- 000release-packages:SUSE-MicroOS-release
-
n/a
- containerd
-
- Update to containerd v1.7.8. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.8> bsc#1200528
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- curl
-
- Security fixes:
* [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
* Add patches:
- curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch
- curl-CVE-2023-46218.patch
- dracut
-
- Update to version 049.1+suse.257.gf94c3fd1:
* fix(udev-rules): Correct network device naming (bsc#1192986)
- gpg2
-
- Suppress error message on trial reading as PEM format when using
dirmngr to validate broken DER encoded files (bsc#1217212)
* Add patches:
- gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch
- gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch
- kernel-default
-
- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: mana: Fix MANA VF unload when hardware is unresponsive
(bsc#1214764).
- commit b006ee9
- Call flush_delayed_fput() from nfsd main-loop (bsc#1217408).
- commit f407bf4
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
(bsc#1217780).
- commit 96932d7
- netfilter: conntrack: dccp: copy entire header to stack buffer,
not just basic one (CVE-2023-39197 bsc#1216976).
- commit 5e51ad1
- kernel-binary: suse-module-tools is also required when installed
Requires(pre) adds dependency for the specific sciptlet.
However, suse-module-tools also ships modprobe.d files which may be
needed at posttrans time or any time the kernel is on the system for
generating ramdisk. Add plain Requires as well.
- commit 8c12816
- net/tls: do not free tls_rec on async operation in
bpf_exec_tx_verdict() (bsc#1217332 CVE-2023-6176).
- commit 20678d9
- ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140).
- commit ad1e507
- README.SUSE: fix patches.addon use
It's series, not series.conf in there.
And make it more precise on when the patches are applied.
- commit cb8969c
- Do not store build host name in initrd
Without this patch, kernel-obs-build stored the build host name
in its .build.initrd.kvm
This patch allows for reproducible builds of kernel-obs-build and thus
avoids re-publishing the kernel-obs-build.rpm when nothing changed.
Note that this has no influence on the /etc/hosts file
that is used during other OBS builds.
https://bugzilla.opensuse.org/show_bug.cgi?id=1084909
- commit fd3a75e
- Ensure ia32_emulation is always enabled for kernel-obs-build
If ia32_emulation is disabled by default, ensure it is enabled
back for OBS kernel to allow building 32bit binaries (jsc#PED-3184)
[ms: Always pass the parameter, no need to grep through the config which
may not be very reliable]
- commit 56a2c2f
- kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058
CVE-2023-45863).
- commit 1b6a097
- rpm: Define git commit as macro
- commit bcc92c8
- kernel-source: Move provides after sources
- commit dbbf742
- patches.suse/0003-btrfs-tree-checker-Refactor-prev_key-check-for-ino-i.patch:
(bsc#1215371).
- commit 39aefaa
- patches.suse/0002-btrfs-tree-checker-Add-check-for-INODE_REF.patch:
(bsc#1215371).
- commit d3fc74a
- patches.suse/0001-btrfs-tree-checker-Try-to-detect-missing-INODE_ITEM.patch:
(bsc#1215371).
- commit b772e7a
- rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE
Not supported by our compiler.
- commit eb32b5a
- igb: set max size RX buffer when store bad packet is enabled
(bsc#1216259 CVE-2023-45871).
- commit 9445d70
- drm/qxl: fix UAF on handle creation (CVE-2023-39198
bsc#1216965).
- commit a0819bc
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in
HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083).
- commit 7f7eb62
- perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717).
- commit dbf3f79
- perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717).
Implement KABI fix for above
- commit c397b9e
- rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE
Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes
to fix build on x86_32.
There was a fix submitted to upstream but it was not accepted:
https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/
So carry this in IGNORED_CONFIGS_RE instead.
- commit 7acca37
- Fix patches.suse/io_uring-used-cached-copies-of-sq-dropped-and-cq-ove.patch. (bsc#1214344)
To protect itself against userspace corrupting the counter of io_uring
dropped submission entries, the kernel relies on a cache of the counter
instead of reading the counter directly. But, the stable patch that was
brought to SP3 implementing the this mechanism was done incorrectly, and
let's the kernel read from the userspace value instead of the cache in
one situation. This allows userspace to subvert the counter, hanging the
application forever. Fix the backport to read from the cached value.
5.3 stable is long dead, so there is nothing to fix upstream or in
- stable.
- commit 2f88408
- gcc13
-
- Add gcc13-bsc1216664.patch, works around SAP ASE DB crash during
C++ standard library initialization. [bsc#1216664]
- add pr111411.patch (bsc#1215427)
- openssl-1_1
-
- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex
() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
- sqlite3
-
- Sync version 3.44.0 from Factory
* Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow
* sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86.
* Obsoletes sqlite-CVE-2022-46908.patch
* Obsoletes sqlite-src-3390000-func7-pg-181.patch
- libtirpc
-
- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862)
- libxml2
-
- Security update:
* [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
in tree.c
- Added file libxml2-CVE-2023-45322.patch
- libzypp
-
- Preliminary disable 'rpm --runposttrans' usage for chrooted
systems (bsc#1216091)
This limits the %transfiletrigger(postun|in) support in the
default installer if --root is used (as described in bsc#1041742).
The chrooted execution of the scripts in 'rpm --runposttrans'
broke in rpm-4.18. It's expected to be fixed in rpm-4.19.
Then we'll enable the feature again.
- fix comment typo on zypp.conf (boo#1215979)
- version 17.31.22 (22)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm
supports it (bsc#1041742)
Decide during installation whether rpm is capable of delayed
%posttrans %transfiletrigger(postun|in) execution or whether we
can just handle the packages %posttrans. On TW a delayed
%transfiletrigger handling is possible since rpm-4.17.
- Make sure the old target is deleted before a new one is created
(bsc#1203760)
- version 17.31.21 (22)
- psmisc
-
- Fix version at configure time as there was no .tarball-version
- python-psutil
-
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Fix tests: setuptools changed the builddir library path and does
not find the module from it. Use the installed platlib instead
and exclude psutil.tests only later.
- Refresh skip-obs.patch
- salt
-
- Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157)
- Allow all primitive grain types for autosign_grains (bsc#1214477)
- Added:
* allow-all-primitive-grain-types-for-autosign_grains-.patch
* fix-cve-2023-34049-bsc-1215157.patch
- Fix optimization_order opt to prevent testsuite fails
- Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
- Use salt-call from salt bundle with transactional_update
- Only call native_str on curl_debug message in tornado when needed
- Implement the calling for batch async from the salt CLI
- Fix calculation of SLS context vars when trailing dots
on targetted sls/state (bsc#1213518)
- Rename salt-tests to python3-salt-testsuite
- Added:
* only-call-native_str-on-curl_debug-message-in-tornad.patch
* fix-calculation-of-sls-context-vars-when-trailing-do.patch
* use-salt-call-from-salt-bundle-with-transactional_up.patch
* implement-the-calling-for-batch-async-from-the-salt-.patch
* improve-salt.utils.json.find_json-bsc-1213293.patch
* fix-optimization_order-opt-to-prevent-test-fails.patch
- python-urllib3
-
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
gh#urllib3/urllib3@4e98d57809da
- rsyslog
-
- fix rsyslog crash in imrelp (bsc#1210286)
* add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
- runc
-
- Update to runc v1.1.10. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
- suse-build-key
-
- replace libzypp-post-script based installation with a systemd timer
and service.
- suse-build-key-import.service
- suse-build-key-import.timer
- vim
-
- Updated to version 9.0 with patch level 2103, fixes the following security problems
* Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
* Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
* Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
* Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103
- xen
-
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
fully effective (XSA-446)
xsa446.patch
- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
IOMMU quarantine page table levels (XSA-445)
xsa445.patch
- zypper
-
- Return 104 also if info suggests near matches (fixes #504)
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- Fix typo (fixes #484)
- version 1.14.66
- Fix some typos and spelling errors found by Lintian (fixes #501)
- Prefer unaliased `grep` to avoid unexpected/wrong completions.
(#503)
- commit: Insert a headline to separate output of different rpm
scripts (bsc#1041742)
- Fix typo in changes file.
- version 1.14.65