000release-packages:SUSE-MicroOS-release
n/a
containerd
- Update to containerd v1.7.8. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.8> bsc#1200528
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
curl
- Security fixes:
  * [bsc#1217573, CVE-2023-46218] cookie mixed case PSL bypass
  * Add patches:
  - curl-http-lowercase-headernames-for-HTTP-2-and-HTTP-3.patch
  - curl-CVE-2023-46218.patch
dracut
- Update to version 049.1+suse.257.gf94c3fd1:
  * fix(udev-rules): Correct network device naming (bsc#1192986)
gpg2
- Suppress error message on trial reading as PEM format when using
  dirmngr to validate broken DER encoded files (bsc#1217212)
  * Add patches:
  - gnupg-dirmngr-Suppress-error-message-on-trial-reading-as-PEM.patch
  - gnupg-dirmngr-Clear-the-error-count-to-try-certificate-as-binary.patch
kernel-default
- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- net: mana: Fix MANA VF unload when hardware is unresponsive
  (bsc#1214764).
- commit b006ee9

- Call flush_delayed_fput() from nfsd main-loop (bsc#1217408).
- commit f407bf4

- powerpc: Don't clobber f0/vs0 during fp|altivec register save
  (bsc#1217780).
- commit 96932d7

- netfilter: conntrack: dccp: copy entire header to stack buffer,
  not just basic one (CVE-2023-39197 bsc#1216976).
- commit 5e51ad1

- kernel-binary: suse-module-tools is also required when installed
  Requires(pre) adds dependency for the specific sciptlet.
  However, suse-module-tools also ships modprobe.d files which may be
  needed at posttrans time or any time the kernel is on the system for
  generating ramdisk. Add plain Requires as well.
- commit 8c12816

- net/tls: do not free tls_rec on async operation in
  bpf_exec_tx_verdict() (bsc#1217332 CVE-2023-6176).
- commit 20678d9

- ALSA: hda: Disable power-save on KONTRON SinglePC (bsc#1217140).
- commit ad1e507

- README.SUSE: fix patches.addon use
  It's series, not series.conf in there.
  And make it more precise on when the patches are applied.
- commit cb8969c

- Do not store build host name in initrd
  Without this patch, kernel-obs-build stored the build host name
  in its .build.initrd.kvm
  This patch allows for reproducible builds of kernel-obs-build and thus
  avoids re-publishing the kernel-obs-build.rpm when nothing changed.
  Note that this has no influence on the /etc/hosts file
  that is used during other OBS builds.
  https://bugzilla.opensuse.org/show_bug.cgi?id=1084909
- commit fd3a75e

- Ensure ia32_emulation is always enabled for kernel-obs-build
  If ia32_emulation is disabled by default, ensure it is enabled
  back for OBS kernel to allow building 32bit binaries (jsc#PED-3184)
  [ms: Always pass the parameter, no need to grep through the config which
  may not be very reliable]
- commit 56a2c2f

- kobject: Fix slab-out-of-bounds in fill_kobj_path() (bsc#1216058
  CVE-2023-45863).
- commit 1b6a097

- rpm: Define git commit as macro
- commit bcc92c8

- kernel-source: Move provides after sources
- commit dbbf742

- patches.suse/0003-btrfs-tree-checker-Refactor-prev_key-check-for-ino-i.patch:
  (bsc#1215371).
- commit 39aefaa

- patches.suse/0002-btrfs-tree-checker-Add-check-for-INODE_REF.patch:
  (bsc#1215371).
- commit d3fc74a

- patches.suse/0001-btrfs-tree-checker-Try-to-detect-missing-INODE_ITEM.patch:
  (bsc#1215371).
- commit b772e7a

- rpm/check-for-config-changes: add HAVE_SHADOW_CALL_STACK to IGNORED_CONFIGS_RE
  Not supported by our compiler.
- commit eb32b5a

- igb: set max size RX buffer when store bad packet is enabled
  (bsc#1216259 CVE-2023-45871).
- commit 9445d70

- drm/qxl: fix UAF on handle creation (CVE-2023-39198
  bsc#1216965).
- commit a0819bc

- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in
  HCIUARTGETPROTO (bsc#1210780 CVE-2023-31083).
- commit 7f7eb62

- perf/core: Fix potential NULL deref (bsc#1216584 CVE-2023-5717).
- commit dbf3f79

- perf: Disallow mis-matched inherited group reads (bsc#1216584 CVE-2023-5717).
  Implement KABI fix for above
- commit c397b9e

- rpm/check-for-config-changes: add AS_WRUSS to IGNORED_CONFIGS_RE
  Add AS_WRUSS as an IGNORED_CONFIGS_RE entry in check-for-config-changes
  to fix build on x86_32.
  There was a fix submitted to upstream but it was not accepted:
  https://lore.kernel.org/all/20231031140504.GCZUEJkMPXSrEDh3MA@fat_crate.local/
  So carry this in IGNORED_CONFIGS_RE instead.
- commit 7acca37

- Fix patches.suse/io_uring-used-cached-copies-of-sq-dropped-and-cq-ove.patch. (bsc#1214344)
  To protect itself against userspace corrupting the counter of io_uring
  dropped submission entries, the kernel relies on a cache of the counter
  instead of reading the counter directly.  But, the stable patch that was
  brought to SP3 implementing the this mechanism was done incorrectly, and
  let's the kernel read from the userspace value instead of the cache in
  one situation. This allows userspace to subvert the counter, hanging the
  application forever. Fix the backport to read from the cached value.
  5.3 stable is long dead, so there is nothing to fix upstream or in
  - stable.
- commit 2f88408
gcc13
- Add gcc13-bsc1216664.patch, works around SAP ASE DB crash during
  C++ standard library initialization.  [bsc#1216664]

- add pr111411.patch (bsc#1215427)
openssl-1_1
- Security fix: [bsc#1216922, CVE-2023-5678]
  * Fix excessive time spent in DH check / generation with large Q
    parameter value.
  * Applications that use the functions DH_generate_key() to generate
    an X9.42 DH key may experience long delays. Likewise,
    applications that use DH_check_pub_key(), DH_check_pub_key_ex
    () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
    DH parameters may experience long delays. Where the key or
    parameters that are being checked have been obtained from an
    untrusted source this may lead to a Denial of Service.
  * Add openssl-CVE-2023-5678.patch
sqlite3
- Sync version 3.44.0 from Factory
  * Fixes bsc#1210660, CVE-2023-2137: Heap buffer overflow
  * sqlite3-rtree-i686.patch: temporary build fix for 32-bit x86.
  * Obsoletes sqlite-CVE-2022-46908.patch
  * Obsoletes sqlite-src-3390000-func7-pg-181.patch
libtirpc
- fix sed parsing for libtirpc.pc.in in specfile (boo#1216862)
libxml2
- Security update:
  * [CVE-2023-45322, bsc#1216129] use-after-free in xmlUnlinkNode()
    in tree.c
  - Added file libxml2-CVE-2023-45322.patch
libzypp
- Preliminary disable 'rpm --runposttrans' usage for chrooted
  systems (bsc#1216091)
  This limits the %transfiletrigger(postun|in) support in the
  default installer if --root is used (as described in bsc#1041742).
  The chrooted execution of the scripts in 'rpm --runposttrans'
  broke in rpm-4.18. It's expected to be fixed in rpm-4.19.
  Then we'll enable the feature again.
- fix comment typo on zypp.conf (boo#1215979)
- version 17.31.22 (22)

- Attempt to delay %transfiletrigger(postun|in) execution if rpm
  supports it (bsc#1041742)
  Decide during installation whether rpm is capable of delayed
  %posttrans %transfiletrigger(postun|in) execution or whether we
  can just handle the packages %posttrans. On TW a delayed
  %transfiletrigger handling is possible since rpm-4.17.
- Make sure the old target is deleted before a new one is created
  (bsc#1203760)
- version 17.31.21 (22)
psmisc
- Fix version at configure time as there was no .tarball-version
python-psutil
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- Fix tests: setuptools changed the builddir library path and does
  not find the module from it. Use the installed platlib instead
  and exclude psutil.tests only later.
- Refresh skip-obs.patch
salt
- Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157)
- Allow all primitive grain types for autosign_grains (bsc#1214477)
- Added:
  * allow-all-primitive-grain-types-for-autosign_grains-.patch
  * fix-cve-2023-34049-bsc-1215157.patch

- Fix optimization_order opt to prevent testsuite fails
- Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
- Use salt-call from salt bundle with transactional_update
- Only call native_str on curl_debug message in tornado when needed
- Implement the calling for batch async from the salt CLI
- Fix calculation of SLS context vars when trailing dots
  on targetted sls/state (bsc#1213518)
- Rename salt-tests to python3-salt-testsuite
- Added:
  * only-call-native_str-on-curl_debug-message-in-tornad.patch
  * fix-calculation-of-sls-context-vars-when-trailing-do.patch
  * use-salt-call-from-salt-bundle-with-transactional_up.patch
  * implement-the-calling-for-batch-async-from-the-salt-.patch
  * improve-salt.utils.json.find_json-bsc-1213293.patch
  * fix-optimization_order-opt-to-prevent-test-fails.patch
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
runc
- Update to runc v1.1.10. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.10>.
suse-build-key
- replace libzypp-post-script based installation with a systemd timer
  and service.
  - suse-build-key-import.service
  - suse-build-key-import.timer
vim
- Updated to version 9.0 with patch level 2103, fixes the following security problems
  * Fixing bsc#1215940 (CVE-2023-5344) - VUL-0: CVE-2023-5344: vim: Heap-based Buffer Overflow in vim prior to 9.0.1969.
  * Fixing bsc#1216001 (CVE-2023-5441) - VUL-0: CVE-2023-5441: vim: segfault in exmode when redrawing
  * Fixing bsc#1216167 (CVE-2023-5535) - VUL-0: CVE-2023-5535: vim: use-after-free from buf_contents_changed()
  * Fixing bsc#1216696 (CVE-2023-46246) - VUL-0: CVE-2023-46246: vim: Integer Overflow in :history command
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1894...v9.0.2103
xen
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch
zypper
- Return 104 also if info suggests near matches (fixes #504)
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- Fix typo (fixes #484)
- version 1.14.66

- Fix some typos and spelling errors found by Lintian (fixes #501)
- Prefer unaliased `grep` to avoid unexpected/wrong completions.
  (#503)
- commit: Insert a headline to separate output of different rpm
  scripts (bsc#1041742)
- Fix typo in changes file.
- version 1.14.65