- avahi
-
- Update avahi-daemon-check-dns-suse.patch to drop privileges when
invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
- csync2
-
- VUL-1: csync2: bad TLS key generation on installation (bsc#1145032)
Adapt suggested changes in %post section.
Do not hide output on standard error during generating the keys.
- file
-
- Add patch 0446fadf.patch to fix bsc#1182138
* Bug in "/echo 8000 | file -"/ gzip
- grub2
-
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
* 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
* 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
* 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
* 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
* 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
* 0033-util-mkimage-Improve-data_size-value-calculation.patch
* 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
* 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
* 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
* 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
* 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
* 0022-kern-parser-Fix-a-memory-leak.patch
* 0023-kern-parser-Introduce-process_char-helper.patch
* 0024-kern-parser-Introduce-terminate_arg-helper.patch
* 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
* 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
* 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
* 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
* 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
* 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
* 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
* 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
* 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
* 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
* 0005-efi-Add-secure-boot-detection.patch
* 0006-kern-Add-lockdown-support.patch
* 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
* 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
* 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
* 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
* 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
* 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
* 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
* 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
* 0015-gdb-Restrict-GDB-access-when-locked-down.patch
* 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
* 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
* 0038-squash-grub2-efi-chainload-harder.patch
* 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
* 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
* 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
* grub2.spec
- hawk2
-
- Update to version 2.6.0:
* Use fullpath of binary (bsc#1181436)
* remove %x (bsc#1182163)
- openldap2-client
-
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
* 0218-ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
* 0220-ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
* 0221-ITS-9427-fix-issuerAndThisUpdateCheck.patch
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
* 0222-ITS-9428-fix-cancel-exop.patch
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
* 0216-ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
* 0215-ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
* 0214-ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
* 0217-ITS-9413-fix-slap_parse_user.patch
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
* 0211-ITS-9406-9407-remove-saslauthz-asserts.patch
* 0212-ITS-9406-fix-debug-msg.patch
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
* 0210-ITS-9404-fix-serialNumberAndIssuerCheck.patch
* 0219-ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
* 0213-ITS-9408-fix-vrfilter-double-free.patch
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
* patch: 0209-ITS-9454-fix-issuerAndThisUpdateCheck.patch
- python-Jinja2
-
- Add patch CVE-2020-28493-ReDOS-vuln.patch (bsc#1181944, CVE-2020-28493)
* Improve the speed of the ``urlize`` filter by reducing regex
backtracking. Email matching requires a word character at the start
of the domain part, and only word characters in the TLD.
- python-cryptography
-
- Add patch CVE-2020-36242-buffer-overflow.patch (bsc#1182066, CVE-2020-36242)
* Using the Fernet class to symmetrically encrypt multi gigabyte values
could result in an integer overflow and buffer overflow.