 17.31.17 (22)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Don't cleanup orphaned dirs if read-only mode was promised
(bsc#1210740)
- version 17.31.16 (22)
- Fix build against protobuf >= 22 (fixes #465, closes #466)
Port away from protobuf_generate_cpp. Upstream protobuf does not
export protobuf_generate_cpp by default anymore.
Use protobuf_generate instead, which is also available on older
versions.
- Remove SUSE < SLE11 constructs (fixes #464).
- version 17.31.15 (22)
- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. So we make
sure all custom headers are trimmed. This also includes headers
returned by URL-Resolver plugins.
- version 17.31.14 (22)
- curl: Trim user agent string (bsc#1212187)
HTTP/2 RFC 9113 forbids fields ending with a space. Violation
results in curl error: 92: HTTP/2 PROTOCOL_ERROR.
- version 17.31.13 (22)
- Do not unconditionally release a medium if provideFile failed
(bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing.
- version 17.31.12 (22)
- MediaCurl: Fix endless loop if wrong credentials are stored in
credentials.cat (bsc#1210870)
Since libzypp-17.31.7 wrong credentials stored in credentials.cat
may lead to an endless loop. Rather than asking for the right
credentials, the stored ones are used again and again.
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.]
(bsc#1208329)
Maximum time in seconds that you allow the connection phase to
the server to take. This only limits the connection phase, it has
no impact once it has connected. (see also CURLOPT_CONNECTTIMEOUT)
- commit: Try to provide /dev fs if not present (fixes #444)
- fix build with boost 1.82.
- version 17.31.11 (22)
- fix build with boost 1.82
- BuildRequires: libsolv-devel >= 0.7.24 for x86_64_v[234]
support.
- version 17.31.10 (22)
- Workround bsc#1195633 while libsolv <= 0.7.23 is used.
- Fix potential endless loop in new ZYPP_MEDIANETWORK.
- ZYPP_METALINK_DEBUG=1: Log URL and priority of the mirrors
parsed from a metalink file.
- multicurl: propagate ssl settings stored in repo url
(boo#1127591)
Closes #335.
- Teach MediaNetwork to retry on HTTP2 errors.
- fix CapDetail to return Rel::NONE if an EXPRESSION is used as a
NAMED cap.
- Capability: support parsing richdeps from string.
- defaultLoadSystem: default to LS_NOREFRESH if not root.
- Detect x86_64_v[234]: Fix LZCNT bit used in detection (fixes
[#439])
Merges rpm-software-management/rpm#2412: The bit for LZCNT is in
CPUID 0x80000001, not 1.
- Detect x86_64_v[234] architecture levels (fixes #439)
- Support x86_64_v[234] architecture levels (for #439)
- version 17.31.9 (22)
- ProgressData: enforce reporting the INIT||END state
(bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems
(bsc#1205636)
- version 17.31.8 (22)
- Hint to "zypper removeptf" to remove PTFs.
- Removing a PTF without enabled repos should always fail
(bsc#1203248)
Without enabled repos, the dependent PTF-packages would be
removed (not replaced!) as well. To remove a PTF "zypper install
- - -PTF" or a dedicated "zypper removeptf PTF" should be used.
This will update the installed PTF packages to theit latest
version.
- version 17.31.7 (22)
- Avoid calling getsockopt when we know the info already.
This patch hopefully fixes logging on WSL, getsockopt seems to
not be fully supported but the code required it when accepting
new socket connections. (for bsc#1178233)
- Enhance yaml-cpp detection (fixes #428)
- No need to redirect 'history.logfile=/dev/null' into the target.
- MultiCurl: Make sure to reset the progress function when
falling back.
- version 17.31.6 (22)
- Create '.no_auto_prune' in the package cache dir to prevent auto
cleanup of orphaned repositories (bsc#1204956)
- properly reset range requests (bsc#1204548)
- version 17.31.5 (22)
- Do not clean up MediaSetAccess before using the geoip file
(fixes #424)
- version 17.31.4 (22)
- Improve download of optional files (fixes #416)
- Do not use geoip rewrites if the repo has explicit country
settings.
- Implement geoIP feature for zypp.
This patch adds a feature to rewrite request URLs to the repo
servers by querying a geoIP file from download.opensuse.org. This
file can return a redirection target depending on the clients IP
adress, this way we can directly contact a local mirror of d.o.o
instead. The redir target stays valid for 24hrs.
This feature can be disabled in zypp.conf by setting
'download.use_geoip_mirror = false'.
- Use a dynamic fallback for BLKSIZE in downloads.
When not receiving a blocklist via metalink file from the server
MediaMultiCurl used to fallback to a fixed, relatively small
BLKSIZE. This patch changes the fallback into a dynamic value
based on the filesize using a similar metric as the MirrorCache
implementation on the server side.
- Skip media.1/media download for http repo status calc.
This patch allows zypp to skip a extra media.1/media download to
calculate if a repository needs to be refreshed. This
optimisation only takes place if the repo does specify only
downloading base urls.
- version 17.31.3 (22)
- lifecycle-data-sle-module-live-patching
-
- Added data for 4_12_14-150100_197_151, 5_14_21-150400_24_69,
5_14_21-150500_55_7, 5_3_18-150200_24_157,
5_3_18-150300_59_127,
+kernel-livepatch-5_14_21-150400_15_37-rt,*,+kernel-livepatch-5_14_21-150400_15_40-rt,*,+kernel-livepatch-5_14_21-150500_11-rt,*,+kernel-livepatch-5_14_21-150500_13_5-rt,*. (bsc#1020320)
- Added data for 4_12_14-150100_197_145,
4_12_14-150100_197_148, 5_14_21-150400_24_63,
5_14_21-150400_24_66, 5_14_21-150500_53,
5_3_18-150200_24_151, 5_3_18-150200_24_154,
5_3_18-150300_59_121, 5_3_18-150300_59_124,
+kernel-livepatch-5_14_21-150400_15_28-rt,*,2024-05-17+kernel-livepatch-5_14_21-150500_11-rt,*,TBD (bsc#1020320)
- Added data for 4_12_14-150100_197_137,
4_12_14-150100_197_142, 5_14_21-150400_24_49,
5_14_21-150400_24_55, 5_14_21-150400_24_60,
5_3_18-150200_24_145, 5_3_18-150200_24_148,
5_3_18-150300_59_115, 5_3_18-150300_59_118,
+kernel-livepatch-5_14_21-150400_15_14-rt,*,2024-03-15+kernel-livepatch-5_14_21-150400_15_18-rt,*,2024-03-28+kernel-livepatch-5_14_21-150400_15_23-rt,*,2024-04-25 (bsc#1020320)
- Added data for 4_12_14-150100_197_134, 5_14_21-150400_24_41,
5_14_21-150400_24_46, 5_3_18-150200_24_142,
5_3_18-150300_59_109, 5_3_18-150300_59_112,
+kernel-livepatch-5_14_21-150400_15_11-rt,*,2024-02-23+kernel-livepatch-5_14_21-150400_15_8-rt,*,2024-01-26 (bsc#1020320)
- Added data for 4_12_14-150000_150_109,
4_12_14-150100_197_131, 5_14_21-150400_24_33,
5_14_21-150400_24_38, 5_3_18-150200_24_139,
5_3_18-150300_59_101, 5_3_18-150300_59_106,
+kernel-livepatch-5_14_21-150400_15_5-rt,*,2023-12-23 (bsc#1020320)
- Added data for 4_12_14-150000_150_101, 4_12_14-150000_150_104,
4_12_14-150100_197_123, 4_12_14-150100_197_126,
5_14_21-150400_24_21, 5_14_21-150400_24_28,
5_3_18-150200_24_129, 5_3_18-150200_24_134,
5_3_18-150300_59_93, 5_3_18-150300_59_98. (bsc#1020320)
- man
-
- Use inverted exit status in exec option of find command to
avoid refreshing man database (boo#1155879)
- Minor corrections on %ghost /var/cache/man
- mlocate
-
- Set umask 0022 before running /usr/bin/updatedb (boo#1209409)
- Pass "--shell=/bin/sh" to "su" when running the "updatedb"
command so that we don't depend on the "${RUN_UPDATEDB_AS}"
user's login shell. Since that user is "nobody" by default, the
login shell will oftentimes be "/bin/false". [jsc#PED-1717]
- mozilla-nspr
-
- update to version 4.35
* fixes for building with clang
* use the number of online processors for the
PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture
- nfs-utils
-
- Add 0032-exportfs-Ingnore-export-failures-in-nfs-server.seriv.patch
Inconsistencies in /etc/exports shouldn't be fatal.
(bsc#1212594)
- Add 0030-systemd-use-correct-modprobe-d-directory
SLE15-SP5 an earlier don't use /usr/lib/modprobe.d
(bsc#1200710)
- Add 0031-mountd-don-t-advertise-krb5-for-v4root-when-not-conf.patch
Avoid unhelpful warning if rpcsec_gss_krb5.ko not installed
- Add 0028-mount.nfs-always-include-mountpoint-or-spec-if-error.patch
boo#1157881
- Add 0029-nfsd.man-fix-typo-in-section-on-scope.patch
bsc#1209859
- Allow scope to be set in sysconfig: NFSD_SCOPE
- Rename all drop-in options.conf files as 10-options.conf
This makes it easier for other packages to over-ride
with a drop-in with a later sequence number.
resource-agents does this.
(bsc#1207843)
- 0026-modprobe-avoid-error-messages-if-sbin-sysctl-fail.patch
Avoid modprobe errors when sysctl is not installed.
(bsc#1200710 bsc#1207022 bsc#1206781)
- 0027-nfsd-allow-server-scope-to-be-set-with-config-or-com.patch
Add "-S scope" option to rpc.nfsd to simplify fail-over cluster
config.
(bsc#1203746)
- add 0025-nfsdcltrack-getopt_long-fails-on-a-non-x86_64-archs.patch
Fix nfsdcltrack bug that affected non-x86 archs.
(bsc#1202627)
- 0024-systemd-Apply-all-sysctl-settings-when-NFS-related-m.patch
Ensure sysctl setting work (bsc#1199856)
- nfsidmap
-
- 0001-Removed-some-unused-and-set-but-not-used-warnings.patch
0002-Handle-NULL-names-better.patch
0003-Strip-newlines-out-of-IDMAP_LOG-messages.patch
0004-onf_parse_line-Ignore-whitespace-at-the-beginning-of.patch
0005-nss.c-wrong-check-of-return-value.patch
0006-Fixed-a-memory-leak-nss_name_to_gid.patch
Various bugfixes and improvemes from upstream
In particular, 0001 fixes a crash that can happen when
a 'static' mapping is configured.
(bnc#1200901)
- openssh
-
- Add openssh-clientalivecount-allow-disable.patch from upstream.
This allows disabling the client timeout by setting
ClientAliveCountMax=0 in the sshd configuration (bsc#1216709).
- Add openssh-CVE-2023-38408-PKCS11-execution.patch, Abort if
requested to load a PKCS#11 provider that isnt a PKCS#11
provider (bsc#1213504,CVE-2023-38408)
- Revert addition of openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish:
This caused invalid and irrelevant environment assignments (bsc#1207014).
- Update openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Update
dbus environment only for "ssh -X" connections i.e. only when the
DISPLAY variable is set (bsc#1179465).
- pam
-
- Update pam_motd to the most current version. This fixes various issues
and adds support for mot.d directories [jsc#PED-1712].
* Added: pam-ped1712-pam_motd-directory-feature.patch
- patterns-server-enterprise
-
- [aarch64] install system with all patterns, nothing provides 'sapconf' when installing pattern ‘sap_server’
(bsc#1214811)
The pattern sap_server is only available for x86_64 and ppc64le
- permissions
-
- Update to version 20181225:
* Backport postfix to SLE-15-SP2 (bsc#1206738)
- psmisc
-
- Fix version at configure time as there was no .tarball-version
- purge-kernels-service
-
- Change service type to exec (boo#1198668).
- python-certifi
-
- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
certs (bsc#1206212 CVE-2022-23491)
- TrustCor RootCert CA-1
- TrustCor RootCert CA-2
- TrustCor ECA-1
- Add removeTrustCor.patch
- python-configobj
-
- Add CVE-2023-26112.patch (bsc#1210070)
- python-cryptography
-
- Add patch CVE-2023-23931-dont-allow-update-into.patch (bsc#1208036, CVE-2023-23931)
* Don't allow update_into to mutate immutable objects
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)
- Refresh patches for new version
+ 5507-mitigate-Bleichenbacher-attacks.patch
- python-packaging
-
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Add patch to fix testsuite on big-endian targets
+ fix-big-endian-build.patch
- Ignore python3.6.2 since the test doesn't support it.
- update to 21.3:
* Add a pp3-none-any tag (gh#pypa/packaging#311)
* Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
(gh#pypa/packaging#481), (gh#pypa/packaging#486)
* Fix a spelling mistake (gh#pypa/packaging#479)
- update to 21.2:
* Update documentation entry for 21.1.
* Update pin to pyparsing to exclude 3.0.0.
* PEP 656: musllinux support
* Drop support for Python 2.7, Python 3.4 and Python 3.5.
* Replace distutils usage with sysconfig
* Add support for zip files in ``parse_sdist_filename``
* Use cached ``_hash`` attribute to short-circuit tag equality comparisons
* Specify the default value for the ``specifier`` argument to ``SpecifierSet``
* Proper keyword-only "warn" argument in packaging.tags
* Correctly remove prerelease suffixes from ~= check
* Fix type hints for ``Version.post`` and ``Version.dev``
* Use typing alias ``UnparsedVersion``
* Improve type inference for ``packaging.specifiers.filter()``
* Tighten the return type of ``canonicalize_version()``
- Add Provides: for python*dist(packaging): work around boo#1186870
- skip tests failing because of no-legacyversion-warning.patch
- add no-legacyversion-warning.patch to restore compatibility with 20.4
- update to 20.9:
* Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`)
* Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`)
* Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
- update to 20.8:
* Revert back to setuptools for compatibility purposes for some Linux distros (:issue:`363`)
* Do not insert an underscore in wheel tags when the interpreter version number
is more than 2 digits (:issue:`372`)
* Fix flit configuration, to include LICENSE files (:issue:`357`)
* Make `intel` a recognized CPU architecture for the `universal` macOS platform tag (:issue:`361`)
* Add some missing type hints to `packaging.requirements` (issue:`350`)
* Officially support Python 3.9 (:issue:`343`)
* Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes (:issue:`321`)
* Handle ``OSError`` on non-dynamic executables when attempting to resolve
the glibc version string.
- update to 20.4:
* Canonicalize version before comparing specifiers. (:issue:`282`)
* Change type hint for ``canonicalize_name`` to return
``packaging.utils.NormalizedName``.
This enables the use of static typing tools (like mypy) to detect mixing of
normalized and un-normalized names.
- python-parallax
-
- Fix: manager: writer thread can only be started once (bsc#1208817)
Add patch 0001-Fix-manager-writer-thread-can-only-be-started-once-b.patch
- Fix: manager: file descriptor leakage (bsc#1205116)
- Release 1.0.8
- Release 1.0.7
- Remove patches since already included:
Remove patch 0001-Add-ssh_key-option-used-by-i-option-of-ssh-scp.patch
Remove patch 0002-Change-format-of-scp-command-for-ipv6-compatible.patch
Remove patch 0003-Fix-task-Don-t-use-ssh-if-command-running-on-local-b.patch
Remove patch 0004-Fix-Error-inherit-from-Exception-instead-of-BaseExce.patch
Remove patch 0005-Dev-add-parallax.run-to-return-non-zero-rc-without-r.patch
- Dev: add parallax.run() to return non-zero rc without raising exceptions
Add patch 0005-Dev-add-parallax.run-to-return-non-zero-rc-without-r.patch
- Fix: Error: inherit from Exception instead of BaseExceptin
Add patch 0004-Fix-Error-inherit-from-Exception-instead-of-BaseExce.patch
- python-pyasn1
-
- To avoid users of this package having to recompile bytecode
files, change the mtime of any __init__.py. (bsc#1207805)
- python-py
-
- Remove all traces of py._path.svn{url,wc}. (bsc#1204364, CVE-2022-42969)
- Add patch remove-svn-remants.patch to help with that goal.
- Refresh pr_222.patch as needed for above.
- python-requests
-
- Add CVE-2023-32681.patch to fix unintended leak of
Proxy-Authorization header (CVE-2023-32681, bsc#1211674)
Upstream commit: gh#psf/requests@74ea7cf7a6a2
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Don't pin idna<3 in the egg-info so that depending packages
can install the new idna dropping python2
- update to 2.25.1:
- Requests now treats `application/json` as `utf8` by default. Resolving
inconsistencies between `r.text` and `r.json` output. (#5673)
- python-rsa
-
- Add cve_2020-25658.patch (CVE-2020-25658 bsc#1178676)
+ Reduce timing sensitivity on devryption for false ciphers
- python-setuptools
-
- Add CVE-2022-40897-ReDos.patch to fix Regular Expression Denial of Service
(ReDoS) in package_index.py.
bsc#1206667
- python-urllib3
-
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
gh#urllib3/urllib3@4e98d57809da
- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
gh#urllib3/urllib3#3139
* Added the Cookie header to the list of headers to strip from
requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
- regionServiceClientConfigGCE
-
- Update to version 4.0.1 (bsc#1217538)
+ Replace 130.211.242.136.pem and 130.211.88.88.pem certs
expiring in 8 years and new length of 4096
These certs will replace the current certs that
expire soon
- rsync
-
- Drop rsync-fix-external-compression.patch, rsync-iconv-segfault.patch
- Fix --delay-updates never updates after interruption [bsc#1204538]
* Added patch rsync-fix-delay-updates-never-updates-after-interruption.patch
- rsyslog
-
- fix rsyslog crash in imrelp (bsc#1210286)
* add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
- fix segfaults in modExit() of imklog.c (bsc#1211757)
* add 0001-imklog-fix-invalid-memory-adressing-could-cause-abor.patch
- fix removal of imfile state files (bsc#1213212)
* add 0001-fixing-the-deleteStateOnFileDelete-option.patch
- fix parsing of legacy config syntax (bsc#1205275)
* add:
0001-testbench-add-test-for-legacy-permittedPeer-statemen.patch
0002-imtcp-bugfix-legacy-config-directives-did-no-longer-.patch
- rubygem-actionpack-5_1
-
- security update
- added patches
fix CVE-2023-28362 [bsc#1213312], Possible XSS via User Supplied Values to redirect_to
+ 0008-CVE-2023-28362.patch
- Add patch to fix CVE-2023-22795 (bsc#1207451)
0007-CVE-2023-22795.patch
- Add patch to fix CVE-2023-22792 (bsc#1207455)
0006-CVE-2023-22792.patch
- rubygem-actionview-5_1
-
- security update
- added patches
fix CVE-2023-23913 [bsc#1209826], DOM Based Cross-site Scripting in rails-ujs
+ rubygem-actionview-5_1-CVE-2023-23913.patch
- Add patch to fix CVE-2022-27777 (bsc#1199060)
0004-CVE-2022-27777.patch
- Add patch to fix CVE-2020-15169 (bsc#1176421)
0003-CVE-2020-15169.patch
- Add patch to fix CVE-2020-8167 (bsc#1172184)
0002-CVE-2020-8167.patch
- rubygem-activerecord-5_1
-
- Add patch to fix CVE-2022-44566 (bsc#1207450)
CVE-2022-44566.patch
- rubygem-activesupport-5_1
-
- Add patch to fix CVE-2023-22796 (bsc#1207454)
CVE-2023-22796.patch
- rubygem-globalid
-
- security update
- added patches
fix CVE-2023-22799 [bsc#1207587], ReDoS vulnerability
+ rubygem-globalid-CVE-2023-22799.patch
- rubygem-loofah
-
- Added patch CVE-2022-23516.patch to fix CVE-2022-23516 (bsc#1206416)
- Added patch CVE-2022-23514.patch to fix CVE-2022-23514 (bsc#1206415)
- Added patch CVE-2022-23515.patch to fix CVE-2022-23515 (bsc#1206417)
- rubygem-nokogiri
-
- add 003-CVE-2022-24836.patch (CVE-2022-24836, bsc#1198408)
fixes possibility to DoS because of inefficient RE in HTML encoding
- add 004_CVE-2022-29181.patch (CVE-2022-29181, bsc#1199782)
fixes Improper Handling of Unexpected Data Types
- rubygem-puma
-
- Add CVE-2023-40175.patch (bsc#1214425, CVE-2023-40175.patch)
Reject empty string for Content-Length
- rubygem-rack
-
- security update
- added patches
fix CVE-2023-27539 [bsc#1209503], denial of service in header parsing
+ rubygem-rack-CVE-2023-27539.patch
- security update
- added patches
fix CVE-2023-27530 [bsc#1209095], Denial of service in Multipart MIME parsing
+ rubygem-rack-CVE-2023-27530.patch
- security update
- added patches
fix CVE-2022-44570 [bsc#1207597], denial of service in Content-Disposition parsing
+ rubygem-rack-CVE-2022-44570.patch
fix CVE-2022-44571 [bsc#1207599], denial of service in Content-Disposition parsing
+ rubygem-rack-CVE-2022-44571.patch
fix CVE-2022-44572 [bsc#1207596], denial of service in Content-Disposition parsing
+ rubygem-rack-CVE-2022-44572.patch
- rubygem-rails-html-sanitizer
-
- Fixing typos in CVEs corrected by prior submission
- Add patch 0002_CVE-2022-23517_CVE-2022-23518_CVE-2022-23519_CVE-2022-23520.patch
This patch fixes 4 different CVEs:
* CVE-2022-23517 (bsc#1206433)
* CVE-2022-23518 (bsc#1206434)
* CVE-2022-23519 (bsc#1206435)
* CVE-2022-23520 (bsc#1206436)
In order to have the
0002_CVE-2022-23517_CVE-2022-23518_CVE-2022-23519_CVE-2022-23520.patch
working smoothly I monkey patched loofah API and crass rubygem code into
rails-html-sanitizer.
- rubygem-websocket-extensions
-
- security update
- added patches
fix CVE-2020-7663 [bsc#1172445], Denial of Service (DoS) via Regex Backtracking
+ rubygem-websocket-extensions-CVE-2020-7663.patch
- runc
-
- Update to runc v1.1.10. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
- Update to runc v1.1.9. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.9>.
- Update to runc v1.1.8. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
- Update to runc v1.1.7. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.
- Update to runc v1.1.6. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.6>.
- Update to runc v1.1.5. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.5>.
Includes fixes for the following CVEs:
- CVE-2023-25809 bsc#1209884
- CVE-2023-27561 bsc#1208962
- CVE-2023-28642 bsc#1209888
* Fix the inability to use `/dev/null` when inside a container. bsc#1168481
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
(a regression in 1.1.1). bsc#1207004
* Fix rare runc exec/enter unshare error on older kernels.
* nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
- sapconf
-
- version update from 5.0.5 to 5.0.6
- add parameter IGNORE_RELOAD to /etc/sysconfig/sapconf to prevent
sapconf from changing any system tunables during package update
(bsc#1209408)
- fix for a race condition which leads to a missing start/restart
of sapconf, which ends up with restored kernel parameters to
defaults
(bsc#1207899)
- version update from 5.0.4 to 5.0.5
- adapt check of an active saptune service during the initial
package installation to work in a chroot environment and fix the
missing enablement of sapconf.
(bsc#1190736, bsc#1190787)
- saptune
-
- update package version of saptune to 3.1.1
* typo in logfile directory name creates /varlog/saptune instead
of /var/log/saptune
(bsc#1215969)
* SAP Note 2382421
fix missing handling for Azure systems regarding parameter
'net.ipv4.tcp_timestamps'. This exclude setting was left out
during the last SAP Note update by mistake.
* add parameter IGNORE_RELOAD to /etc/sysconfig/saptune to
prevent saptune from stopping and starting the system tuning
during package update
Related to sapconf bug bsc#1209408.
- create a flag file in preinstall and remove it in posttrans of
the package installation to inform saptune that currently a
package installation/update takes place so that some special
situations can be handled as expected.
- update package version of saptune to 3.1.0
* machine readable interfaces for saptune
add json output support
related json v1 schemas can be found after installation
on the system at /usr/share/saptune/schemas/1.0/
(jsc#PED-2194, jsc#PED-2195, jsc#SLE-23696)
* enhance the identification of the cloud service provider
(jsc#SLE-23779)
* add a command line syntax check
* colorized and filtered output for 'saptune note verify'
It is now possible to uses a 'color scheme' for the output to
highlight the non-compliant parameter or to limit the verify
output to show only non-compliant parameter.
(jsc#SLE-23727)
* add action 'saptune solution change' to switch to a new
solution even that another solution was already applied.
It's basically a 'revert OLDSOLUTION' && 'apply NEWSOLUTION'.
This will change the Note order in case of additional applied
Notes, but this is intended.
The confirmation for the revert of the old solution can be
suppressed by '--force'
(jsc#PED-2196)
* introduce a Trento naming convention for custom solutions in
the saptune man page to support trento checks.
(jsc#PED-4118)
* deprecate action 'saptune note|solution simulate'.
The action might get removed in a future saptune version
(jsc#PED-2199)
* deprecate support for the v1 vendor or custom specific Note
definition file format
(jsc#SLE-23725)
* detect virtualization environment by 'systemd-detect-virt' and
add the information to 'saptune status'.
(jsc#SLE-23885)
* enhance saptune with the new action 'check' to directly call
the external check script '/usr/sbin/saptune_check'.
(jsc#SLE-23726)
* de-deprecate the MAXDB solution definition. It is still active
supported by SAP.
And add solution NETWEAVER+MAXDB
(jsc#SLE-23724)
* support inline comments in the Note definition files
(jsc#SLE-23729)
* rework Note representation in 'saptune status' output
(jsc#SLE-24530)
* fix problem with 'verify' output, if a sysctl parameter is
empty on the system
(bsc#1199527)
* add hint to the manual page of saptune(8) regarding 'missing'
line feed for 'saptune note applied' and 'saptune note enabled'
It's intended.
(bsc#1193714)
* rework the version section to make it clear, which information
needs to be provided
(jsc#SLE-23722)
* add more information to 'saptune status':
differ between 'enabled' and 'applied' Solutions and add the
related Notes.
differ between Notes and Solutions in the staging area.
rename 'system state' line to 'systemd system state' to prevent
misunderstandings.
add virtualisation information.
* add tuning state to 'saptune status' output.
The check of the tuning state (an internal 'verify' operation)
can be skipped by using the flag '--non-compliance-check'.
In this case the tuning state will be reported as
unknown (checking disabled)
'saptune status' will exit with a return code of '4', if the
saptune service is enabled, the system is tuned, but the
tuning state is 'not compliant'.
(jsc#SLE-24928)
* add support for the IBM Power architecture to the vendor and
model section tagging
(jsc#SLE-23824)
* add new SAP Note 1868829 to set fs.aio-max-nr and add it to
the HANADB related solutions for SLE12 and SLE15.
* SAP Note 3024346 updated to Version 6
SAP Note 1557506 updated to Version 16
SAP Note 1656250 updated to Version 46
SAP Note 1805750 updated to Version 9
SAP Note 2161991 updated to Version 28
SAP Note 2205917 updated to Version 63
SAP Note 2382421 updated to Version 45
SAP Note 2534844 updated to Version 15
SAP Note BOBJ updated to Version 1
but without parameter value changes, only house keeping of the
version section and comment updates
* SAP Note 1984787 updated to Version 40
SAP Note 2578899 updated to Version 46
SAP Note 2684254 updated to Version 23
SAP Note 1680803 updated to Version 27
includes version 3.1 of 'SAP Applications on SAP Adaptive
Server Enterprise - Best Practices for Migration and Runtime'
* Solution 'SAP-ASE' changed - remove SAP Note 1410736.
The best practice document (version 3.1) for ASE was changed
and the SAP Note 1410736 is no longer referenced. Instead the
parameter 'net.ipv4.tcp_keepalive_time' is set in
SAP Note 1680803 (the ASE SAP Note) directly.
* introduce an additional parameter 'SKIP_SYSCTL_FILES' in the
/etc/sysconfig/saptune configuration file, which contains a
comma separated list of sysctl.conf files or directories
containing sysctl.conf files, which should be excluded from
the 'additional defined' WARNING messages.
Default is
SKIP_SYSCTL_FILES="/boot"
to skip the WARNINGS for '/boot/sysctl.conf-<kernelversion>'
- check in preinstall and posttrans of the package installation,
if the active tuned profile is still 'saptune', even that this
profile no longer exists. If yes, try to remove it.
(bsc#1194688)
- shadow
-
- bsc#1214806 (CVE-2023-4641):
Fix potential password leak
- Add shadow-CVE-2023-4641.patch
- bsc#1210507 (CVE-2023-29383):
Check for control characters
- Add shadow-CVE-2023-29383.patch
- shim
-
- Update shim to 15.7-150300.4.11.1 from SLE15-SP3
+ Version: 15.7, "Thu Mar 17 2023"
+ Update the SLE signatures
+ Include the fixes for bsc#1205588, bsc#1202120, bsc#1201066,
(bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282
- 000release-packages:sle-ha-release
-
n/a
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-live-patching-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-sap-applications-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:sle-module-web-scripting-release
-
n/a
- sudo
-
- Fix CVE-2023-28486, sudo does not escape control characters in
log messages, (CVE-2023-28486, bsc#1209362)
* Add sudo-CVE-2023-28486.patch
- Fix CVE-2023-28487, sudo does not escape control characters in
sudoreplay output (CVE-2023-28487, bsc#1209361)
- sudo-dont-enable-read-after-pty_finish.patch
* bsc#1203201
* Do not re-enable the reader when flushing the buffers as part
of pty_finish().
* While sudo-observe-SIGCHLD patch applied earlier prevents a
race condition from happening, this fixes a related buffer hang.
- Added sudo-fix_NULL_deref_RunAs.patch
* bsc#1206483
* Fix a situation where "sudo -U otheruser -l" would dereference
a NULL pointer.
- Added sudo-CVE-2023-22809.patch
* CVE-2023-22809
* bsc#1207082
* Prevent '--' in the EDITOR environment variable which can allow
users to edit sensitive files as root.
- Modified sudo-1-8-27-bsc1201462-ignore-no-sudohost.patch
* Fixes crash while using sssd plugin caused by regression
introduced by this patch
* bsc#1206170
- Added sudo-utf8-ldap-schema.patch
* Change sudo-ldap schema from ASCII to UTF8.
* Fixes bsc#1197998
* Credit to William Brown <william.brown@suse.com>
* https://github.com/sudo-project/sudo/pull/163
- Added sudo-observe-SIGCHLD.patch
* Make sure SIGCHLD is not ignored when sudo is executed; fixes
race condition.
* bsc#1203201
* Sourced from https://github.com/sudo-project/sudo/commit/727056e
- Modified sudo-sudoers.patch
* Fixes bsc#1177578
- Removed redundant and confusing 'secure_path' settings in
sudo-sudoers file.
* Fixes bsc#1205325
- Restore uncommented 'secure_path' entry in sudoers file.
- Added sudo-CVE-2022-43995.patch
* CVE-2022-43995
* bsc#1204986
* Fixed a potential heap-based buffer over-read when entering a password
of seven characters or fewer and using the crypt() password backend.
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.8 (bsc#1213951)
+ Capture CSP billing adapter config and log (issue#13)
+ Accept upper case Amazon string in DMI table (issue#12)
- Update to version 1.0.7 (bsc#1209026)
+ Include information about the cached registration data
+ Collect the data that is sent to the update infrastructure during
registration
- supportutils
-
- Changes in version 3.1.26
+ powerpc plugin to collect the slots and active memory (bsc#1210950)
+ A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154
+ supportconfig: collect BPF information (pr#154)
+ Added additional iscsi information (pr#155)
- Added run time detection (bsc#1213127)
- ha_info sle15 uses /var/log/pacemaker/ (pq#153)
- Changes for supportutils version 3.1.25
+ Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
+ powerpc: Collect lsslot,amsstat, and opal elogs (pr#149)
+ powerpc: collect invscout logs (pr#150)
+ powerpc: collect RMC status logs (pr#151)
+ Added missing nvme nbft commands (bsc#1211599)
+ Fixed invalid nvme commands (bsc#1211598)
+ Added missing podman information (PED-1703, bsc#1181477)
+ Removed dependency on sysfstools
+ Check for systool use (bsc#1210015)
+ Added selinux checking (bsc#1209979)
+ Updated SLES_VER matrix
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Applies limit equally to sar data and text files (bsc#1207543)
- Collects hwinfo hardware logs (bsc#1208928)
- Collects lparnumascore logs (issue#148)
- Add dependency to `numactl` on ppc64le and `s390x`, this enforces
that `numactl --hardware` data is provided in supportconfigs
- Changes to supportconfig.rc version 3.1.11-35
+ Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402)
- Changes to supportconfig version 3.1.11-46.4
+ Added plymouth_info
- Changes to getappcore version 1.53.02
+ The location of chkbin was updated earlier. This documents that
change (bsc#1205533, bsc#1204942)
- Changes to supportconfig version 3.1.11-46.3
+ Added missed sanitation check on crash.txt (bsc#1203818)
- Changes to supportconfig.rc version 3.1.11-30
+ Added check to _sanitize_file
+ Using variable for replement text in _sanitize_file
- Added lifecycle information (issue#140)
- Changes to version 3.1.21
+ Added type output with df command in fs-diskio.txt (issue#141)
+ Gather all files in /etc/security/limits.d/ (issue#142)
+ Fixed KVM virtualization detection on bare metal (bsc#1184689)
+ Added logging using journalctl (bsc#1200330)
+ Passwords correctly removed from email.txt, updates.txt and fs-iscsi.txt (bsc#1203818)
+ Added system logging configuration and checking in messages_config.txt (issue#103)
+ If rsyslog not installed collect more from journalctl (issue#120)
+ Added systemd-status.txt for the status of all service units (issue#125)
+ autofs includes files in (+dir:<path>) (issue#111)
+ Get current sar data before collecting files (bsc#1192648)
+ Collects everything in /etc/multipath/ (bsc#1192252)
+ Collects power management information in hardware.txt (bsc#1197428)
+ Checks for suseconnect-ng or SUSEConnect packages (bsc#1202337)
+ Fixed conf_files and conf_text_files so y2log is gathered (issue#134, bsc#1202269)
+ Update to nvme_info and block_info #133 (bsc#1202417)
+ Added IO scheduler (issue#136)
+ Added includedir directories from /etc/sudoers (bsc#1188086)
- Added a listing to /dev/mapper/. #129
- suse-build-key
-
- replace libzypp-post-script based installation with a systemd timer
and service.
- suse-build-key-import.service
- suse-build-key-import.timer
- add and run a import-suse-build-key scripts, this will be ran
after installation with libzypp based installers. (jsc#PED-2777)
- Establish multiple new 4096 RSA keys that we will switch
to mid of 2023. (jsc#PED-2777)
- gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SLE (RPM+repos).
- gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserver key for SLE (RPM+repos).
- suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF RPMs.
- build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem:
new RSA 4096 key for the SUSE registry registry.suse.com, installed as
suse-container-key-2023.pem and suse-container-key-2023.asc
- suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem:
New PTF container signing key for registry.suse.com/ptf/ space.
- added /usr/share/pki/containers directory for container pem keys
(cosign/sigstore style), put our PEM key there too (bsc#1204706)
- suse-module-tools
-
- Update to version 15.2.18:
* blacklist RNDIS modules (bsc#1205767, jsc#PED-5731)
* modprobe.conf: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
* modprobe.conf: s390x: remove softdep on fbcon
- systemd-presets-common-SUSE
-
- Enable systemd-pstore.service by default (jsc#PED-2663)
- tar
-
- Fix CVE-2022-48303, tar has a one-byte out-of-bounds read that
results in use of uninitialized memory for a conditional jump
(CVE-2022-48303, bsc#1207753)
* fix-CVE-2022-48303.patch
- Fix hang when unpacking test tarball, bsc#1202436
* remove bsc1202436.patch
* bsc1202436-1.patch
* bsc1202436-1.patch
- Fix hang when unpacking test tarball, bsc#1202436
* bsc1202436.patch
- Fix unexpected inconsistency when making directory, bsc#1203600
* tar-avoid-overflow-in-symlinks-tests.patch
* tar-fix-extract-unlink.patch
- Update race condition fix, bsc#1200657
* tar-fix-race-condition.patch
- Refresh bsc1200657.patch
- timezone
-
- timezone update 2023c:
* Revert changes made in 2023b
- timezone update 2023b:
* Lebanon delays the start of DST this year.
- timezone update 2023a:
* Egypt now uses DST again, from April through October.
* This year Morocco springs forward April 23, not April 30.
* Palestine delays the start of DST this year.
* Much of Greenland still uses DST from 2024 on.
* America/Yellowknife now links to America/Edmonton.
* tzselect can now use current time to help infer timezone.
* The code now defaults to C99 or later.
- Refresh tzdata-china.diff
- timezone update 2022g (bsc#1177460):
* In the Mexican state of Chihuahua, the border strip near the US
will change to agree with nearby US locations on 2022-11-30.
The strip's western part, represented by Ciudad Juárez, switches
from -06 all year to -07/-06 with US DST rules, like El Paso, TX.
The eastern part, represented by Ojinaga, will observe US DST next
year, like Presidio, TX.
A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
* Much of Greenland, represented by America/Nuuk, stops observing
winter time after March 2023, so its daylight saving time becomes
standard time.
* Changes for pre-1996 northern Canada
* Update to past DST transition in Colombia (1993), Singapore
(1981)
* timegm is now supported by default
- timezone update 2022f (bsc#1177460):
* Mexico will no longer observe DST except near the US border
* Chihuahua moves to year-round -06 on 2022-10-30
* Fiji no longer observes DST
* Move links to 'backward'
* In vanguard form, GMT is now a Zone and Etc/GMT a link
* zic now supports links to links, and vanguard form uses this
* Simplify four Ontario zones
* Fix a Y2438 bug when reading TZif data
* Enable 64-bit time_t on 32-bit glibc platforms
* Omit large-file support when no longer needed
* In C code, use some C23 features if available
* Remove no-longer-needed workaround for Qt bug 53071
- Refreshed patches:
* fat.patch
* tzdata-china.diff
- timezone update 2022e (bsc#1177460):
* Jordan and Syria switch from +02/+03 with DST to year-round +03
- timezone update 2022d:
* Palestine transitions are now Saturdays at 02:00
* Simplify three Ukraine zones into one
- timezone update 2022c:
* Work around awk bug
* Improve tzselect on intercontinental Zones
- timezone update 2022b:
* Chile's DST is delayed by a week in September 2022 boo#1202324
* Iran no longer observes DST after 2022
* Rename Europe/Kiev to Europe/Kyiv
* New zic -R option
* Vanguard form now uses %z
* Finish moving duplicate-since-1970 zones to 'backzone'
- Refresh tzdata-china.diff
- Remove upstreamed bsc1202310.patch
- util-linux-systemd
-
- Add upstream patch util-linux-bash-completion-shell-character-escape-CVE-2018-7738.patch
Fix shell code injection in umount bash-completions (bsc#1213865, CVE-2018-7738)
- Add upstream patch fix-lib-internal-cache-size.patch
bsc#1210164, gh#util-linux/util-linux@2fa4168c8bc9
- Fix tests not passing when '@' character is in build path:
Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
- Add util-linux-fix-tests-when-at-symbol-in-path.patch
- libuuid continuous clock handling for time based UUIDs:
Prevent use of the new libuuid ABI by uuidd %post before update
of libuuid1 (bsc#1205646).
- libuuid improvements (bsc#1201959, PED-1150):
* libuuid: Fix range when parsing UUIDs
(util-linux-libuuid-uuid_parse-overrun.patch).
* Improve cache handling for short running applications-increment
the cache size over runtime
(util-linux-libuuid-improve-cache-handling.patch).
* Implement continuous clock handling for time based UUIDs
(util-linux-libuuid-continuous-clock-handling.patch).
* Check clock value from clock file to provide seamless libuuid
update (util-linux-libuuid-check-clock-value.patch).
- vim
-
- Updated to version 9.0 with patch level 2103, fixes the following security problems
* Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
* Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
* Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
* Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103
- Updated to version 9.0 with patch level 1894, fixes the following security problems
* Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
* Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
* Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
* Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
* Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
* Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
ignore-flaky-test-failure.patch
vim-8.1.0297-dump3.patch
- dropped %check - most of tests didn't work correctly in OBS
and maintenance burden of this was getting too big
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894
- Use app icon generated from vimlogo.eps in source tarball; add
higher res icons of sizes 128, 256, and 512px as png sources.
Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632
- Updated to version 9.0 with patch level 1572, fixes the following security problems
* Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
* Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531
* Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1443...v9.0.1572
- Fixing bsc#1211461 - L3: vim "eats" first character from prompt in xterm
* Add: reorder-exit-raw-mode.patch
* Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit.
- Fixing bsc#1211144 - [Build 96.1] openQA test fails in zypper_migration - conflict between xxd and vim
* Revert the creation standalone xxd packages
- Updated to version 9.0 with patch level 1443, fixes the following security problems
* Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
* Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
* Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
remove during %prep anyway. And this breaks quilt setup.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1386...v9.0.1443
- Updated to version 9.0 with patch level 1386, fixes the following security problems
* Fixing bsc#1207780 - (CVE-2023-0512) VUL-0: CVE-2023-0512: vim: Divide By Zero in GitHub repository vim/vim prior to 9.0.1247
* Fixing bsc#1208957 - (CVE-2023-1175) VUL-0: CVE-2023-1175: vim: Incorrect Calculation of Buffer Size
* Fixing bsc#1208959 - (CVE-2023-1170) VUL-0: CVE-2023-1170: vim: Heap-based Buffer Overflow in vim prior to 9.0.1376
* Fixing bsc#1208828 - (CVE-2023-1127) VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386
- Updated to version 9.0 with patch level 1234, fixes the following security problems
* Fixing bsc#1207396 VUL-0: CVE-2023-0433: vim: Heap-based Buffer Overflow in vim prior to 9.0.1225
* Fixing bsc#1207162 VUL-1: CVE-2023-0288: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
* Fixing bsc#1206868 VUL-1: CVE-2023-0054: vim: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
* Fixing bsc#1206867 VUL-1: CVE-2023-0051: vim: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
* Fixing bsc#1206866 VUL-1: CVE-2023-0049: vim: Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
- refreshed vim-7.4-highlight_fstab.patch
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1040...v9.0.1234
- Updated to version 9.0 with patch level 1040, fixes the following security problems
* Fixing bsc#1206028 VUL-0: CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742
* Fixing bsc#1206071 VUL-0: CVE-2022-3520: vim: Heap-based Buffer Overflow
* Fixing bsc#1206072 VUL-0: CVE-2022-3591: vim: Use After Free
* Fixing bsc#1206075 VUL-0: CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882.
* Fixing bsc#1206077 VUL-0: CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.
* Fixing bsc#1205797 VUL-0: CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11
* Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.814...v9.0.1040
- Updated to version 9.0 with patch level 0814, fixes the following problems
* Fixing bsc#1192478 VUL-1: CVE-2021-3928: vim: vim is vulnerable to Stack-based Buffer Overflow
* Fixing bsc#1203508 VUL-0: CVE-2022-3234: vim: Heap-based Buffer Overflow prior to 9.0.0483.
* Fixing bsc#1203509 VUL-1: CVE-2022-3235: vim: Use After Free in GitHub prior to 9.0.0490.
* Fixing bsc#1203820 VUL-0: CVE-2022-3324: vim: Stack-based Buffer Overflow in prior to 9.0.0598.
* Fixing bsc#1204779 VUL-0: CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c
* Fixing bsc#1203152 VUL-1: CVE-2022-2982: vim: use after free in qf_fill_buffer()
* Fixing bsc#1203796 VUL-1: CVE-2022-3296: vim: stack out of bounds read in ex_finally() in ex_eval.c
* Fixing bsc#1203797 VUL-1: CVE-2022-3297: vim: use-after-free in process_next_cpt_value() at insexpand.c
* Fixing bsc#1203110 VUL-1: CVE-2022-3099: vim: Use After Free in ex_docmd.c
* Fixing bsc#1203194 VUL-1: CVE-2022-3134: vim: use after free in do_tag()
* Fixing bsc#1203272 VUL-1: CVE-2022-3153: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.
* Fixing bsc#1203799 VUL-1: CVE-2022-3278: vim: NULL pointer dereference in eval_next_non_blank() in eval.c
* Fixing bsc#1203924 VUL-1: CVE-2022-3352: vim: vim: use after free
* Fixing bsc#1203155 VUL-1: CVE-2022-2980: vim: null pointer dereference in do_mouse()
* Fixing bsc#1202962 VUL-1: CVE-2022-3037: vim: Use After Free in vim prior to 9.0.0321
- ignore-flaky-test-failure.patch: Ignore failure of flaky tests
- disable-unreliable-tests-arch.patch: Removed
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.0313...v9.0.0814
- wget
-
- Update 0001-possibly-truncate-pathname-components.patch
* Truncate file name even if no directory structure
* [bsc#1204720]
- xen
-
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
fully effective (XSA-446)
xsa446.patch
- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
IOMMU quarantine page table levels (XSA-445)
xsa445.patch
- bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A
transaction conflict can crash C Xenstored (XSA-440)
xsa440.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
TLB flushing (XSA-442)
xsa442.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
vulnerabilities in libfsimage disk handling (XSA-443)
xsa443-01.patch
xsa443-02.patch
xsa443-03.patch
xsa443-04.patch
xsa443-05.patch
xsa443-06.patch
xsa443-07.patch
xsa443-08.patch
xsa443-09.patch
xsa443-10.patch
xsa443-11.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
Debug Mask handling (XSA-444)
xsa444-1.patch
xsa444-2.patch
- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
execution leak via division by zero (XSA-439)
xsa439-01.patch
xsa439-02.patch
xsa439-03.patch
xsa439-04.patch
xsa439-05.patch
xsa439-06.patch
xsa439-07.patch
xsa439-08.patch
xsa439-09.patch
- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
reference dropped too early for 64-bit PV guests (XSA-438)
xsa438.patch
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
xsa435-0-09.patch
- Update to Xen 4.13.5 bug fix release (bsc#1027519)
xen-4.13.5-testing-src.tar.bz2
* No upstream changelog found in sources or webpage
- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative
Return Stack Overflow (XSA-434)
xsa434-1.patch
xsa434-2.patch
xsa434-3.patch
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
xsa435-0-01.patch
xsa435-0-02.patch
xsa435-0-03.patch
xsa435-0-04.patch
xsa435-0-05.patch
xsa435-0-06.patch
xsa435-0-07.patch
xsa435-0-08.patch
xsa435-0-09.patch
xsa435-0-10.patch
xsa435-0-11.patch
xsa435-0-12.patch
xsa435-0-13.patch
xsa435-0-14.patch
xsa435-0-15.patch
xsa435-0-16.patch
xsa435-0-17.patch
xsa435-0-18.patch
xsa435-0-19.patch
xsa435-0-20.patch
xsa435-0-21.patch
xsa435-0-22.patch
xsa435-0-23.patch
xsa435-0-24.patch
xsa435-0-25.patch
xsa435-0-26.patch
xsa435-0-27.patch
xsa435-0-28.patch
xsa435-0-29.patch
xsa435-0-30.patch
xsa435-0-31.patch
xsa435-0-32.patch
xsa435-0-33.patch
xsa435-0-34.patch
xsa435-0-35.patch
xsa435-0-36.patch
xsa435-0-37.patch
xsa435-0-38.patch
xsa435-0-39.patch
xsa435-0-40.patch
xsa435-0-41.patch
xsa435-0-42.patch
xsa435-0-43.patch
xsa435-0-44.patch
xsa435-0-45.patch
xsa435-0-46.patch
xsa435-0-47.patch
xsa435-0-48.patch
xsa435-0-49.patch
xsa435-0-50.patch
xsa435-0-51.patch
xsa435-0-52.patch
xsa435-0-53.patch
xsa435-0-54.patch
xsa435-0-55.patch
xsa435-1.patch
xsa435-2.patch
xsa435-3.patch
- Dropped patches contained in new tarball
6138b7a1-x86-spec-ctrl-split-diagnostics-line.patch
6138b7a2-x86-AMD-enum-speculative-hints.patch
6138b7a3-x86-AMD-use-newer-SSBD.patch
6139f1b1-x86-spec-ctrl-print-AMD-features.patch
6148453b-VT-d-hidden-devices-unmap.patch
615c9fd0-VT-d-fix-deassign-of-device-with-RMRR.patch
619b7ac9-harden-assign_pages.patch
619b8cb0-x86-PoD-misaligned-GFNs.patch
619b8cb1-x86-PoD-intermediate-page-orders.patch
619b8cb2-x86-P2M-set-partial-success.patch
xsa393.patch
xsa394.patch
xsa395.patch
xsa398-1.patch
xsa398-2.patch
xsa398-3.patch
xsa398-4.patch
xsa398-5.patch
xsa398-6.patch
xsa397.patch
xsa399.patch
xsa400-00.patch
xsa400-01.patch
xsa400-02.patch
xsa400-03.patch
xsa400-04.patch
xsa400-05.patch
xsa400-06.patch
xsa400-07.patch
xsa400-08.patch
xsa400-09.patch
xsa400-10.patch
xsa400-11.patch
624ebcef-VT-d-dont-needlessly-look-up-DID.patch
624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
xsa401-1.patch
xsa401-2.patch
xsa402-1.patch
xsa402-2.patch
xsa402-3.patch
xsa402-4.patch
xsa402-5.patch
xsa404-1.patch
xsa404-2.patch
xsa404-3.patch
xsa407-0a.patch
xsa407-0b.patch
xsa407-0c.patch
xsa407-0d.patch
xsa407-0e.patch
xsa407-0f.patch
xsa407-0g.patch
xsa407-0h.patch
xsa407-0i.patch
xsa407-1.patch
xsa407-2.patch
xsa407-3.patch
xsa407-4.patch
xsa407-5.patch
xsa407-6.patch
xsa407-7.patch
xsa407-8.patch
xsa408.patch
xsa410-01.patch
xsa410-02.patch
xsa410-03.patch
xsa410-04.patch
xsa410-05.patch
xsa410-06.patch
xsa410-07.patch
xsa410-08.patch
xsa410-09.patch
xsa410-10.patch
xsa411.patch
63569723-x86-shadow-replace-bogus-assertions.patch
xsa414.patch
xsa415.patch
xsa326-01.patch
xsa326-02.patch
xsa326-03.patch
xsa326-04.patch
xsa326-05.patch
xsa326-06.patch
xsa326-07.patch
xsa326-08.patch
xsa326-09.patch
xsa326-10.patch
xsa326-11.patch
xsa326-12.patch
xsa326-13.patch
xsa326-14.patch
xsa326-15.patch
xsa326-16.patch
xsa416.patch
xsa417.patch
xsa418-01.patch
xsa418-02.patch
xsa418-03.patch
xsa418-04.patch
xsa418-05.patch
xsa418-06.patch
xsa419-01.patch
xsa419-02.patch
xsa419-03.patch
xsa421-01.patch
xsa421-02.patch
xsa422-01.patch
xsa422-02.patch
- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch
A bit is an index in bitmap, while bits is the allocated size
of the bitmap.
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
xsa433.patch
- Updated fix for XSA-417 (bsc#1204489)
64ba268b-xenstore-fix-XSA-417.patch
- bsc#1209017 - VUL-0: CVE-2022-42332: xen: x86 shadow plus
log-dirty mode use-after-free (XSA-427)
xsa427.patch
- bsc#1209018 - VUL-0: CVE-2022-42333,CVE-2022-42334: xen: x86/HVM
pinned cache attributes mis-handling (XSA-428)
xsa428-1.patch
xsa428-2.patch
- bsc#1209019 - VUL-0: CVE-2022-42331: xen: x86: speculative
vulnerability in 32bit SYSCALL path (XSA-429)
xsa429.patch
- bsc#1205209 - VUL-0: CVE-2022-23824: xen: x86: Multiple
speculative security issues (XSA-422)
xsa422-01.patch
xsa422-02.patch
- bsc#1193923 - VUL-1: xen: Frontends vulnerable to backends
(XSA-376)
61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch
- bsc#1204482 - VUL-0: CVE-2022-42311, CVE-2022-42312,
CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316,
CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let
xenstored run out of memory (XSA-326)
xsa326-01.patch
xsa326-02.patch
xsa326-03.patch
xsa326-04.patch
xsa326-05.patch
xsa326-06.patch
xsa326-07.patch
xsa326-08.patch
xsa326-09.patch
xsa326-10.patch
xsa326-11.patch
xsa326-12.patch
xsa326-13.patch
xsa326-14.patch
xsa326-15.patch
xsa326-16.patch
- bsc#1204485 - VUL-0: CVE-2022-42309: xen: Xenstore: Guests can
crash xenstored (XSA-414)
xsa414.patch
- bsc#1204487 - VUL-0: CVE-2022-42310: xen: Xenstore: Guests can
create orphaned Xenstore nodes (XSA-415)
xsa415.patch
- bsc#1204488 - VUL-0: CVE-2022-42319: xen: Xenstore: Guests can
cause Xenstore to not free temporary memory (XSA-416)
xsa416.patch
- bsc#1204489 - VUL-0: CVE-2022-42320: xen: Xenstore: Guests can
get access to Xenstore nodes of deleted domains (XSA-417)
xsa417.patch
- bsc#1204490 - VUL-0: CVE-2022-42321: xen: Xenstore: Guests can
crash xenstored via exhausting the stack (XSA-418)
xsa418-01.patch
xsa418-02.patch
xsa418-03.patch
xsa418-04.patch
xsa418-05.patch
xsa418-06.patch
- bsc#1204494 - VUL-0: CVE-2022-42322,CVE-2022-42323: xen:
Xenstore: cooperating guests can create arbitrary numbers of
nodes (XSA-419)
xsa419-01.patch
xsa419-02.patch
xsa419-03.patch
- bsc#1204496 - VUL-0: CVE-2022-42325,CVE-2022-42326: xen:
Xenstore: Guests can create arbitray number of nodes via
transactions (XSA-421)
xsa421-01.patch
xsa421-02.patch
- Upstream bug fix (bsc#1027519)
63569723-x86-shadow-replace-bogus-assertions.patch
- Updated fix for XSA-402 (bsc#1199966)
xsa402-4.patch
- bsc#1203806 - VUL-0: CVE-2022-33746: xen: P2M pool freeing may
take excessively long (XSA-410)
xsa410-01.patch
xsa410-02.patch
xsa410-03.patch
xsa410-04.patch
xsa410-05.patch
xsa410-06.patch
xsa410-07.patch
xsa410-08.patch
xsa410-09.patch
xsa410-10.patch
- bsc#1203807 - VUL-0: CVE-2022-33748: xen: lock order inversion in
transitive grant copy handling (XSA-411)
xsa411.patch
- bsc#1185104 - VUL-0: CVE-2021-28689: xen: x86: Speculative
vulnerabilities with bare (non-shim) 32-bit PV guests (XSA-370)
Part of already released 4.13.4 tarball
- bsc#1167608 - adjust limit for max_event_channels
A previous change allowed an unbound number of event channels
to make sure even large domUs can start of of the box.
This may have a bad side effect in the light of XSA-344.
Adjust the built-in limit based on the number of vcpus.
In case this is not enough, max_event_channels=/maxEventChannels=
has to be used to set the limit as needed for large domUs
adjust libxl.max_event_channels.patch
- xrdb
-
- Downgrade cpp requires to recommends (bsc#1211267)
- xterm
-
- xterm-CVE-2023-40359.patch: Fixed reporting characterset names
in ReGiS graphics mode (bsc#1214282)
- xterm-CVE-2022-45063.patch: Fixed use-after-free in fontops when
a font is not present (bsc#1205305 CVE-2022-45063)
- xterm-CVE-2022-24130.patch: Fixed buffer overflow in set_sixel
when Sixel support is enabled (bsc#1195387)
- yast2-bootloader
-
- prevent leak of grub2 password to logs(bsc#1201962)
- 4.2.29
- yast2-cluster
-
- bsc#1204530, set crypto_hash as "sha1" and set crypto_cipher as "aes256",
- set transport as "udpu" by default,
- set default values for mcastaddr/mcastport/bindnedaddr when cluster firstly configured
- Set focus on "Generate Auth Key File" when secauth is true
- Implement ValidateSecurity method
- Set focus on memberaddr add when using udpu
- Version 4.2.12
- yast2-installation
-
- Fix file copying when using relurl:// and file:// naming schemes
(bsc#1191160).
- 4.2.55
- yast2-online-update
-
- Fix showing of release notes when we update a rubygem
(bsc#1205913)
- 4.2.3
- yast2-registration
-
- Switch to the new SUSEConnect-ng (bsc#1212799)
- Includes a SSL reload fix (bsc#1195220)
- Depends on a new suseconnect-ruby-bindings package instead of
the old rubygem-suseconnect
- 4.2.48
- yast2-sap-ha
-
- Clean up Rakefile
- 1.0.18
- Use ruby base64 to replace uuencode/uudecode
(bsc#1206601)
- 1.0.17
- YaST2 HA Setup for SAP Products - cannot input several instance numbers
(bsc#1202979)
- 1.0.16
- yast2-transfer
-
- Fixed TFTP download, truncate the target file to avoid garbage
at the end of the file when saving to an already existing file
(bsc#1208754)
- 4.1.1
- zypper
-
- Return 104 also if info suggests near matches (fixes #504)
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- Fix typo (fixes #484)
- version 1.14.66
- Fix some typos and spelling errors found by Lintian (fixes #501)
- Prefer unaliased `grep` to avoid unexpected/wrong completions.
(#503)
- commit: Insert a headline to separate output of different rpm
scripts (bsc#1041742)
- Fix typo in changes file.
- version 1.14.65
- Fix name of the bash completion script (bsc#1215007)
In 1.14.63 the location of the bash completion script was changed
to /usr/share/bash-completion/completions/. But the patch failed
to also rename the completion script. The original script name
zypper.sh is not recognized at the new location.
- Update notes about failing signature checks (bsc#1214395)
It might be a transient issue if the server is in the midst of
receiving new data. Retry after a few minutes might work.
- Improve the SIGINT handler to be signal safe (bsc#1214292)
This patch updates the SIGINT handling strategy to be signal
safe. Meaning the signal handler will do not much more than
setting a flag, which we are going to check in the normal program
flow as much as possible.
- version 1.14.64
- Changed location of bash completion script (bsc#1213854).
This changes the location of zypper.sh bash completion script
from /usr/share/bash-completion/completions/.
- version 1.14.63
- man: revised explanation of --force-resolution (bsc#1213557)
Point out that the option not only allows to remove packages but
may also violate any other active policy if there is no other way
to resolve the job.
- Print summary hint if policies were violated due to
- -force-resolution (bsc#1213557)
- BuildRequires: libzypp-devel >= 17.31.16 (for zypp-tui)
- version 1.14.62
- targetos: Add an error note if XPath:/product/register/target
is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
- version 1.14.61
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority (fixes #480)
- version 1.14.60
- BuildRequires: libzypp-devel >= 17.31.7.
- Provide "removeptf" command (bsc#1203249)
A remove command which prefers replacing dependant packages to
removing them as well.
A PTF is typically removed as soon as the fix it provides is
applied to the latest official update of the dependant packages.
But you don't want the dependant packages to be removed together
with the PTF, which is what the remove command would do. The
removeptf command however will aim to replace the dependant
packages by their official update versions.
- patterns: Avoid dispylaing superfluous @System entries
(bsc#1205570)
- version 1.14.59
- Update man page and explain '.no_auto_prune' (bsc#1204956)
- Allow to (re)add a service with the same URL (bsc#1203715)
- Explain outdatedness of repos (fixes #463)
- BuildRequires: libzypp-devel >= 17.31.5
- version 1.14.58