sles-15-sp5-chost-byos-v20230704-x86-64 Package Source Changes

bind

- Update to release 9.16.42
  Security Fixes:
  * The overmem cleaning process has been improved, to prevent the
    cache from significantly exceeding the configured
    max-cache-size limit. (CVE-2023-2828)
  * A query that prioritizes stale data over lookup triggers a
    fetch to refresh the stale data in cache. If the fetch is
    aborted for exceeding the recursion quota, it was possible for
    named to enter an infinite callback loop and crash due to stack
    overflow. This has been fixed. (CVE-2023-2911)
  Bug Fixes:
  * Previously, it was possible for a delegation from cache to be
    returned to the client after the stale-answer-client-timeout
    duration. This has been fixed.
  [bsc#1212544, bsc#1212567, jsc#SLE-24600]

- Update to release 9.16.41
  Bug Fixes:
  * When removing delegations from an opt-out range,
    empty-non-terminal NSEC3 records generated by those delegations
    were not cleaned up. This has been fixed.
  [jsc#SLE-24600]

- Update to release 9.16.40
  Bug Fixes:
  * Logfiles using timestamp-style suffixes were not always
    correctly removed when the number of files exceeded the limit
    set by versions. This has been fixed for configurations which
    do not explicitly specify a directory path as part of the file
    argument in the channel specification.
  * Performance of DNSSEC validation in zones with many DNSKEY
    records has been improved.

- Update to release 9.16.39
  Feature Changes:
  * libuv support for receiving multiple UDP messages in a single
    recvmmsg() system call has been tweaked several times between
    libuv versions 1.35.0 and 1.40.0; the current recommended libuv
    version is 1.40.0 or higher. New rules are now in effect for
    running with a different version of libuv than the one used at
    compilation time. These rules may trigger a fatal error at
    startup:
  - Building against or running with libuv versions 1.35.0 and
    1.36.0 is now a fatal error.
  - Running with libuv version higher than 1.34.2 is now a
    fatal error when named is built against libuv version
    1.34.2 or lower.
  - Running with libuv version higher than 1.39.0 is now a
    fatal error when named is built against libuv version
    1.37.0, 1.38.0, 1.38.1, or 1.39.0.
  * This prevents the use of libuv versions that may trigger an
    assertion failure when receiving multiple UDP messages in a
    single system call.
  Bug Fixes:
  * named could crash with an assertion failure when adding a new
    zone into the configuration file for a name which was already
    configured as a member zone for a catalog zone. This has been
    fixed.
  * When named starts up, it sends a query for the DNSSEC key for
    each configured trust anchor to determine whether the key has
    changed. In some unusual cases, the query might depend on a
    zone for which the server is itself authoritative, and would
    have failed if it were sent before the zone was fully loaded.
    This has now been fixed by delaying the key queries until all
    zones have finished loading.
  [jsc#SLE-24600]

containerd

- Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.6.21> bsc#1211578
- Require a minimum Go version explicitly rather than using golang(API).
  Fixes the change for bsc#1210298.

cpupower

- Add Emerald Ridge Intel CPU model support:
  * jsc#PED-4393
    intel-speed-select tool support for EMR
  A tools-power-turbostat-Introduce-support-for-EMR.patch
  A add_emerald_ridge_intel_family.patch
  * jsc#PED-4395
    Add EMR CPU support to turbostat
  A tools-power-x86-intel-speed-select-Add-Emerald-Rapid-quirk.patch

docker

- Update to Docker 23.0.6-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
  (the uapi headers in SLE-12 are too old).
  + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
  - 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch`

- Update to Docker 23.0.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
  * cli-0001-docs-include-required-tools-in-source-tree.patch

- Update to Docker 23.0.4-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
  - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
  built without internet access in OBS.
  + cli-0001-docs-include-required-tools-in-source-tree.patch

dracut

- Update to version 055+suse.366.g14047665:
  * fix(dracut-install): continue parsing if ldd prints "cannot execute binary file" (bsc#1212662)

hwdata

- update to 0.371:
  * Update pci, usb and vendor ids

- update to 0.370:
  * Update pci, usb and vendor ids

- update to 0.369:
  * Update pci, usb and vendor ids

libcap

- Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create()
  (bsc#1211418 / CVE-2023-2602) CVE-2023-2602.patch
- Fixed integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup()
  (bsc#1211419 / CVE-2023-2603) CVE-2023-2603.patch

gcc12

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
  * includes regression bug fixes
- Add gcc12-testsuite-fixes.patch to pick testsuite related fixes
  from the branch after the release.

- Speed up builds with --enable-link-serialization.

- Update to gcc-12 branch head, 193f7e62815b4089dfaed4c2bd3, git749

- Don't rely on %usrmerged, set it based on standard %suse_version

- Update to gcc-12 branch head, e4b5fec75aa8d0d01f6e042ec28, git696
  * remove gcc12-fifo-jobserver-support.patch which is now
    included upstream

- avoid trailing backslashes at the end of post install scripts

- Update to gcc-12 branch head, 0aaef83351473e8f4eb774f8f99, git537

- Update embedded newlib to version 4.2.0
  * includes newlib-4.1.0-aligned_alloc.patch

- add gcc12-riscv-inline-atomics.patch,
  gcc12-riscv-pthread.patch: handle subword size inline atomics
  (needed by several openSUSE packages)

openssl-1_1

- Security Fix: [bsc#1207534, CVE-2022-4304]
  * Reworked the Fix for the Timing Oracle in RSA Decryption
    The previous fix for this timing side channel turned out to cause
    a severe 2-3x performance regression in the typical use case
    compared to 1.1.1s.
  * Add openssl-CVE-2022-4304.patch
  * Removed patches:
  - openssl-CVE-2022-4304-1of2.patch
  - openssl-CVE-2022-4304-2of2.patch
  * Refreshed patches:
  - openssl-CVE-2023-0464.patch
  - openssl-CVE-2023-0465.patch

- Update further expiring certificates that affect tests [bsc#1201627]
  * Add openssl-Update-further-expiring-certificates.patch

- Security Fix: [CVE-2023-2650, bsc#1211430]
  * Possible DoS translating ASN.1 object identifiers
  * Add openssl-CVE-2023-2650.patch

libzypp

- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.
- version 17.31.14 (22)

runc

- Update to runc v1.1.7. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.

- Update to runc v1.1.6. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.6>.

000release-packages:sle-module-basesystem-release

n/a

000release-packages:sle-module-containers-release

n/a

000release-packages:sle-module-public-cloud-release

n/a

000release-packages:sle-module-server-applications-release

n/a

000release-packages:SLES-release

n/a

suseconnect-ng

- Update to version 1.1.0~git2.f42b4b2a060e:
  * Keep keepalive timer states when replacing SUSEConnect (bsc#1211588)

wicked

- extensions/nbft: add post-up script (bsc#1211647)
  In multipath scenarios, not all NBFT interfaces and respective
  connections may have been brought up during initramfs processing.
  If wicked brings up some NBFT interfaces after switching to the
  root file system, run a post-up script to initiate the NVMe
  connections.
  [+ 0002-extensions-nbft-add-post-up-script.bsc-1211647.patch]

- bond: workaround 6.1 kernel enslave regression (boo#1206674)
  The kernel bond enslave rtnetlink message processing changed
  breaking an `ip link set down master bond0 dev eth0` like
  enslave which worked with all kernels from 4.12 up to 6.0.
  [+ 0001-bond-workaround-6.1-enslave-regression-boo-1206674.patch]

zypper

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
- version 1.14.61