suse-sle-micro-5-2-byos-v20250130-x86_64 Package Source Changes

000release-packages:SUSE-MicroOS-release

n/a

aaa_base

- Add patch git-50-845b509c9a005340a0455cb8a7fe084d1b8f1946.patch
  * Add mc helpers for both tcsh and bash resources (boo#1203617)

containerd

- Update to containerd v1.7.23. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.23>
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.22. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.22>
- Bump minimum Go version to 1.22.
- Rebase patches:
  * 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

docker

- Update docker-buildx to v0.19.2. See upstream changelog online at
  <https://github.com/docker/buildx/releases/tag/v0.19.2>.
  Some notable changelogs from the last update:
  * <https://github.com/docker/buildx/releases/tag/v0.19.0>
  * <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.

- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
  disable the SUSEConnect integration with Docker (which creates special mounts
  in /run/secrets to allow container-suseconnect to authenticate containers
  with registries on registered hosts). bsc#1231348 bsc#1232999
  In order to disable these mounts, just do
    echo 0 > /etc/docker/suse-secrets-enable
  and restart Docker. In order to re-enable them, just do
    echo 1 > /etc/docker/suse-secrets-enable
  and restart Docker. Docker will output information on startup to tell you
  whether the SUSE secrets feature is enabled or not.
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

- Disable docker-buildx builds for SLES. It turns out that build containers
  with docker-buildx don't currently get the SUSE secrets mounts applied,
  meaning that container-suseconnect doesn't work when building images.
  bsc#1233819

- Add docker-integration-tests-devel subpackage for building and running the
  upstream Docker integration tests on machines to test that Docker works
  properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
  tests package, since it contains a bunch of stuff that wouldn't normally be
  allowed.

- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from
  sysconfig a long time ago, and apparently this causes issues with systemd in
  some cases.

- Further merge docker and docker-stable specfiles to minimise the differences.
  The main thing is that we now include both halves of the
  Conflicts/Provides/Obsoletes dance in both specfiles.

- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we
  are replacing. See upstream changelog online at
  <https://github.com/docker/buildx/releases/tag/v0.17.1>

- Allow users to disable SUSE secrets support by setting
  DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348
  bsc#1232999

- Add %{_sysconfdir}/audit/rules.d to filelist.

- Mark docker-buildx as required since classic "docker build" has been
  deprecated since Docker 23.0. bsc#1230331
- Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate
  package, but with docker-stable it will be necessary to maintain the packages
  together and it makes more sense to have them live in the same OBS package.
  bsc#1230333
- Make some minor name macro updates to help with the docker-stable package
  fork.

- Update to Docker 26.1.5-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/26.1/#2615>
  bsc#1230294
- This update includes fixes for:
  * CVE-2024-41110. bsc#1228324
  * CVE-2023-47108. bsc#1217070
  * CVE-2023-45142. bsc#1228553
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
  * 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
  * cli-0001-docs-include-required-tools-in-source-tree.patch

kernel-default

- smb: client: fix use-after-free of signing key (bsc#1234921,
  CVE-2024-53179).
- commit 3b35702

- smb: client: fix use-after-free of signing key (bsc#1234921,
  CVE-2024-53179).
- commit c3470ed

- scsi: sg: Fix slab-use-after-free read in sg_release()
  (CVE-2024-56631 bsc#1235480).
- commit 39e048d

- 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584).
- commit 19bad6c

- NFSv4.0: Fix a use-after-free problem in the asynchronous open()
  (CVE-2024-53173 bsc#1234891).
- commit a94e553

- Bluetooth: L2CAP: do not leave dangling sk pointer on error
  in l2cap_sock_create() (CVE-2024-56605 bsc#1235061).
- commit 20f98a1

- media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
  (CVE-2022-49035 bsc#1215304).
- commit da4fde6

- net: mana: Increase the DEF_RX_BUFFERS_PER_QUEUE to 1024
  (bsc#1235246).
- commit 4fbdfe2

- wifi: mwifiex: Fix memcpy() field-spanning write warning in
  mwifiex_config_scan() (CVE-2024-56539 bsc#1234963).
- commit ee60ab9

- vfio/pci: Properly hide first-in-list PCIe extended capability
  (bsc#1235004 CVE-2024-53214).
- commit bf247b6

- Bluetooth: RFCOMM: avoid leaving dangling sk pointer in
  rfcomm_sock_alloc() (bsc#1235056 CVE-2024-56604).
- commit 59e9445

- Bluetooth: Consolidate code around sk_alloc into a helper
  function (bsc#1235056 CVE-2024-56604).
  Refresh
  patches.suse/Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch.
- commit 8ac1fe3

- Bluetooth: hci_sock: purge socket queues in the destruct()
  callback (bsc#1235056 CVE-2024-56604).
- commit 5fdf3eb

- hfsplus: don't query the device logical block size multiple
  times (bsc#1235073 CVE-2024-56548).
- commit 14dfa57

- wifi: ath9k: add range check for conn_rsp_epid in
  htc_connect_service() (CVE-2024-53156 bsc#1234846).
- commit 4be0730

- ALSA: 6fire: Release resources at card release (CVE-2024-53239
  bsc#1235054).
- commit 21c90ac

- NFSD: Prevent a potential integer overflow (CVE-2024-53146
  bsc#1234853).
- commit eb512aa

- Update
  patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch
  (git-fixes bsc#1230697 CVE-2024-8805 CVE-2024-53144
  bsc#1234690).
- commit 192af19

- Update
  patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
  (CVE-2023-52524 bsc#1220937 bsc#1220927).
- commit 6f47795

- xen/netfront: fix crash when removing device (XSA-465
  CVE-2024-53240 bsc#1234281).
- commit b0ad117

- Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
  (git-fixes, bsc#1230697, CVE-2024-8805).
- commit da492aa

- Update
  patches.suse/initramfs-avoid-filename-buffer-overrun.patch
  (CVE-2024-53142 bsc#1232436).
- commit 160662b

cryptsetup

- luksFormat succeeds despite creating corrupt device [bsc#1234273]
  * Add a better warning if luksFormat ends with image without any space for data.
  * Print warning early if LUKS container is too small for activation.
  * Add patches:
  - cryptsetup-Add-a-better-warning-if-luksFormat-no-space-for-data.patch
  - cryptsetup-Print-warning-early-if-LUKS-container-is-too-small-for-activation.patch

libzypp

- Url: queryparams without value should not have a trailing "=".
- version 17.35.16 (35)

- Url query part: `=` is a safe char in value (bsc#1234304)
- RpmDb: Recognize rpmdb.sqlite as database file (#593)
- Fix typo (fixes #592)
- cmake: check location of fcgi header and adjust include
  accordingly. On Debian and derivatives the fcgi headers
  are not stored in a fastcgi/ subdirectory.(#590)
- version 17.35.15 (35)

python-Jinja2

- Add security patch CVE-2024-56326.patch (bsc#1234809)

rsync

- Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
  * Added rsync-fix-FLAG_GOT_DIR_FLIST.patch

- Security update,CVE-2024-12747, bsc#1235475 race condition in handling symbolic links
  * Added rsync-CVE-2024-12747.patch

- Security update, fix multiple vulnerabilities:
  * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR
  * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files
  * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory
  using symbolic links
  * CVE-2024-12088, bsc#1234104 - --safe-links Bypass
  * Added rsync-CVE-2024-12085.patch
  * Added rsync-CVE-2024-12086_01.patch
  * Added rsync-CVE-2024-12086_02.patch
  * Added rsync-CVE-2024-12086_03.patch
  * Added rsync-CVE-2024-12086_04.patch
  * Added rsync-CVE-2024-12087_01.patch
  * Added rsync-CVE-2024-12087_02.patch
  * Added rsync-CVE-2024-12088.patch
  * Added rsync-fix-compile-missing-my_alloc_ref.patch

zypper

- info: Allow to query a specific version (jsc#PED-11268)
  To query for a specific version simply append "-<version>" or
  "-<version>-<release>" to the "<name>" pattern. Note that the
  edition part must always match exactly.
- version 1.14.79