- curl
-
- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
* Add curl-libssh_Implement_SFTP_packet_size_limit.patch
- docker
-
- Update to Docker 24.0.7-ce. See upstream changelong online at
<https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
* Deny containers access to /sys/devices/virtual/powercap by default.
- CVE-2020-8694 bsc#1170415
- CVE-2020-8695 bsc#1170446
- CVE-2020-12912 bsc#1178760
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
version-specific templating for the default apparmor profile. bsc#1213500
+ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Update to Docker 24.0.6-ce. See upstream changelong online at
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
disabled to ensure that Docker will always run even if you start the socket
individually. Users should probably just ignore this unit file. bsc#1210141
- google-guest-agent
-
- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
* Add prefix to scheduler logs (#325)
- from version 20231030.00
* Test configuration files are loaded in the documented
order. Fix initial integration test. (#324)
* Enable mTLS by default (#323)
- from version 20231026.00
* Rotate MDS root certificate (#322)
- from version 20231020.00
* Update response struct, add tests (#315)
* Don't try to schedule mTLS job twice (#317)
- from version 20231019.00
* snapshot: Add context cancellation handling (#318)
- Bump the golang compiler version to 1.21 (bsc#1216546)
- Update to version 20231016.00
* instance setup: trust/rely on metadata package's retry (#316)
- from version 20231013.01
* Update known cert dirs for updaters (#314)
- from version 20231011.00
* Verify cert refresher is enabled before running (#312)
- from version 20231009.00
* Add support for the SSH key options (#296)
- from version 20231006.01
* Events interface improvement (#290)
- from version 20231006.00
* Refactor script runner to use common metadata package (#311)
* Schedule MTLS job before notifying systemd (#310)
* Refactor authorized keys to use metadata package (#300)
- from version 20231005.00
* docs update: add configuration and event manager's docs. (#309)
- from version 20231004.01
* Fix license header (#301)
* packaging(deb): add epoch to oslogin dep declaration (#308)
- from version 20231004.00
* packaging(deb): ignore suffix of version (#306)
* packaging: force epoch and ignore suffix of version (#305)
- from version 20231003.01
* oslogin: declare explicitly dependency (#304)
* oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
- from version 20231003.00
* oslogin: resort ssh configuration keys (#299)
- from version 20230925.00
* oslogin: introduce a feature flag to cert auth (#298)
- from version 20230923.00
* gitignore: unify ignore in the root dir (#297)
- from version 20230921.01
* managers: we accidentally disabled addressMgr, bring it back (#295)
* cfg: fix typos (#294)
* cfg: config typos (#293)
* cfg: introduce a configuration management package (#288)
- from version 20230921.00
* mtls: bring it back (#292)
- from version 20230920.01
* Fix permissions on file created by SaferWriteFile() (#291)
- from version 20230920.00
* sshca: re-enable the event watcher & handler (#289)
- from version 20230919.01
* oslogin: add PAMless Authorization Stack configuration (#285)
- from version 20230919.00
* Preparing it for review (#287)
* sshca: make sure to restore SELinux context of the pipe (#286)
* remove deprecated usage, fix warnings (#282)
* Update system store (#278)
* Update workload certificate endpoints, use metadata package (#275)
* metadata: use url package to form metadata URLs (#284)
- from version 20230913.00
* release prep: disable ssh trusted ca module (#281)
- from version 20230912.00
* New Guest Agent Release (#280)
- from version 20230909.00
* Revert "service: remove the use of the service library (#273)" (#276)
* service: remove the use of the service library (#273)
- from version 20230906.01
* Store keys to machine keyset (#272)
- from version 20230905.00
* restorecon: first try to determine if it's installed (#271)
* run: change all commands to use CommandContext (#268)
* Notify systemd after scheduling required jobs (#270)
* Store certs in ProgramData instead of Program Files (#269)
* metadata watcher: remove local retry & implement unit tests (#267)
* run: split command running utilities into its own package (#265)
- Update to version 20230828.00
* snapshot: Use main context rather than create its own (#266)
- from version 20230825.01
* Verify if cert was successfully added to certpool (#264)
- from version 20230825.00
* Find previous cert for cleanup using one stored on disk (#263)
- from version 20230823.00
* Revert "sshtrustedca: configure selinux context
for sshtrustedca pipe (#256)" (#262)
* Update credentials directory on Linux (#260)
- from version 20230821.00
* Update owners (#261)
- from version 20230819.00
* Revert "guest-agent: prepare for public release (#258)" (#259)
- from version 20230817.00
* guest-agent: prepare for public release (#258)
- from version 20230816.01
* Enable telemetry collection by default (#253)
- from version 20230816.00
* Add pkcs12 license and update retry logic (#257)
* sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
* Store windows certs in certstore (#255)
* events: Multiplex event watchers (#250)
* Scheduler fixes (#254)
* Update license files (#251)
* Run telemetry every 24 hours, record pretty name on linux (#248)
- Update to version 20230811.00
* sshca: move the event handler to its own package (#247)
- from version 20230809.02
* Move scheduler package to google_guest_agent (#249)
- from version 20230809.01
* Add scheduler utility to run jobs at interval (#244)
- from version 20230809.00
* sshca: transform the format from json to openssh (#246)
- from version 20230803.00
* Add support for reading UEFI variables on windows (#243)
- from version 20230801.03
* sshtrustedca watcher: fix concurrency error (#242)
- from version 20230801.02
* metadata: add a delta between http client timeout and hang (#241)
- from version 20230801.00
* metadata: properly set request config (#240)
* main: bring back the mds client initialization (#239)
* metadata: don't try to use metadata before agentInit() is done (#238)
* Add (disabled) telemetry logic to GuestAgent (#219)
* metadata event handler: updates and bug fixes (#235)
* Verify client credentials are signed by root CA before writing on disk (#236)
* metadata: properly handle context cancelation (#234)
* metadata: fix context cancelation error check (#233)
* metadata: remove the sleep around metadata in instance setup (#232)
* metadata: implement backoff strategy (#231)
* Decrypt and store client credentials on disk (#230)
* Upgrade Go version 1.20 (#228)
* Fetch guest credentials and add MDS response proto (#226)
* metadata: pass main context to WriteGuestAttributes() (#227)
* Support for reading & writing Root CA cert from UEFI variable (#225)
* ssh_trusted_ca: enable the feature (#224)
* sshTrustedCA: add pipe event handler (#222)
* events: start using events layer (#223)
- from version 20230726.00
* events: introducing a events handling subsystem (#221)
- from version 20230725.00
* metadata: add metadata client interface (#220)
- from version 20230711.00
* metadata: moving to its own package (#218)
- from version 20230707.00
* snapshot: fix request handling error (#217)
- Bump Go API version to 1.20
- google-guest-oslogin
-
- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
* Fix HTTP calls retry logic (#117)
- Update to version 20231004
* packaging: Make the dependency explicit (#120)
- update to 20230926.00:
* fix suse build
* selinux: fix selinux build (#114)
* test: align CXX Flags
* sshca: Make the implementation more C++ like
* sshca: Add a SysLog wrapper
* oslogin_utils: introduce AuthorizeUser() API
* sshca: move it out of pam dir
* pam: start disabling the use of oslogin_sshca
* sshca: consider sshca API to assume a cert only
* authorized principals: introduce the new command
* authorize keys: update to use new APIs
* pam modules: remove pam_*_admin and update pam_*_login
* cache_refresh: should be catching by reference.
- Update to version 20230823.00
* selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
- from version 20230822.00
* sshca: Add tests with fingerprint and multiple extensions (#111)
- from version 20230821.01
* sshca: Support method token and handle multi line (#109)
- from version 20230821.00
* Update owners (#110)
- Update to version 20230808.00
* byoid: extract and apply the ca fingerprint to policy call (#106)
- Update to version 20230502.00
* Improve the URL in 2fa prompt (#104)
- from version 20230406.02
* Check open files (#101)
- from version 20230406.01
* Initialize variables (#100)
* Fix formatting (#102)
- from version 20230406.00
* PAM cleanup: remove duplicates (#97)
- from version 20230405.00
* NSS cleanup (#98)
- from version 20230403.01
* Cleanup Makefiles (#95)
- from version 20230403.00
* Add anandadalton to the owners list (#96)
- Update to version 20230217.00
* Update OWNERS (#91)
- from version 20230202.00
* Update owners file (#89)
- avahi
-
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
- libxcrypt
-
- fix variable name for datamember in 'struct crypt_data' [bsc#1215496]
- added patches
fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
+ libxcrypt-man-fix-variable-name.patch
- gnutls
-
- Security fix: [bsc#1217277, CVE-2023-5981]
* Fix timing side-channel inside RSA-PSK key exchange.
* auth/rsa_psk: side-step potential side-channel
* Add curl-CVE-2023-5981.patch
- ncurses
-
- Add patch bsc1218014-cve-2023-50495.patch
* Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
- Add patch boo1201384.patch
* Do not fully reset serial lines
- procps
-
- Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244
and jira#PED-6369
- The patches now upstream had been dropped meanwhile
* procps-vmstat-1b9ea611.patch (bsc#1185417)
- For support up to 2048 CPU as well
* bsc1209122-a6c0795d.patch (bnc#1209122)
- allow `-ยด as leading character to ignore possible errors
on systctl entries
* patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753)
- was a backport of an upstream fix to get the first CPU
summary correct
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
the pwait tool and its manual page will be build
- Modify patches
* procps-ng-3.3.9-w-notruncate.diff
* procps-ng-3.3.17-logind.patch
to real to not truncate output of w with option -n
- procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer
logind over utmp (jsc#PED-3144)
- libsolv
-
- add zstd support for the installcheck tool
- add putinowndirpool cache to make file list handling in
repo_write much faster
- bump version to 0.7.27
- fix evr roundtrip in testcases
- do not use deprecated headerUnload with newer rpm versions
- bump version to 0.7.26
- support complex deps in SOLVABLE_PREREQ_IGNOREINST
- fix minimization not prefering installed packages in some cases
- reduce memory usage in repo_updateinfoxml
- fix lock-step interfering with architecture selection
- fix choice rule handing for package downgrades
- fix complex dependencies with an "else" part sometimes leading
to unsolved dependencies
- bump version to 0.7.25
- libzypp
-
- CheckAccessDeleted: fix 'running in container' filter
(bsc#1218291)
- version 17.31.27 (22)
- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
Convenient and helps documentation as it may refer to a single
command for a bunch of distributions. Like e.g. "zypper ar
'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)
- Fix build issue with zchunk build flags (fixes #500)
- version 17.31.25 (22)
- Open rpmdb just once during execution of %posttrans scripts
(bsc#1216412)
- Avoid using select() since it does not support fd numbers >
1024 (fixes #447)
- tools/DownloadFiles: use standard zypp progress bar (fixes #489)
- Revert "Color download progress bar" (fixes #475)
Cyan is already used for the output of RPM scriptlets. Avoid this
colorific collision between download progress bar and scriptlet
output.
- Fix ProgressBar's calculation of the printed tag position (fixes #494)
- Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144)
- Fix usage of deprecated CURL features (fixes #486)
- version 17.31.24 (22)
- Stop using boost version 1 timer library (fixes #489,
bsc#1215294)
- version 17.31.23 (22)
- openssh
-
- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
This mitigates a prefix truncation attack that could be used to
undermine channel security.
- Enhanced SELinux functionality. Added
* openssh-7.8p1-role-mls.patch
Proper handling of MLS systems and basis for other SELinux
improvements
* openssh-6.6p1-privsep-selinux.patch
Properly set contexts during privilege separation
* openssh-6.6p1-keycat.patch
Add ssh-keycat command to allow retrival of authorized_keys
on MLS setups with polyinstantiation
* openssh-6.6.1p1-selinux-contexts.patch
Additional changes to set the proper context during privilege
separation
* openssh-7.6p1-cleanup-selinux.patch
Various changes and putting the pieces together
For now we don't ship the ssh-keycat command, but we need the patch
for the other SELinux infrastructure
This change fixes issues like bsc#1214788, where the ssh daemon
needs to act on behalf of a user and needs a proper context for this
- python-instance-billing-flavor-check
-
- Version 0.0.4
Run the command as sudo only (bsc#1217696, bsc#1217695)
- Version 0.0.3
Handle exception for Python 3.4
- python3-cryptography
-
- Add CVE-2023-49083.patch to fix A null-pointer-dereference and
segfault could occur when loading certificates from a PKCS#7 bundle.
bsc#1217592
- rsyslog
-
- restart daemon after modules packages have been updated
(bsc#1217292)
- samba
-
- Add new idmap_nss option 'use_upn' for those NSS modules able to
handle UPNs or DOMAIN/user name format; (bsc#1215369);
- Avoid unnecessary locking in idmap parent setup; (bsc#1215369);
- Add "net offlinejoin composeodj" command; (bsc#1214076);
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-containers-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- 000release-packages:SLES-release
-
n/a
- tar
-
- Fix CVE-2023-39804, Incorrectly handled extension attributes in
PAX archives can lead to a crash, bsc#1217969
* fix-CVE-2023-39804.patch
- xen
-
- Update to Xen 4.17.3 bug fix release (bsc#1027519)
xen-4.17.3-testing-src.tar.bz2
* No upstream changelog found in sources or webpage
- Dropped patches contained in new tarball
64763137-x86-AutoIBRS-definitions.patch
64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
64f71f50-Arm-handle-cache-flush-at-top.patch
65084ba5-x86-AMD-dont-expose-TscFreqSel.patch
65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
65087004-x86-entry-restore_all_xen-stack_end.patch
65087005-x86-entry-track-IST-ness-of-entry.patch
65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
65087007-x86-AMD-Zen-1-2-predicates.patch
65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
650abbfe-x86-shadow-defer-PV-top-level-release.patch
65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
65263471-libfsimage-xfs-remove-dead-code.patch
65263472-libfsimage-xfs-amend-mask32lo.patch
65263473-libfsimage-xfs-sanity-check-superblock.patch
65263474-libfsimage-xfs-compile-time-check.patch
65263475-pygrub-remove-unnecessary-hypercall.patch
65263476-pygrub-small-refactors.patch
65263477-pygrub-open-output-files-earlier.patch
65263478-libfsimage-function-to-preload-plugins.patch
65263479-pygrub-deprivilege.patch
6526347a-libxl-allow-bootloader-restricted-mode.patch
6526347b-libxl-limit-bootloader-when-restricted.patch
6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
6526347d-x86-PV-auditing-of-guest-breakpoints.patch
652fef4f-x86-AMD-erratum-1485.patch
65319724-VT-d-SAGAW-parsing.patch
6532858d-x86-DOITM.patch
654370e2-x86-x2APIC-remove-ACPI_FADT_APIC_CLUSTER-use.patch
65437103-x86-i8259-dont-assume-IRQs-always-target-CPU0.patch
65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
655b2ba9-fix-sched_move_domain.patch
xsa440.patch
- Upstream bug fixes (bsc#1027519)
64763137-x86-AutoIBRS-definitions.patch
652fef4f-x86-AMD-erratum-1485.patch
65319724-VT-d-SAGAW-parsing.patch
6532858d-x86-DOITM.patch
654370e2-x86-x2APIC-remove-ACPI_FADT_APIC_CLUSTER-use.patch
65437103-x86-i8259-dont-assume-IRQs-always-target-CPU0.patch
655b2ba9-fix-sched_move_domain.patch
- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
IOMMU quarantine page table levels (XSA-445)
65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
fully effective (XSA-446)
65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
- Patches replaced by newer upstream versions
xsa445.patch
xsa446.patch
- zypper
-
- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
The switch makes search commands return 0 rather than 104 for
empty search results.
- version 1.14.68
- patch: Make sure reboot-needed is remembered until next boot
(bsc#1217873)
- version 1.14.67