- aaa_base
-
- Drop patches (bsc#1199926 and bsc#1199927)
git-34-9a1bc15517d6da56d75182338c0f1bc4518b2b75.patch
git-35-91f496b1f65af29832192bad949685a7bc25da0a.patch
git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
ping broke in sle15 and sle15sp1 when adding
the sysctl setting for ping_group_range
- Add patch git-46-78b2a0b29381c16bec6b2a8fc7eabaa9925782d7.patch
* The wrapper rootsh is not a restricted shell (bsc#1199492)
- bind
-
- Security Fixes:
* Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused
to severely impact the performance of named running as a recursive
resolver. This has been fixed.
[bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
* A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm.
[bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
* Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm.
[bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
- ca-certificates-mozilla
-
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
Added:
- Certainly Root E1
- Certainly Root R1
- DigiCert SMIME ECC P384 Root G5
- DigiCert SMIME RSA4096 Root G5
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
Removed:
- Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
Added:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- GlobalSign ECC Root CA R4
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- HiPKI Root CA - G1
- ISRG Root X2
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
Removed:
- Cybertrust Global Root
- DST Root CA X3
- DigiNotar PKIoverheid CA Organisatie - G2
- GlobalSign ECC Root CA R4
- GlobalSign Root CA R2
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
+ HARICA Client ECC Root CA 2021
+ HARICA Client RSA Root CA 2021
+ HARICA TLS ECC Root CA 2021
+ HARICA TLS RSA Root CA 2021
+ TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
- NAVER Global Root Certification Authority
- Removed old root CA:
- GeoTrust Global CA
- GeoTrust Primary Certification Authority
- GeoTrust Primary Certification Authority - G3
- GeoTrust Universal CA
- GeoTrust Universal CA 2
- thawte Primary Root CA
- thawte Primary Root CA - G2
- thawte Primary Root CA - G3
- VeriSign Class 3 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G5
- cifs-utils
-
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
(bsc#1198976, CVE-2022-29869)
* add cifs-utils-CVE-2022-29869.patch
- cloud-regionsrv-client
-
- Follow up fix to 10.0.4 (bsc#1202706)
- While the source code was updated to support SLE Micro the spec file
was not updated for the new locations of the cache and the certs.
Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
- Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
- Store the update server certs in the /etc path instead of /usr to
accomodate read only setup of SLE-Micro
- cups
-
- cups-branch-2.2-commit-3e4dd41459dabc5d18edbe06eb5b81291885204b.diff
is 'git show 3e4dd41459dabc5d18edbe06eb5b81291885204b' for
https://github.com/apple/cups/commit/3e4dd41459dabc5d18edbe06eb5b81291885204b
(except the not needed hunk for patching CHANGES.md which fails)
that fixes handling of MaxJobTime 0 (Issue #5438) in the CUPS 2.2 branch
bsc#1201511:
Stuck print jobs being cancelled immediately, despite MaxJobTime being set to 0
- curl
-
- Security Fix: [bsc#1204383, CVE-2022-32221]
* POST following PUT confusion
* Add curl-CVE-2022-32221.patch
- Security fix: [bsc#1202593, CVE-2022-35252]
* Control codes in cookie denial of service
* Add curl-CVE-2022-35252.patch
- Security fix: [bsc#1200735, CVE-2022-32206]
* HTTP compression denial of service
* Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
* FTP-KRB bad message verification
* Add curl-CVE-2022-32208.patch
- Securiy fix: [bsc#1199224, CVE-2022-27782]
* TLS and SSH connection too eager reuse
* Add curl-CVE-2022-27782.patch
- Securiy fix: [bsc#1199223, CVE-2022-27781]
* CERTINFO never-ending busy-loop
* Add curl-CVE-2022-27781.patch
- cyrus-sasl
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- cyrus-sasl-saslauthd
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- dbus-1
-
- Fix a potential crash that could be triggered by an invalid signature.
(CVE-2022-42010, bsc#1204111)
* fix-upstream-CVE-2022-42010.patch
- Fix an out of bounds read caused by a fixed length array (CVE-2022-42011,
bsc#1204112)
* fix-upstream-CVE-2022-42011.patch
- A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption CVE-2022-42012,
bsc#1204113)
* fix-upstream-CVE-2022-42012.patch
- Disable asserts (bsc#1087072)
- Refreshed patches
* fix-upstream-CVE-2020-35512.patch
- docker
-
- Backport <https://github.com/containerd/fifo/pull/32> to fix a crash-on-start
issue with dockerd. bsc#1200022
+ 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- expat
-
- Security fix:
* (CVE-2022-43680, bsc#1204708) use-after free caused by overeager
destruction of a shared DTD in XML_ExternalEntityParserCreate in
out-of-memory situations
- Added patch expat-CVE-2022-43680.patch
- Security fix:
* (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
function in xmlparse.c
- Added patch expat-CVE-2022-40674.patch
- freetype2
-
- disable brotli linkage / WOFF2 support for now to keep dependencies
as before.
- Added patches:
* CVE-2022-27404.patch
+ fixes bsc#1198830, CVE-2022-27404: Buffer Overflow
* CVE-2022-27405.patch
+ fixes bsc#1198832, CVE-2022-27405: Segmentation Fault
* CVE-2022-27406.patch
+ fixes bsc#1198823, CVE-2022-27406: Segmentation violation
- Update to version 2.10.4
* Fix a heap buffer overflow has been found in the handling of
embedded PNG bitmaps, introduced in FreeType version 2.6
(CVE-2020-15999 bsc#1177914)
* Minor improvements to the B/W rasterizer.
* Auto-hinter support for Medefaidrin script.
* Fix various memory leaks (mainly for CFF) and other issues that
might cause crashes in rare circumstances.
- Update to version 2.10.2
* Support for WOFF2 fonts, add BR on pkgconfig(libbrotlidec)
* Function `FT_Get_Var_Axis_Flags' returned random data for Type 1
MM fonts.
* Type 1 fonts with non-integer metrics are now supported by the new
(CFF) engine introduced in FreeType 2.9.
* Drop support for Python 2 in Freetype's API reference generator
* Auto-hinter support for Hanifi Rohingya
* Document the `FT2_KEEP_ALIVE' debugging environment variable.
- gnutls
-
- Security fix: [bsc#1202020, CVE-2022-2509]
* Fixed double free during verification of pkcs7 signatures
* Add gnutls-CVE-2022-2509.patch
- Security fix: [bsc#1196167, CVE-2021-4209]
* Null pointer dereference in MD_UPDATE
* Add gnutls-CVE-2021-4209.patch
- gpg2
-
- Security fix [CVE-2022-34903, bsc#1201225]
- Vulnerable to status injection
- Added patch gnupg-CVE-2022-34903.patch
- icu
-
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
from upstream, use LocalMemory for cmd to prevent use after free
(bsc#1193951 CVE-2020-21913).
- iputils
-
- Add fix for ICMP datagram socket ping6-Fix-device-binding.patch
(bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927).
- kernel-default
-
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
(CVE-2022-41848 bsc#1203987).
- commit 4b5f9dc
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit ff59700
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 7299efc
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
bsc#1203769).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit accf4df
- media: dvb-core: Fix UAF due to refcount races at releasing
(CVE-2022-41218 bsc#1202960).
- commit 231362a
- media: em28xx: initialize refcount before kref_get
(CVE-2022-3239 bsc#1203552).
- commit 477c587
- x86/bugs: Reenable retbleed=off
While for older kernels the return thunks are statically built in and
cannot be dynamically patched out, retbleed=off should still be possible
to do so that the mitigation can still be disabled on Intel who don't
use the return thunks but IBRS.
- Update
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch
(bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- Update patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch
(bsc#1199657 CVE-2022-29900 CVE-2022-29901 bsc#1203271).
- commit 86274ff
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
bsc#1202677).
- commit b644c0f
- Update references:
- patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
- patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
- patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
- patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
- patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
- patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
- patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
- patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
(add CVE-2022-32296 bsc#1200288)
- commit 579fd9c
- mmc: block: fix read single on recovery logic (CVE-2022-20008
bsc#1199564).
- commit 33bc9c9
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
(CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
(CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
bsc#1202097).
- commit 7253cd6
- objtool: Track original function across branches (bsc#1202396).
- Refresh
patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit 605a5ad
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit 12eddc4
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit effa706
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 95cdf2a
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
(git-fixes, bsc#1203098).
kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
(git-fixes, bsc#1203098).
- commit d3fffdb
- Update
patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 295ff2a
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit d671632
- objtool: Add support for intra-function calls (bsc#1202396).
- commit af5ea4a
- objtool: Remove INSN_STACK (bsc#1202396).
- commit 33aa32e
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 6582ceb
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 613c1d4
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 1510f8a
- objtool: Uniquely identify alternative instruction groups
(bsc#1202396).
- commit 55eebf6
- objtool: Remove check preventing branches within alternative
(bsc#1202396).
- commit b9fa125
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit f547c3d
- objtool: Rename struct cfi_state (bsc#1202396).
- commit 5f74a63
- objtool: Support multiple stack_op per instruction
(bsc#1202396).
- commit 9cac986
- objtool: Support conditional retpolines (bsc#1202396).
- commit 2278221
- objtool: Convert insn type to enum (bsc#1202396).
- commit dd14429
- objtool: Rename elf_open() to prevent conflict with libelf
from elftoolchain (bsc#1202396).
- commit 5ae25e4
- objtool: Use Elf_Scn typedef instead of assuming struct name
(bsc#1202396).
- commit c52e4de
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
"/find -xtype l"/ will report them, so use that to make the search a bit
faster (without using shell).
- commit 13bbc51
- mkspec: eliminate @NOSOURCE@ macro
This should be alsways used with @SOURCES@, just include the content
there.
- commit 403d89f
- kernel-source: include the kernel signature file
We assume that the upstream tarball is used for released kernels.
Then we can also include the signature file and keyring in the
kernel-source src.rpm.
Because of mkspec code limitation exclude the signature and keyring from
binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
Same as other kernel binary packages there is no need to carry duplicate
sources in dtb packages.
- commit 1bd288c
- objtool: Fix sibling call detection (bsc#1202396).
- commit cd4d674
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 69eca79
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- cifs: fix error paths in cifs_tree_connect() (bsc#1177440).
- commit 4e1c426
- cifs: report error instead of invalid when revalidating a
dentry fails (bsc#1177440).
- commit d980344
- Backport causes crashes on all arches so revert the patch until
I find the root cause
- commit 83c44b2
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- fuse: handle kABI change in struct sock (bsc#1194535
CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1194535 CVE-2021-4203).
- commit cfbed38
- cifs: fix uninitialized pointer in error case in
dfs_cache_get_tgt_share (bsc#1188944).
- commit a2cd44e
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- commit 080c5db
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- commit 8e65d52
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
(CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
ZDI-CAN-17325).
- commit 30cd9be
- ext4: make sure ext4_append() always allocates new block
(bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
(bsc#1198577 CVE-2022-1184).
- commit be40637
- kabi: return type change of secure_ipv_port_ephemeral()
(CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: drop the hash_32() part from the index calculation
(CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: increase source port perturb table to 2^16 (CVE-2022-1012
bsc#1199482 bsc#1202335).
- tcp: dynamically allocate the perturb table used by source ports
(CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: add small random increments to the source port
(CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: resalt the secret every 10 seconds (CVE-2022-1012
bsc#1199482 bsc#1202335).
- tcp: use different parts of the port_offset for index and offset
(CVE-2022-1012 bsc#1199482 bsc#1202335).
- secure_seq: use the 64 bits of the siphash for port offset
calculation (CVE-2022-1012 bsc#1199482 bsc#1202335).
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153
bsc#1202335).
- tcp: change source port randomizarion at connect() time
(bsc#1180153 bsc#1202335).
- commit aef5879
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
The type test and print line are the same for both cases. The usrmerged
case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
(CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- md/bitmap: don't set sb values if can't pass sanity check
(bsc#1197158).
- commit 23dc403
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
CVE-2022-26373).
- commit f0dc9a3
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
CVE-2022-26373).
- commit fdf6cad
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
CVE-2022-26373).
- commit 730dc3a
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
(bsc#1201726 CVE-2022-26373).
- commit 0637fb7
- net/sched: cls_u32: fix netns refcount changes in u32_change()
(CVE-2022-29581 bsc#1199665).
- commit ad4e35c
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
(CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
bsc#1196616).
- commit df5e606
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- cifs: fix memory leak of smb3_fs_context_dup::server_hostname
(bsc#1201926).
- commit 3d2ce6d
- cifs: To match file servers, make sure the server hostname
matches (bsc#1201926).
- commit 6a5bd2a
- KVM: emulate: do not adjust size of fastop and setcc subroutines
(bsc#1201930).
- commit 34cfe0a
- kvm/emulate: Fix SETcc emulation function offsets with SLS
(bsc#1201930).
- Refresh
patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- commit 73546bb
- netfilter: nf_queue: do not allow packet truncation below
transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- cifs: set a minimum of 120s for next dns resolution
(bsc#1201926).
- commit 726509e
- cifs: use the expiry output of dns_query to schedule next
resolution (bsc#1201926).
- commit 5137045
- cifs: On cifs_reconnect, resolve the hostname again
(bsc#1201926).
- commit 8b80115
- cifs: Simplify reconnect code when dfs upcall is enabled
(bsc#1201926).
- commit a15e604
- Refresh
patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit 5cd8e8f
- Remove homegrown IBRS implementation
... and replace with the upstream one.
- Refresh
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Delete
patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Delete
patches.suse/0003-x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
- Delete
patches.suse/0004-x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 4b0356c
- kABI workaround for including mm.h in fs/sysfs/file.c
(bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
(bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
* ...) functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
(bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- commit af9c97a
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit c154137
- Sort in RETbleed backport into the sorted section
Now that it is upstream...
- blacklist.conf:
- Refresh
patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh
patches.suse/0002-x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Refresh
patches.suse/0005-x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
patches.suse/documentation-hw-vuln-update-spectre-doc.patch.
- Refresh
patches.suse/edac-amd64-cache-secondary-chip-select-registers.patch.
- Refresh
patches.suse/edac-amd64-find-chip-select-memory-size-using-address-mask.patch.
- Refresh
patches.suse/edac-amd64-initialize-dimm-info-for-systems-with-more-than-two-channels.patch.
- Refresh
patches.suse/edac-amd64-recognize-dram-device-type-ecc-capability.patch.
- Refresh
patches.suse/edac-amd64-support-asymmetric-dual-rank-dimms.patch.
- Refresh
patches.suse/edac-amd64-support-more-than-two-controllers-for-chip-selects-handling.patch.
- Refresh
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh
patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
patches.suse/x86-speculation-add-eibrs-retpoline-options.patch.
- Refresh
patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- Refresh
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
patches.suse/x86-speculation-use-generic-retpoline-by-default-on-amd.patch.
- Refresh
patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- commit bc36bfa
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
(bsc#1201429 CVE-2020-36557).
- commit f15e18d
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
Fix the build error due to missing is_console_locked()
- commit 39e2064
- fbmem: Check virtual screen sizes in fb_set_var()
(CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
(CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
(CVE-2021-33655 bsc#1201635).
- commit c1a0922
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
Dwarves 1.22 or newer is required to build kernels with BTF information
embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
(bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- Refresh
patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
Fix a build warning.
- commit 837f0e2
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
universally for now) added two new compiler-dependent configs:
* CC_NO_ARRAY_BOUNDS
* GCC12_NO_ARRAY_BOUNDS
Ignore them -- they are unset by dummy tools (they depend on gcc version
== 12), but set as needed during real compilation.
- commit a14607c
- kernel-binary.spec: check s390x vmlinux location
As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
directly into arch/s390/boot. As the specfile is shared among branches,
check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- kernel-binary.spec: Support radio selection for debuginfo.
To disable debuginfo on 5.18 kernel a radio selection needs to be
switched to a different selection. This requires disabling the currently
active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- Add dtb-starfive
- commit 85335b1
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- pahole 1.22 required for full BTF features.
also recommend pahole for kernel-source to make the kernel buildable
with standard config
- commit 364f54b
- use jobs not processors in the constraints
jobs is the number of vcpus available to the build, while processors
is the total processor count of the machine the VM is running on.
- commit a6e141d
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
bsc#1198484)
Let's iron out the reduced initrd optimisation in Tumbleweed.
Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
Upstream c6x architecture removal left a dangling link behind which
triggers openSUSE post-build check in kernel-source, failing
kernel-source build.
A fix deleting the danglink link has been submitted but it did not make
it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
utility does not handle symlink removal. Add a temporary band-aid which
deletes all dangling symlinks after unpacking the kernel source tarball.
[jslaby] It's not that temporary as we are dragging this for quite some
time in master. The reason is that this can happen any time again, so
let's have this in packaging instead.
- commit 52a1ad7
- libassuan
-
- update to 2.5.5:
* Fix a crash in the logging code
* Upgrade autoconf
- update to 2.5.4:
* Fix some minor build annoyances
- Update to 2.5.3:
* Add a timeout for writing to a SOCKS5 proxy.
* Add workaround for a problem with LD_LIBRARY_PATH on newer systems.
- qemu-disable-fdpassing-test.patch: remove
-Update to 2.5.2:
* configure.ac: Bump LT version to C8/A8/R2
* include libassuan.pc in the spec file
- libcroco
-
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
any productions (boo#1171685 CVE-2020-12825).
- libksba
-
- Security fix: [bsc#1204357, CVE-2022-3515]
* Detect a possible overflow directly in the TLV parser.
* Add libksba-CVE-2022-3515.patch
- libtasn1
-
- Add libtasn1-CVE-2021-46848.patch: Fixed off-by-one array size check
that affects asn1_encode_simple_der (CVE-2021-46848, bsc#1204690).
- libtirpc
-
- fix CVE-2021-46828: libtirpc: DoS vulnerability with lots of
connections (bsc#1201680)
- backport 0001-Fix-DoS-vulnerability-in-libtirpc.patch
- exclude ipv6 addresses in client protocol 2 code (bsc#1200800)
- update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- fix memory leak in params.r_addr assignement (bsc#1198752)
- add 0001-fix-parms.r_addr-memory-leak.patch
- libxml2
-
- Security fixes:
* [CVE-2022-40303, bsc#1204366] Fix integer overflows with
XML_PARSE_HUGE
+ Added patch libxml2-CVE-2022-40303.patch
* [CVE-2022-40304, bsc#1204367] Fix dict corruption caused by
entity reference cycles
+ Added patch libxml2-CVE-2022-40304.patch
- Security fix: [bsc#1201978, CVE-2016-3709]
* Cross-site scripting vulnerability after commit 960f0e2
* Add libxml2-CVE-2016-3709.patch
- libzypp
-
- Resolver: Fix missing --[no]-recommends initialization in
update (fixes #openSUSE/zypper#459, bsc#1201972)
- Log ONLY_NAMESPACE_RECOMMENDED because this is what corresponds
to --[no]-recommends.
- version 17.31.2 (22)
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
(fixes #402)
- Log backtrace on SIGABRT too.
- Need to explicitly enable building experimental code. Otherwise
an old Notcurses++ package which happens to be present in the
buildenv breaks the build (fixes #412).
- Work around libyui/libyui#78 on code 15.4 and older.
- Stop using std::*ary_function; deprecated and removed in c++17.
- Don't expose header files which use types not available in
c++11. In 15.3 and older, YAST and PK compile with -std=c++11.
- Remove no longer needed %post code (bsc#1203649)
- Enable zck support for SLE15-SP4 and newer. On Leap it is enabled
since 15.1 (bsc#1189282)
- version 17.31.1 (22)
- Add PoolItem::statusReinit to reset the status it's initial
state in the ResPool (might help bsc#1199895)
This may either be 'KEEP_STATE bySOLVER' or 'LOCKED byUSER' if
the PoolItem matched a hard lock defined in /etc/zypp/locks.
- Fix building with GCC 13 on i586 (fixes #407, fixes #396)
- Be prepared to receive exceptions from curl_easy_cleanup
(bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and dependend code.
This commit removes the MediaNetwork tech preview and all related
code. First reason for this is that MediaNetwork was just meant
as a way to test the new CURL based downloader and second: since
the Provide API is going to completely replace the current media
backend it would be extra work to ensure that changes on the
Downloader do not break MediaNetwork.
- version 17.31.0 (22)
- Fix building with GCC 12.x release (#396)
- version 17.30.3 (22)
- appdata plugin: Pass path to the repodata/ directory inside the
cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending
endOfScriptTag.
- version 17.30.2 (22)
- PluginRepoverification: initial version hooked into
repo::Downloader and repo refresh.
- Immediately start monitoring the download.transfer_timeout.
Do not wait until the first data arrived. (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only.
- Work around cases where sat repo.start points to an invalid
solvable. May happen if (wrong arch) solvables were removed
at the beginning of the repo.
- fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER
(fixes #388)
- version 17.30.1 (22)
- logrotate
-
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
* enforce stricter parsing to avoid CVE-2021-3864
* Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
* Added patch logrotate-dont_warn_on_size=_syntax.patch
- mozilla-nspr
-
- update to version 4.34.1
* add file descriptor sanity checks in the NSPR poll function.
- update to version 4.34
* add an API that returns a preferred loopback IP on hosts that
have two IP stacks available.
- update to 4.33:
* fixes to build system and export of private symbols
- mozilla-nss
-
- Require libjitter only for SLE15-SP4 and greater
- update to NSS 3.79.2 (bsc#1204729)
* bmo#1785846 - Bump minimum NSPR version to 4.34.1.
* bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
- Add nss-allow-slow-tests.patch, which allows a timed test to run
longer than 1s. This avoids turning slow builds into broken
builds.
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
DSA keys (verification only) (bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to add
sftk_FIPSRepeatIntegrityCheck() to softoken's .def file
(bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to allow the use of
longer symmetric keys via the service level indicator
(bsc#1191546).
- Update nss-fips-constructor-self-tests.patch to hopefully export
sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions
from getting flagged as non-FIPS (bsc#1191546).
- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298).
- Enable nss-fips-drbg-libjitter.patch now that we have a patched
libjitter to build with (bsc#1202870).
- Update nss-fips-approved-crypto-non-ec.patch to prevent keys
from getting flagged as non-FIPS and add remaining TLS mechanisms.
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for
entropy. This is disabled until we can avoid the inline assembler
in the latter's header file that relies on GNU extensions.
- Update nss-fips-constructor-self-tests.patch to fix an abort()
when both NSS_FIPS and /proc FIPS mode are enabled.
- update to NSS 3.79.1 (bsc#1202645)
* bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1759794 - protect SFTKSlot needLogin with slotLock.
* bmo#1760998 - avoid data race on primary password change.
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
rest of the DSA ciphers, keeping signature verification only
(bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
we removed the code to short-circuit broken hashes and moved to
using the SLI.
- Remove upstreamed patches:
* nss-fips-version-indicators.patch
* nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
- bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- bmo#1766907 - Update mercurial in clang-format docker image.
- bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
- bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
- bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- bmo#1764788 - Correct invalid record inner and outer content type alerts.
- bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
- bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
* bmo#1767590 - Initialize pointers passed to
NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
bmo#1763120 - Add ECH Grease Support to tstclnt
bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
* Bug 1762244 - resolve mpitests build failure on Windows.
* bmo#1761779 - Fix link to TLS page on wireshark wiki
* bmo#1754890 - Add two D-TRUST 2020 root certificates.
* bmo#1751298 - Add Telia Root CA v2 root certificate.
* bmo#1751305 - Remove expired explicitly distrusted certificates
from certdata.txt.
* bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
* bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
* bmo#1756271 - Remove token member from NSSSlot struct.
* bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
* bmo#1757279 - Support UTF-8 library path in the module spec string.
* bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
* bmo#1760827 - Add a CI Target for gcc-11.
* bmo#1760828 - Change to makefiles for gcc-4.8.
* bmo#1741688 - Update googletest to 1.11.0
* bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
* bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
* bmo#1755904 - Fix calculation of ECH HRR Transcript.
* bmo#1758741 - Allow ld path to be set as environment variable.
* bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
* bmo#1758478 - Fix DataBuffer Move Assignment.
* bmo#1552254 - internal_error alert on Certificate Request with
sha1+ecdsa in TLS 1.3
* bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
NSS 3.76.1
* bmo#1756271 - Remove token member from NSSSlot struct.
NSS 3.76
* bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
nssTrustDomain_GetActiveSlots.
* bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
* bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
* bmo#1679803 - Add SHA256 fingerprint comments to old
certdata.txt entries.
* bmo#1753505 - Avoid truncating files in nss-release-helper.py.
* bmo#1751157 - Throw illegal_parameter alert for illegal extensions
in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
* bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
* bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
* bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
* bmo#1748386 - Remove redundant key type check.
* bmo#1749869 - Update ABI expectations to match ECH changes.
* bmo#1748386 - Enable CKM_CHACHA20.
* bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
* bmo#1747310 - real move assignment operator.
* bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
* bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
* bmo#1747772 - Allow to build using clang's integrated assembler.
* bmo#1321398 - Allow to override python for the build.
* bmo#1747317 - test HKDF output rather than input.
* bmo#1747316 - Use ASSERT macros to end failed tests early.
* bmo#1747310 - move assignment operator for DataBuffer.
* bmo#1712879 - Add test cases for ECH compression and unexpected
extensions in SH.
* bmo#1725938 - Update tests for ECH-13.
* bmo#1725938 - Tidy up error handling.
* bmo#1728281 - Add tests for ECH HRR Changes.
* bmo#1728281 - Server only sends GREASE HRR extension if enabled
by preference.
* bmo#1725938 - Update generation of the Associated Data for ECH-13.
* bmo#1712879 - When ECH is accepted, reject extensions which were
only advertised in the Outer Client Hello.
* bmo#1712879 - Allow for compressed, non-contiguous, extensions.
* bmo#1712879 - Scramble the PSK extension in CHOuter.
* bmo#1712647 - Split custom extension handling for ECH.
* bmo#1728281 - Add ECH-13 HRR Handling.
* bmo#1677181 - Client side ECH padding.
* bmo#1725938 - Stricter ClientHelloInner Decompression.
* bmo#1725938 - Remove ECH_inner extension, use new enum format.
* bmo#1725938 - Update the version number for ECH-13 and adjust
the ECHConfig size.
- update to NSS 3.74
* bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
OCSP responses
* bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
* bmo#1721426 - NSS does not properly restrict server keys based on policy
* bmo#1733003 - Set nssckbi version number to 2.54
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
* bmo#1735407 - Replace GlobalSign ECC Root CA R4
* bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
* bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
certificates
* bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
CIF A62634068 root certificate
* bmo#1740095 - Add iTrusChina ECC root certificate
* bmo#1740095 - Add iTrusChina RSA root certificate
* bmo#1738805 - Add ISRG Root X2 root certificate
* bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
* bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
* bmo#1735028 - Check for missing signedData field
* bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
* Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
* bmo#1735028 - check for missing signedData field.
* bmo#1737470 - Ensure DER encoded signatures are within size limits.
* bmo#1729550 - NSS needs FiPS 140-3 version indicators.
* bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
* bmo#1738600 - sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170)
* CVE-2021-43527 (bmo#1737470)
Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
* Remove newline at the end of coreconf.dep
* bmo#1731911 - Fix nsinstall parallel failure.
* bmo#1729930 - Increase KDF cache size to mitigate perf
regression in about:logins
- update to NSS 3.71
* bmo#1717716 - Set nssckbi version number to 2.52.
* bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
* bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
* bmo#1717707 - Add HARICA Client ECC Root CA 2021.
* bmo#1717707 - Add HARICA Client RSA Root CA 2021.
* bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
* bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
* bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
* bmo#1726022 - Update test case to verify fix.
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
* bmo#1681975 - Avoid using a lookup table in nssb64d.
* bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
* bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
* bmo#1726022 - Cache additional PBE entries.
* bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
* bmo#1720226 (Backout) - integrity checks in key4.db not happening
on private components with AES_CBC
NSS 3.69
* bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
* bmo#1720226 - integrity checks in key4.db not happening on private
components with AES_CBC (backed out again)
* bmo#1720235 - SSL handling of signature algorithms ignores
environmental invalid algorithms.
* bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
nss failures.
(removed obsolete nss-btrfs-sqlite.patch)
* bmo#1720230 - Gtest update changed the gtest reports, losing gtest
details in all.sh reports.
* bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
* bmo#1720232 - SQLite calls could timeout in starvation situations.
* bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
* bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
* bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Mozilla NSS 3.68.4 (bsc#1200027)
* Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
(bmo#1767590)
- Update nss-fips-constructor-self-tests.patch to scan
LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
test certificate creation and disables the library checksum
validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
Most of the relevant changes are already upstream since NSS 3.60.
- ncurses
-
- Add patch ncurses-bnc1198627.patch
* Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
- openldap2
-
- bsc#1198341 - Prevent memory reuse which may lead to instability
* 0243-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
- openssl-1_1
-
- Added openssl-1_1-paramgen-default_to_rfc7919.patch
* bsc#1180995
* Default to RFC7919 groups when generating ECDH parameters
using 'genpkey' or 'dhparam' in FIPS mode.
- pam
-
- Update pam_motd to the most current version. This fixes various issues
and adds support for mot.d directories [jsc#PED-1712].
* Added: pam-ped1712-pam_motd-directory-feature.patch
- pciutils
-
- Add "/pciutils-Add-PCIe-5.0-data-rate-32-GT-s-support.patch"/ and
"/pciutils-Add-PCIe-6.0-data-rate-64-GT-s-support.patch"/ to fix
LnkCap speed recognition in lspci for multi PCIe ports such as
the ML110 Gen11. [bsc#1192862]
- pcre2
-
- Added pcre2-bsc1199235-CVE-2022-1587.patch
* CVE-2022-1587 / bsc#1199235
* Fix out-of-bounds read due to bug in recursions
* Sourced from:
- https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
- Added pcre2-Fix_crash_when_X_is_used_without_UTF_in_JIT.patch
* CVE-2019-20454 / bsc#1164384
* Fix crash when X is used in non-UTF mode on certain inputs.
* Sourced from:
- https://github.com/PCRE2Project/pcre2/commit/342c16ecd31bd12fc350ee31d2dcc041832ebb3f
- https://github.com/PCRE2Project/pcre2/commit/e118e60a68f03f38dd2ff3d16ca2e2e0d800e1d9
- procps
-
- Add the patches
* procps-3.3.17-library-bsc1181475.patch
* procps-3.3.17-top-bsc1181475.patch
which are backports of current newlib tree to solve bug bsc#1181475
* 'free' command reports misleading "/used"/ value
- python-Babel
-
- Add CVE-2021-42771-rel-path-traversal.patch fixing
CVE-2021-42771 by cleaning locale identifiers before loading
from file (bsc#1185768).
- python-M2Crypto
-
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
bsc#1178829), which mitigates the Bleichenbacher timing attacks
in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
- python-azure-agent
-
- Add paa_12_sp5_rdma_no_ext_driver.patch (bsc#1203181)
- Update to version 2.8.0.11 (bsc#1203164)
+ Enabled support for Fast Track (faster processing of extensions)
+ Add telemetry for VM Size
+ Add telemetry for environment variables passed to extensions
+ Enforce CPU quota on the Agent on Red Hat and CentOS 7.4+
+ Restore all firewall rules needed for communication with the WireServer
+ Fix false positives reporting processes in the Agent's cgroup
+ Fix false errors when collecting debug logs
+ Don't report incorrect CPU usage data
+ Fetching a goal state with empty certificates property
+ Silence goal state fetch errors after 3 logs
+ Change fast track timestamp default from None to datetime.min
+ Retry HGAP's extensionsArtifact requests on BAD_REQUEST status
+ Support for Rocky Linux
+ RHEL 8
+ RHEL 9
+ Preliminary work to enforce CPU quota on extensions
+ Preliminary work for management of agent self-updates [GA Versioning]
+ Add CentOS 7.9 to end-to-end-tests
+ Add Mariner to end-to-end-tests
- 2.8.0.11 followed 2.7.3.0, no intermediate releases
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
- Update to 2.7.3.0 (jsc#PED-1298)
+ Remove proper_dhcp_config_set.patch included upstream
+ Remove sle_hpc-is-sles.patch included upstream
+ Forward port reset-dhcp-deprovision.patch
+ Retry HGAP's extensionsArtifact requests on BAD_REQUEST status #2622
+ Use 'ip' instead of 'ifdown/ifup' to restart network interface on
RHEL >= 8.6 #2612 #2624
- From 2.7.1.0
+ hotfix for OOM errors on the log collector
- From 2.7.0.6
+ Increase time of autoupdates after updates are available #2403
+ Send telemetry when upgrade available #2421
+ Enable collection of debugging information #2436, #2453, #2510
+ Add support for Python 2.6 to the debug info collection code #2452
+ Enable CPU/memory data collection on RedHat and CentOS #2450
+ Exclude end-to-end tests from Agent setup #2396, #2402
+ Fix log message in cgroups management #2427
+ Fix parsing of malformed error.json files #2433
+ Allow DNS queries over TCP #2429
+ Dont exit extension handler process if unable to fetch
first goal state #2440
+ Improvements for Mariner #2407, #2414
+ Add uos support #2420
+ Add support for VMware PhotonOS #2431
- From 2.6.0.2
+ added cloudlinux support (#2344)
+ Enable extensions cpu monitoring (#2357, #2384, #2391)
+ Support Flatcar Container Linux (#2365)
+ Retrieve VmSettings from HostGAPlugin
(#2378, #2382, #2386, #2394, #2397, #2404)
+ Set Agent's CpuQuota to 75% (#2383)
+ Use handler status if extension status is None when computing
the ExtensionsSummary (#2358) (#2361)
+ fix bug with dependent extensions with no settings (#2285) (#2362)
+ Create events dir for handlers if ETP enabled (#2366)
+ Report status even if goal state cannot be processed (#2370)
+ Define ExtensionsSummary.eq (#2371) (#2373)
+ Implement ExtensionsSummary.ne in terms of eq (#2375)
- From 2.5.0.2
+ Enable Extension Telemetry Pipeline (#2337, #2339)
+ Enable Periodic Log Collection in systemd distros (#2295,#2289)
+ Implement InitialGoalStatePeriod parameter + improvements in logging
goal state processing(#2332)
+ Fix operation name in InitializeHostPlugin event(#2338)
+ Mock systemctl stop cmd (#2335)
+ Report transitioning when status file not found (#2330)
+ Dont create default status file for Single-Config extensions (#2318)
+ Do not create placeholder status file for AKS extensions (#2298)
+ Save waagent_status to history folder and add additional details to
the status file (#2325,#2301,#2270)
+ Rename Debug.FetchVmSettings to Debug.EnableFastTrack (#2324)
+ Update HostGAplugin headers before fetching vmSettings (#2323)
+ Handle HTTP GONE in vmSettings request (#2321)
+ Added log statements to debug issues in vmSettings API(#2317)
+ Remove reference to re.IGNORECASE (#2316)
+ Add and remove extension slice (#2315)
+ FastTrack changes (#2314, #2313,#2306, #2304,#2294, #2293)
+ Helper to handle exception message(#2305)
+ Remove trailing spaces from command name (#2296)
+ Add debug info for systemd-run false positives (#2292)
+ Move Github Actions VMs to Ubuntu 18 (#2291)
+ Onboard redhat82, ubuntu20 (#2290, #2279)
+ Allow systemd-run in the Agent's cgroup (#2287)
+ Use handler status if extension status is None (#2358)
+ Bug Fix :Define ExtensionsSummary.ne (#2371)
- From 2.4.0.2
+ Support for Multi config (#2245, #2261)
+ Support sles 15 sp2 distro (#2272)
+ Cleanup history folder every 30 min (#2258)
+ Updated _read_status_file to include a fragment of status file in
the exception (#2257)
+ Fix telemetry unicode errors (Re-add #1937) (#2278)
+ Match IPoIB interface with any alphanumeric characters (#2239)
+ Fix bug with dependent extensions with no settings (#2285)
+ Do not create placeholder status file for AKS extensions (#2298)
+ Refactoring of Agent's main loop (#2275)
+ Exception for Linux Patch Extension for creating placeholder
status file (#2307)
+ Dont create default status file for Single-Config extensions (#2318)
+ Fix bad logging (#2241)
+ Fixed logging of PeriodicOperation (#2263)
+ Log collector broken pipe fix (#2267)
+ Improved logging for Multi config (#2246)
- From 2.3.1.1
+ revert for reducing the time window where we restart the network
interfaces of the VM
- From 2.3.0.2
+ Enforce CPUQuota on agent #2222, #2226
+ Add support for RequiredFeatures and GoalStateAggregateStatus APIs
[#2190], #2206, #2209, #2216
+ Added fallback locations for extension manifests #2188
+ Add missing call to str.format() when creating exception #2193
+ Remove helper network service on deprovision #2191
+ Use a helper script to start the network service #2225 #2253
+ Initialize published_hostname using /var/lib/cloud/data/set-hostname #2215
+ Fix utf logging for persist firewall rules #2237
+ Replace firewall-setup unit file if changed #2236
- From 2.2.54
+ PA changes to check cloud-init (#2061)
+ log collector (#2066)
+ cgroups CPU percentage py processor count (#2074)
+ Parse InVMGoalStateMetaData from Extension Config (#2081)
+ iscsi disk support for agent configs (#2073)
+ Add support for VMs with multiple IB devices (#2085)
+ Python 3.9 support (#2082)
+ Add support for CBL-Mariner distro (#2099)
+ Enable Provisioning.MonitorHostName for Ubuntu (#1934)
+ Added supportedFeatures flag in status reporting (#2089)
+ Parse ext runtime settings (#2087)
+ GHA merge validation (#2097)
+ Cgroups improvements
+ renamed the eventsFolder variable for preview and enabled ETP (#2140)
+ Agent slice and custom unit files telemetry (#2150)
+ Make IPoIB interface online (#2116)
+ Add option to disable NetworkConfigurationChanges (#2156)
+ Log network configuration on service start (#2157)
+ Setup persistent firewall rules on service restart (#2154)
+ switched to using run_command (#2060)
+ fixes for chained-comparison and dangerous-default-value pylint
warnings (#2072)
+ fixed depends on errors (#2059)
+ WireIp env variable added (#2078)
+ Unstick HGAP channel as default (#2046)
+ shellutil.run_command fixes (#2086, #2098)
+ unit test fixes (#2090, #2091, #2108, #2153)
+ fix distro resolution for RedHat (#2083)
+ Read KVP value in binary mode (#2084)
+ Redact protected settings in goal state debug files (#2130)
+ Modify retry logic for empty goal state (#2140)
+ GS no config fix (#2141)
+ CommandExecution.log logrototate config -> custom log management (#2143)
+ binary file for firewall rules (#2147)
+ Refresh host ga plugin periodically (#2155)
+ Disabled custom service (#2166)
+ update test zips (#2167)
- From 2.2.53.1
+ Extension Telemetry Pipeline as a private-preview feature
- From 2.2.53
+ Start exthandler with the same python interpreter (#2007)
+ Verify that the extension status is an array (#2010)
+ Remove enum _UpdateType and retry fetching goal state (#2018)
+ use dd for ext4 as well as xfs (#2042)
+ Fix path for error.json (#2044)
+ Switch to run command changes, + provisioning changes that need to be
reverted. (#2050)
+ Fix timestamp for goal state archive (#2051)
+ Case insensitive parsing or Plugins and PluginSettings (#2054)
+ Revert "/Fixed delays for HTTP retries rather than exponential
delays (#1967)"/ (#2065)
+ Fixed bug causing "/MAC verified OK"/ message (#2069)
+ Revert unicode fix manually (#1937) (#2070)
+ Recreate handler environment file on service startup (#1960)
+ Add log collection tool and thread (#1987)
+ Thread interface (#1990)
+ Verify that the CPU and Memory cgroups for the agent are properly
initialized; disabled cgroups if they are not active. (#2015)
+ SUSE config: use Btrfs LZO compression for ResourceDisk (#2055)
+ Extension telemetry pipeline (#1918)
+ Reformatted the heartbeat event (#2009)
+ Add LIS version to OSInfo.message (#2011)
+ One thread for telemetry (#2019)
+ Limit description character length sent for health report (#2020)
+ Remove Serial Console Logging (#2028)
+ Echo log to /dev/console during provisioning (#2043)
+ Adding telemetry for logrotate (#2045)
+ Report placeholder extension status as an array (#2068)
+ Fix broken link in readme (#2014)
+ Add log collector flags to README (#2029)
- From 2.2.52
+ Do not retrieve users in each goal state (#1935)
+ Fix check for systemd-run failure when invoking extensions (#1943)
+ Fix telemetry unicode errors (#1937)
+ Uninstall unregistered extensions (#1970)
+ Use run_command to execute iptables (#1944)
+ Use run_command for ip route (#1958)
+ Fix handling of gen2 disks with udev rules (#1954)
+ Add API for uploading logs via host plugin (#1902)
+ Fixed delays for HTTP retries rather than exponential delays (#1967)
+ Resolve undefined variable (#1950)
+ Convert owner uid to string (#1949)
+ Fix Travis special checks for distro and remove useless cgroup tests (#1959)
+ Use tmp_dir instead of data_dir (#1968)
- Removed %config flag for files in /usr directory.
- Cleanup spec file:
- - Removed %{_distconfdir}/logrotate.d from dirlist. It will be
handled by package filelist now.
- - %{_distconfdir}/logrotate.d/* can be changed by vendor only.
So it will be replaced by an RPM update.
- Moved logrotate files from user specific directory /etc/logrotate.d
to vendor specific directory /usr/etc/logrotate.d.
- require python-rpm-macros to fix build for TW
- do not require test dependencies for build, they are not needed
(no testsuite run in %check)
- python-lxml
-
- add CVE-2022-2309.patch (bsc#1201253, CVE-2022-2309)
- With the new update to 4.7.1, the old Bugzilla entries are also
fixed:
- bsc#1118088 (related to CVE-2018-19787)
- bsc#1184177 (related to CVE-2021-28957)
- Update to 4.7.1 (officially released 2021-12-13)
Features added
- Chunked Unicode string parsing via parser.feed() now encodes the input
data to the native UTF-8 encoding directly, instead of going through
Py_UNICODE / wchar_t encoding first, which previously required duplicate
recoding in most cases.
Bugs fixed
- The standard namespace prefixes were mishandled during "/C14N2"/
serialisation
on Python 3.
See
https://mail.python.org/archives/list/lxml@python.org/thread/
6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
- lxml.objectify previously accepted non-XML numbers with underscores
(like "/1_000"/) as integers or float values in Python 3.6 and later.
It now adheres to the number format of the XML spec again.
- LP#1939031: Static wheels of lxml now contain the header files of zlib
and libiconv (in addition to the already provided headers of
libxml2/libxslt/libexslt).
Other changes
- Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
- Update to 4.7.0 (2021-12-13)
- Release retracted due to missing files in lxml/includes/.
- UPdate to 4.6.5 (2021-12-12)
Bugs fixed
- A vulnerability (GHSL-2021-1038) in the HTML cleaner
- allowed sneaking script content through SVG images
- (bnc#1193752, CVE-2021-43818).
- A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed
- sneaking script content through CSS imports and other crafted
- constructs (CVE-2021-43818).
- Update 4.6.4 (2021-11-01)
Features added
- GH#317: A new property system_url was added to DTD entities.
- Patch by Thirdegree.
- GH#314: The STATIC_* variables in setup.py can now be passed
- via env vars.
- Patch by Isaac Jurado.
- Update 4.6.3 (2021-03-21)
Bugs fixed
- A vulnerability (CVE-2021-28957) was discovered in the HTML
- Cleaner by Kevin Chung, which allowed JavaScript to pass through.
- The cleaner now removes the HTML5 formaction attribute.
- Update 4.6.2 (2020-11-26)
Bugs fixed
- A vulnerability (bnc#1179534, CVE-2020-27783) was discovered in the HTML
Cleaner
- by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner
- now removes more sneaky "/style"/ content.
- Update 4.6.1 (2020-10-18)
Bugs fixed
- A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
- which allowed JavaScript to pass through. The cleaner now removes
- more sneaky "/style"/ content.
- Update 4.6.0 (2020-10-17)
Features added
- GH#310: lxml.html.InputGetter supports __len__() to count the number
- of input fields. Patch by Aidan Woolley.
- lxml.html.InputGetter has a new .items() method to ease processing
- all input fields.
- lxml.html.InputGetter.keys() now returns the field names in document
- order.
- GH-309: The API documentation is now generated using sphinx-apidoc.
- Patch by Chris Mayo.
Bugs fixed
- LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes
- when a default namespace was defined.
- TreeBuilder.close() raised AssertionError in some error cases where
- it should have raised XMLSyntaxError. It now raises a combined
- exception to keep up backwards compatibility, while switching to
- XMLSyntaxError as an interface.
- Update 4.5.2 (2020-07-09)
Bugs fixed
- Cleaner() now validates that only known configuration options
- can be set.
- LP#1882606: Cleaner.clean_html() discarded comments and PIs
- regardless of the corresponding configuration option, if
- remove_unknown_tags was set.
- LP#1880251: Instead of globally overwriting the document loader
- in libxml2, lxml now sets it per parser run, which improves the
- interoperability with other users of libxml2 such as libxmlsec.
- LP#1881960: Fix build in CPython 3.10 by using Cython 0.29.21.
- The setup options "/--with-xml2-config"/ and "/--with-xslt-config"/
- were accidentally renamed to "/--xml2-config"/ and "/--xslt-config"/
- in 4.5.1 and are now available again.
- Update 4.5.1 (2020-05-19)
Bugs fixed
- LP#1570388: Fix failures when serialising documents larger than
- 2GB in some cases.
- LP#1865141, GH#298: QName values were not accepted by the
- el.iter() method. Patch by xmo-odoo.
- LP#1863413, GH#297: The build failed to detect libraries on Linux
- that are only configured via pkg-config. Patch by Hugh McMaster.
- Update 4.5.0 (2020-01-29)
Features added
- A new function indent() was added to insert tail whitespace for
- pretty-printing an XML tree.
Bugs fixed
- LP#1857794: Tail text of nodes that get removed from a document
using item deletion disappeared silently instead of sticking with
the node that was removed.
Other changes
- MacOS builds are 64-bit-only by default. Set CFLAGS and LDFLAGS
explicitly to override it.
- Linux/MacOS Binary wheels now use libxml2 2.9.10 and libxslt 1.1.34.
- LP#1840234: The package version number is now available as
lxml.__version__.
- Update 4.4.3 (2020-01-28)
Bugs fixed
- LP#1844674: itertext() was missing tail text of comments and PIs
since 4.4.0.
- Update to 4.4.2:
* LP#1835708: ElementInclude incorrectly rejected repeated
non-recursive includes as recursive.
* Remove patch lxml-libxml-2.9.10.patch which is now upstream
- Add lxml-libxml-2.9.10.patch: Fix build against libxml 2.9.10.
- Update to 4.4.1:
* LP#1838252: The order of an OrderedDict was lost in 4.4.0 when passing it as attrib mapping during element creation.
* LP#1838521: The package metadata now lists the supported Python versions.
- version update to 4.4.0
* ``Element.clear()`` accepts a new keyword argument ``keep_tail=True`` to
clear everything but the tail text. This is helpful in some document-style
use cases.
* When creating attributes or namespaces from a dict in Python 3.6+, lxml now
preserves the original insertion order of that dict, instead of always sorting
the items by name. A similar change was made for ElementTree in CPython 3.8.
See https://bugs.python.org/issue34160
* Integer elements in ``lxml.objectify`` implement the ``__index__()`` special method.
* GH#269: Read-only elements in XSLT were missing the ``nsmap`` property.
Original patch by Jan Pazdziora.
* ElementInclude can now restrict the maximum inclusion depth via a ``max_depth``
argument to prevent content explosion. It is limited to 6 by default.
* The ``target`` object of the XMLParser can have ``start_ns()`` and ``end_ns()``
callback methods to listen to namespace declarations.
* The ``TreeBuilder`` has new arguments ``comment_factory`` and ``pi_factory`` to
pass factories for creating comments and processing instructions, as well as
flag arguments ``insert_comments`` and ``insert_pis`` to discard them from the
tree when set to false.
* A `C14N 2.0 <https://www.w3.org/TR/xml-c14n2/>`_ implementation was added as
``etree.canonicalize()``, a corresponding ``C14NWriterTarget`` class, and
a ``c14n2`` serialisation method.
* bugfixes, see CHANGES.txt
- deleted sources
- lxmldoc-4.3.3.pdf (renamed)
- added sources
+ lxmldoc-4.4.0.pdf
+ world.txt
- Update to 4.3.4
* Rebuilt with Cython 0.29.10 to support Python 3.8.
Note: documentation is not updated
- Remove generated files
- Update to 4.3.3:
* Fix leak of output buffer and unclosed files in ``_XSLTResultTree.write_output()``.
- Update to 4.3.2:
* Crash in 4.3.1 when appending a child subtree with certain text nodes.
- Update to v4.3.1
* Fixed crash when appending a child subtree that contains unsubstituted
entity references
- from v4.3.0
* Features
+ The module ``lxml.sax`` is compiled using Cython in order to speed it up.
+ lxml.sax.ElementTreeProducer now preserves the namespace prefixes.
If two prefixes point to the same URI, the first prefix in alphabetical
order is used.
+ Updated ISO-Schematron implementation to 2013 version (now MIT licensed)
and the corresponding schema to the 2016 version (with optional "/properties"/).
* Other
+ Support for Python 2.6 and 3.3 was removed.
+ The minimum dependency versions were raised to libxml2 2.9.2 and libxslt 1.1.27,
which were released in 2014 and 2012 respectively.
- from v4.2.6
* Fix a DeprecationWarning in Py3.7+.
* Import warnings in Python 3.6+ were resolved.
- Remove no longer needed
0001-Make-test-more-resilient-against-changes-in-latest-l.patch
- Remove superfluous devel dependency for noarch package
- Update to 4.2.5
* Javascript URLs that used URL escaping were not removed by the HTML cleaner.
Security problem found by Omar Eissa.
- Fix threading tests patch for 42.3
* Add 0001-Make-test-more-resilient-against-changes-in-latest-l.patch
* Remove python-lxml-assert.patch
- Update to 4.2.4 (2018-08-03)
+ Features added
* GH#259: Allow using ``pkg-config`` for build configuration.
Patch by Patrick Griffis.
+ Bugs fixed
* LP#1773749, GH#268: Crash when moving an element to another document with
``Element.insert()``.
Patch by Alexander Weggerle.
- Update to 4.2.3
+ Bugs fixed
* Reverted GH#265: lxml links against zlib as a shared library again.
- Update to 4.2.2
+ Bugs fixed
* GH#266: Fix sporadic crash during GC when parse-time schema validation is used
and the parser participates in a reference cycle.
Original patch by Julien Greard.
* GH#265: lxml no longer links against zlib as a shared library, only on static builds.
Patch by Nehal J Wani.
- Version update to 4.2.1:
* LP#1755825: iterwalk() failed to return the 'start' event for the initial
element if a tag selector is used.
* LP#1756314: Failure to import 4.2.0 into PyPy due to a missing library symbol.
* LP#1727864, GH#258: Add "/-isysroot"/ linker option on MacOS as needed by XCode 9.
- Version update to 4.2.0:
* GH#255: ``SelectElement.value`` returns more standard-compliant and
browser-like defaults for non-multi-selects. If no option is selected, the
value of the first option is returned (instead of None). If multiple options
are selected, the value of the last one is returned (instead of that of the
first one). If no options are present (not standard-compliant)
``SelectElement.value`` still returns ``None``.
* GH#261: The ``HTMLParser()`` now supports the ``huge_tree`` option.
Patch by stranac.
* LP#1551797: Some XSLT messages were not captured by the transform error log.
* LP#1737825: Crash at shutdown after an interrupted iterparse run with XMLSchema
validation.
- Add patch python-lxml-assert.patch to pass test fail on threading
- update to 4.1.1
- ElementPath supports text predicates for current node, like "/[.='text']"/.
- ElementPath allows spaces in predicates.
- Custom Element classes and XPath functions can now be registered with
a decorator rather than explicit dict assignments.
- LP#1722776: Requesting non-Element objects like comments from
a document with PythonElementClassLookup could fail with a TypeError.
- python-paramiko
-
- update to 2.4.3
* Fix Ed25519 key handling so certain key comment lengths don't cause
SSHException("/Invalid key"/) (bsc#1200603)
* Add support for the modern (as of Python 3.3) import location of
MutableMapping (used in host key management) to avoid the old location
becoming deprecated in Python 3.8.
- refresh add-support-for-new-OpenSSH-private-key-format.patch
- refresh paramiko-test_extend_timeout.patch
- refresh support-cryptography-25-and-above.patch
* Fix exploit (CVE-2018-1000805) in Paramiko's server mode (not client mode)
(bsc#1111151)
- python-psutil
-
- Add patch mem-used-bsc1181475.patch (bsc#1181475)
* Adopt change of used memory calculation from upstream of procps
- python-py
-
- Update in SLE-15 (bsc#1195916, bsc#1196696, jsc#PM-3356, jsc#SLE-23972)
- Drop CVE-2020-29651.patch, issue fixed upstream in 1.10.0
- Update to 1.10.0
* Fix a regular expression DoS vulnerability in the py.path.svnwc
SVN blame functionality (CVE-2020-29651)
- Devendor apipkg and iniconfig
- Add pr_222.patch to activate test suite
- Update to 1.9.0
* Add type annotation stubs
- python3
-
- Add CVE-2022-37454-sha3-buffer-overflow.patch to fix
bsc#1204577 (CVE-2022-37454, gh#python/cpython#98517) buffer
overflow in hashlib.sha3_* implementations (originally from the
XKCP library).
- Add CVE-2020-10735-DoS-no-limit-int-size.patch to fix
CVE-2020-10735 (bsc#1203125) to limit amount of digits
converting text to int and vice vera (potential for DoS).
Originally by Victor Stinner of Red Hat.
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch,
CRLF_injection_via_host_part.patch, and
CVE-2019-18348-CRLF_injection_via_host_part.patch.
- release-notes-sle_hpc
-
- 15.1.20220831 (tracked in bsc#933411)
- Sync Slurm sections with 15 SP2 (jsc#DOCTEAM-160,jsc#DOCTEAM-161)
- rsync
-
- Add support for --trust-sender parameter (patch by Jie Gong in
bsc#1202970). (related to CVE-2022-29154, bsc#1201840)
* Added patch rsync-CVE-2022-29154-trust-sender-1.patch
* Added patch rsync-CVE-2022-29154-trust-sender-2.patch
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
- ruby2
-
- Update suse.patch to 41adc98ad1:
- Cookie Prefix Spoofing in CGI::Cookie.parse (boo#1193081 CVE-2021-41819)
- add back some lost chunks to the suse.patch
- runc
-
- Update to runc v1.1.4. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.4.
* Fix mounting via wrong proc fd. When the user and mount namespaces are
used, and the bind mount is followed by the cgroup mount in the spec,
the cgroup was mounted using the bind mount's mount fd.
* Switch kill() in libcontainer/nsenter to sane_kill().
* Fix "/permission denied"/ error from runc run on noexec fs.
* Fix failed exec after systemctl daemon-reload. Due to a regression
in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
(boo#1202821)
- Update to runc v1.1.4. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.4.
bsc#1202021
* Fix mounting via wrong proc fd. When the user and mount namespaces are
used, and the bind mount is followed by the cgroup mount in the spec,
the cgroup was mounted using the bind mount's mount fd.
* Switch kill() in libcontainer/nsenter to sane_kill().
* Fix "/permission denied"/ error from runc run on noexec fs.
* Fix failed exec after systemctl daemon-reload. Due to a regression
in v1.1.3, the DeviceAllow=char-pts rwm rule was no longer added and
was causing an error open /dev/pts/0: operation not permitted: unknown when systemd was reloaded.
(boo#1202821)
- salt
-
- Handle non-UTF-8 bytes in core grains generation (bsc#1202165)
- Fix Syndic authentication errors (bsc#1199562)
- Add Amazon EC2 detection for virtual grains (bsc#1195624)
- Fix the regression in schedule module releasded in 3004 (bsc#1202631)
- Fix state.apply in test mode with file state module on user/group checking (bsc#1202167)
- Change the delimeters to prevent possible tracebacks on some packages with dpkg_lowpkg
- Make zypperpkg to retry if RPM lock is temporarily unavailable (bsc#1200596)
- Fix test_ipc unit test
- Added:
* change-the-delimeters-to-prevent-possible-tracebacks.patch
* add-amazon-ec2-detection-for-virtual-grains-bsc-1195.patch
* fix-state.apply-in-test-mode-with-file-state-module-.patch
* fix-the-regression-in-schedule-module-releasded-in-3.patch
* retry-if-rpm-lock-is-temporarily-unavailable-547.patch
* fix-test_ipc-unit-tests.patch
* backport-syndic-auth-fixes.patch
* ignore-non-utf8-characters-while-reading-files-with-.patch
- Add support for gpgautoimport in zypperpkg module
- Update Salt to work with Jinja >= and <= 3.1.0 (bsc#1198744)
- Fix salt.states.file.managed() for follow_symlinks=True and test=True (bsc#1199372)
- Make Salt 3004 compatible with pyzmq >= 23.0.0 (bsc#1201082)
- Add support for name, pkgs and diff_attr parameters to upgrade function for zypper and yum (bsc#1198489)
- Fix ownership of salt thin directory when using the Salt Bundle
- Set default target for pip from VENV_PIP_TARGET environment variable
- Normalize package names once with pkg.installed/removed using yum (bsc#1195895)
- Save log to logfile with docker.build
- Use Salt Bundle in dockermod
- Ignore erros on reading license files with dpkg_lowpkg (bsc#1197288)
- Added:
* fix-salt.states.file.managed-for-follow_symlinks-tru.patch
* fix-62092-catch-zmq.error.zmqerror-to-set-hwm-for-zm.patch
* add-support-for-gpgautoimport-539.patch
* ignore-erros-on-reading-license-files-with-dpkg_lowp.patch
* set-default-target-for-pip-from-venv_pip_target-envi.patch
* fix-ownership-of-salt-thin-directory-when-using-the-.patch
* normalize-package-names-once-with-pkg.installed-remo.patch
* save-log-to-logfile-with-docker.build.patch
* add-support-for-name-pkgs-and-diff_attr-parameters-t.patch
* use-salt-bundle-in-dockermod.patch
* fix-jinja2-contextfuntion-base-on-version-bsc-119874.patch
- Fix PAM auth issue due missing check for PAM_ACCT_MGM return value (CVE-2022-22967) (bsc#1200566)
- samba
-
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
(bsc#1201496).
- sqlite3
-
- update to 3.39.3:
* Use a statement journal on DML statement affecting two or more
database rows if the statement makes use of a SQL functions
that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
PRAGMA data_store_directory statements, even though they are
decremented and documented as not being threadsafe.
- update to 3.39.2:
* Fix a performance regression in the query planner associated
with rearranging the order of FROM clause terms in the
presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
1345947, forum post 3607259d3c, and other minor problems
discovered by internal testing. [boo#1201783]
- update to 3.39.1:
* Fix an incorrect result from a query that uses a view that
contains a compound SELECT in which only one arm contains a
RIGHT JOIN and where the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so
that it works correctly even if the prefix contains characters
that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
its output.
- update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and
IS DISTINCT FROM that are equivalent to IS and IS NOT,
respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and
ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
filenames to create a canonical name for the database before
the file is opened
* Defer materializing views until the materialization is actually
needed, thus avoiding unnecessary work if the materialization
turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
aggregate query, even queries that do not have a GROUP BY
clause
* Many microoptimizations collectively reduce CPU cycles by about
2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
related test failures on 32 bit
- update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the
byte code causes the byte code engine to enter an infinite loop
when the pull-down optimization encounters a NULL key
- update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction,
using inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows
in the output.
* Other minor patches. See the timeline for details.
- update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might
cause an incorrect answer when doing a LEFT JOIN with a WHERE
clause constraint that says that one of the columns on the
right table of the LEFT JOIN is NULL.
* Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
- update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might
cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
even in corner cases such as when the argument is a virtual
column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
they work correctly even if the virtual table implementation
relies on bytecode to filter rows that do not satisfy the
constraint.
* Other minor fixes to assert() statements, test cases, and
documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
sqlite-src-3380100-atof1.patch
- update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
an SQL error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs
and newlines embedded in text, and add options like "/--wrap N"/,
"/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up
large analytic queries, and a balanced merge tree to evaluate
UNION or UNION ALL compound SELECT statements that have an
ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
entries in the sqlite_schema table that do not parse when
PRAGMA writable_schema=ON
- update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
cause database corruption if a SAVEPOINT is rolled back while
in PRAGMA temp_store=MEMORY mode, and other changes are made,
and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON
UPDATE CASCADE in which a cache of the bytecode used to
implement the cascading change was not being reset following a
local DDL change
- update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version
3.35.0 that can cause incorrect byte-code to be generated for
some obscure but valid SQL, possibly resulting in a NULL-
pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
* STRICT tables provide a prescriptive style of data type
management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
generated column containing a NOT NULL constraint, the
ALTER TABLE ADD COLUMN now checks new constraints against
preexisting rows in the database and will only proceed if no
constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
and SQL statements that might cause side-effects that extend
beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
for the TEMP database. That limitation is now noted in the
documentation.
* The query planner now omits ORDER BY clauses on subqueries and
views if removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified
so that the first parameter ("/START"/) is now required. This is
done as a way to demonstrate how to write table-valued
functions with required parameters. The legacy behavior is
available using the -DZERO_ARGUMENT_GENERATE_SERIES
compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
- sudo
-
- Added sudo-1-8-27-bsc1201462-ignore-no-sudohost.patch
* Ignore entries when converting LDAP to sudoers. Prevents empty
host list being treated as "/ALL"/ wildcard.
* bsc#1201462
* Sourced from https://www.sudo.ws/repos/sudo/rev/484d0d3b892e
- systemd
-
- Import commit 5183646e041a0ac78107bc4e5b06594e3a27657f
8187a5e5f6 Allow control characters in environment variable values (bsc#1200170)
da394cc0b0 test-env-util: Verify that r is disallowed in env var values
da0120492d test-env-util: print function headers
0702ce5b4e basic/env-util: Allow newlines in values of environment variables
6fda9a8c7b udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
52174bfc1a man: tweak description of auto/noauto (bsc#1191502)
8a57b62f90 shared/install: ignore failures for auxiliary files
86079f3522 systemctl: supress enable/disable messages when -q is given (#7067)
aa4b7b7925 shared/install: fix error codes returned by install_context_apply()
ce671cf6e3 shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
- systemd-presets-common-SUSE
-
- enable ignition-delete-config by default (bsc#1199524)
- Modify branding-preset-states to fix systemd-presets-common-SUSE
not enabling new user systemd service preset configuration just
as it handles system service presets. By passing an (optional)
second parameter "/user"/, the save/apply-changes commands now
work with user services instead of system ones (boo#1200485)
- Add the wireplumber user service preset to enable it by default
in SLE15-SP4 where it replaced pipewire-media-session, but keep
pipewire-media-session preset so we don't have to branch the
systemd-presets-common-SUSE package for SP4 (boo#1200485)
- tar
-
- bsc1200657.patch was previously incomplete leading to deadlocks
* bsc#1202436
* bsc1200657.patch updated
- Fix race condition while creating intermediate subdirectories,
bsc#1200657
* bsc1200657.patch
- telnet
-
- Fix CVE-2022-39028, NULL pointer dereference in telnetd
(CVE-2022-39028, bsc#1203759)
CVE-2022-39028.patch
- timezone
-
- Update to reflect new Chile DST change, bsc#1202310
* bsc1202310.patch
- unzip
-
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
to a local string (CVE-2022-0530, bsc#1196177)
* CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
* CVE-2022-0529.patch
- util-linux
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- util-linux-systemd
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- vim
-
- Updated to version 9.0 with patch level 0313, fixes the following problems
* Fixing bsc#1200884 Vim: Error on startup
* Fixing bsc#1200902 VUL-0: CVE-2022-2183: vim: Out-of-bounds Read through get_lisp_indent() Mon 13:32
* Fixing bsc#1200903 VUL-0: CVE-2022-2182: vim: Heap-based Buffer Overflow through parse_cmd_address() Tue 08:37
* Fixing bsc#1200904 VUL-0: CVE-2022-2175: vim: Buffer Over-read through cmdline_insert_reg() Tue 08:37
* Fixing bsc#1201249 VUL-0: CVE-2022-2304: vim: stack buffer overflow in spell_dump_compl()
* Fixing bsc#1201356 VUL-1: CVE-2022-2343: vim: Heap-based Buffer Overflow in GitHub repository vim prior to 9.0.0044
* Fixing bsc#1201359 VUL-1: CVE-2022-2344: vim: Another Heap-based Buffer Overflow vim prior to 9.0.0045
* Fixing bsc#1201363 VUL-1: CVE-2022-2345: vim: Use After Free in GitHub repository vim prior to 9.0.0046.
* Fixing bsc#1201620 PUBLIC SUSE Linux Enterprise Server 15 SP4 Basesystem zbalogh@suse.com NEW --- SLE-15-SP4-Full-x86_64-GM-Media1 and vim-plugin-tlib-1.27-bp154.2.18.noarch issue
* Fixing bsc#1202414 VUL-1: CVE-2022-2819: vim: Heap-based Buffer Overflow in compile_lock_unlock()
* Fixing bsc#1202552 VUL-1: CVE-2022-2874: vim: NULL Pointer Dereference in generate_loadvar()
* Fixing bsc#1200270 VUL-1: CVE-2022-1968: vim: use after free in utf_ptr2char
* Fixing bsc#1200697 VUL-1: CVE-2022-2124: vim: out of bounds read in current_quote()
* Fixing bsc#1200698 VUL-1: CVE-2022-2125: vim: out of bounds read in get_lisp_indent()
* Fixing bsc#1200700 VUL-1: CVE-2022-2126: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1200701 VUL-1: CVE-2022-2129: vim: out of bounds write in vim_regsub_both()
* Fixing bsc#1200732 VUL-1: CVE-2022-1720: vim: out of bounds read in grab_file_name()
* Fixing bsc#1201132 VUL-1: CVE-2022-2264: vim: out of bounds read in inc()
* Fixing bsc#1201133 VUL-1: CVE-2022-2284: vim: out of bounds read in utfc_ptr2len()
* Fixing bsc#1201134 VUL-1: CVE-2022-2285: vim: negative size passed to memmove() due to integer overflow
* Fixing bsc#1201135 VUL-1: CVE-2022-2286: vim: out of bounds read in ins_bytes()
* Fixing bsc#1201136 VUL-1: CVE-2022-2287: vim: out of bounds read in suggest_trie_walk()
* Fixing bsc#1201150 VUL-1: CVE-2022-2231: vim: null pointer dereference skipwhite()
* Fixing bsc#1201151 VUL-1: CVE-2022-2210: vim: out of bounds read in ml_append_int()
* Fixing bsc#1201152 VUL-1: CVE-2022-2208: vim: null pointer dereference in diff_check()
* Fixing bsc#1201153 VUL-1: CVE-2022-2207: vim: out of bounds read in ins_bs()
* Fixing bsc#1201154 VUL-1: CVE-2022-2257: vim: out of bounds read in msg_outtrans_special()
* Fixing bsc#1201155 VUL-1: CVE-2022-2206: vim: out of bounds read in msg_outtrans_attr()
* Fixing bsc#1201863 VUL-1: CVE-2022-2522: vim: out of bounds read via nested autocommand
* Fixing bsc#1202046 VUL-1: CVE-2022-2571: vim: Heap-based Buffer Overflow related to ins_comp_get_next_word_or_line()
* Fixing bsc#1202049 VUL-1: CVE-2022-2580: vim: Heap-based Buffer Overflow related to eval_string()
* Fixing bsc#1202050 VUL-1: CVE-2022-2581: vim: Out-of-bounds Read related to cstrchr()
* Fixing bsc#1202051 VUL-1: CVE-2022-2598: vim: Undefined Behavior for Input to API related to diff_mark_adjust_tp() and ex_diffgetput()
* Fixing bsc#1202420 VUL-1: CVE-2022-2817: vim: Use After Free in f_assert_fails()
* Fixing bsc#1202421 VUL-1: CVE-2022-2816: vim: Out-of-bounds Read in check_vim9_unlet()
* Fixing bsc#1202511 VUL-1: CVE-2022-2862: vim: use-after-free in compile_nested_function()
* Fixing bsc#1202512 VUL-1: CVE-2022-2849: vim: Invalid memory access related to mb_ptr2len()
* Fixing bsc#1202515 VUL-1: CVE-2022-2845: vim: Buffer Over-read related to display_dollar()
* Fixing bsc#1202599 VUL-1: CVE-2022-2889: vim: use-after-free in find_var_also_in_script() in evalvars.c
* Fixing bsc#1202687 VUL-1: CVE-2022-2923: vim: NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240
* Fixing bsc#1202689 VUL-1: CVE-2022-2946: vim: use after free in function vim_vsnprintf_typval
* Fixing bsc#1202862 VUL-1: CVE-2022-3016: vim: Use After Free in vim prior to 9.0.0285 Mon 12:00
- zlib
-
- Fix heap-based buffer over-read or buffer overflow in inflate via
large gzip header extra field (bsc#1202175, CVE-2022-37434,
CVE-2022-37434-extra-header-1.patch,
CVE-2022-37434-extra-header-2.patch).
- zypper
-
- BuildRequires: libzypp-devel >= 17.31.2.
- Fix --[no]-allow-vendor-change feedback in install command
(bsc#1201972)
- version 1.14.57
- UsrEtc: Store logrotate files in %{_distconfdir} if defined
(fixes #441, fixes #444)
- Remove unneeded code to compute the PPP status.
Since libzypp 17.23.0 the PPP status is auto established. No
extra solver run is needed.
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Fix tests to use locale "/C.UTF-8"/ rather than "/en_US"/.
- Fix man page (fixes #451)
- version 1.14.56
- lr: Allow shortening the Name column if table is wider than the
terminal (bsc#1201638)
- Don't accepts install/remove modifier without argument
(bsc#1201576)
- zypper-download: Set correct ExitInfoCode when failing to
resolve argument.
- zypper-download: Handle unresolvable arguments as error.
This commit changes zypper-download such that it behaves more
consistent to zypper-install when an argument can't be resolved.
- version 1.14.55
- Fix building with GCC 13 (fixes #448)
- Put signing key supplying repository name in quotes.
- version 1.14.54
- Basic JobReport for "/cmdout/monitor"/.
- versioncmp: if verbose, also print the edition 'parts' which are
compared.
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally (fixes #433)
- Honor the NO_COLOR environment variable when auto-detecting
whether to use color (fixes #432)
- Define table columns which should be sorted natural [case
insensitive] (fixes #391, closes #396, fixes #424)
- lr/ls: Use highlight color on name and alias as well.
- version 1.14.53