- SAPHanaSR
-
- Version bump to 0.155.0
- The resource start and stop timeout is now configurable by
increasing the timeout for the action 'start' and/or 'stop'.
We will use 95% of these action timeouts to calculate the new
resource start and stop timeout for the 'WaitforStarted' and
'WaitforStopped' functions. If the new, calculated timeout value
is less than '3600', it will be set to '3600', so that we do not
decrease this timeout by accident.
(bsc#1182545)
- change promotion scoring during maintenance procedure to prevent
both sides from having an equal promotion scoring after refresh,
which might result in a critical promotion of the secondary.
(bsc#1174557)
- update of man page SAPHanaSR.py.7 - correct the supported HANA
version.
(bsc#1182201)
- if the $hdbState command fails to retrieve the current state of
the System Replication, the resource agent now uses the
system_replication/actual_mode attribute (if available) from the
global.ini file as a fallback.
This should prevent some confusing and misleading log messages
during a takeover and solves the problem of a non-working
takeover back (after a successful first takeover).
(bsc#1181765)
- add dedicated logging of HANA_CALL problems. It is now
possible to identify whether the called hana command or the needed
su command throws the error, and for further hints we log the
stderr output.
Additionally, it is possible to get regular log messages for the
used commands, their return code and their stderr output by
enabling the 'debug' mode of the resource agents.
(bsc#1182774)
- bind
-
- When using forwarders, bogus NS records supplied by, or via, those
forwarders may be cached and used by named if it needs to recurse
for any reason, causing it to obtain and pass on potentially
incorrect answers.
[CVE-2021-25220, bsc#1197135, bind-9.11.37-0001-CVE-2021-25220.patch]
- cloud-regionsrv-client
-
- Update to version 10.0.2
+ Fix name of logfile in error message
+ Fix variable scoping to properly detect registration error
+ Cleanup any artifacts on registration failure
+ Fix latent bug with /etc/hosts population
+ Do not throw error when attempting to unregister a system that is not
registered
+ Skip extension registration if the extension is recommended by the
baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
+ Provide status feedback on registration, success or failure
+ Log warning message if data provider is configured but no data
can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
+ The repo enablement timer cannot depend on guestregister.service
- cluster-glue
-
- (jsc#SLE-23493) (jsc#SLE-23987) (jsc#SLE-23989)
IMDSv2 support in ec2 stonith agent
* add upstream patch:
0001-Update-external-ec2-to-support-IMDSv2.patch
- compat-openssl098
-
- Security Fix: [bsc#1196877, CVE-2022-0778]
* Infinite loop in BN_mod_sqrt() reachable when parsing certificates
* Add openssl-CVE-2022-0778.patch
- crmsh
-
- Update to version 4.1.1+git.1646015979.1be4546d:
* Fix: parse: Should still be able to show the empty property if it already exists (bsc#1188290)
- expat
-
- Security fixes:
* (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
breaks biboumi, ClairMeta, jxmlease, libwbxml,
openleadr-python, rnv, xmltodict
- Added expat-CVE-2022-25236-relax-fix.patch
- gcc11
-
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
packages provided by older GCC work. Add a requires from that
package to the corresponding libstdc++6 package to keep those
at the same version. [bsc#1196107]
- Add gcc11-D-dependence-fix.patch to fix memory corruption when
creating dependences with the D language frontend.
- Sync cross.spec.in to avoid trying to build cross-aarch64-gcc1-bootstrap
on aarch64 which is unresolvable.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
to Recommends.
- glib2
-
- Add glib2-CVE-2021-3800.patch: Fix a flaw due to random charset
alias, pkexec can leak content from files owned by privileged
users to unprivileged ones under the right condition (bsc#1191489,
glgo#GNOME/glib!1369)
- java-1_7_1-ibm
-
- Update to Java 7.1 Service Refresh 7 Fix Pack 5 [bsc#1197126]
* https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
[bsc#1194927, CVE-2022-21366] [bsc#1194928, CVE-2022-21365]
[bsc#1194929, CVE-2022-21360] [bsc#1196500, CVE-2022-21349]
[bsc#1194941, CVE-2022-21341] [bsc#1194940, CVE-2022-21340]
[bsc#1194939, CVE-2022-21305] [bsc#1194930, CVE-2022-21277]
[bsc#1194931, CVE-2022-21299] [bsc#1194932, CVE-2022-21296]
[bsc#1194933, CVE-2022-21282] [bsc#1194934, CVE-2022-21294]
[bsc#1194935, CVE-2022-21293] [bsc#1194925, CVE-2022-21291]
[bsc#1194937, CVE-2022-21283] [bsc#1194926, CVE-2022-21248]
[CVE-2022-21271]
- libtirpc
-
- fix memory leak in client protocol version 2 code (bsc#1193805)
- update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- mozilla-nss
-
- Mozilla NSS 3.68.3 (bsc#1197903)
This release improves the stability of NSS when used in a multi-threaded
environment. In particular, it fixes memory safety violations that
can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
We presume that with enough effort these memory safety violations are exploitable.
* Remove token member from NSSSlot struct (bmo#1756271).
* Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
(bmo#1755555).
* Check return value of PK11Slot_GetNSSToken (bmo#1370866).
- openssl-1_0_0
-
- Security Fix: [bsc#1196249]
* Allow CRYPTO_THREADID_set_callback to be called with NULL parameter
* Add openssl-CRYPTO_THREADID_set_callback.patch
- Security Fix: [bsc#1196877, CVE-2022-0778]
* Infinite loop in BN_mod_sqrt() reachable when parsing certificates
* Add openssl-CVE-2022-0778.patch
- python
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
(bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
- python-base
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
(bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
- python3
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- python3-base
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- salt
-
- (CVE-2020-22934) (CVE-2020-22935) (CVE-2020-22936) (CVE-2020-22941) (bsc#1197417)
- Added:
* patch_for_cve_bsc1197417.patch
- suse-build-key
-
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Container signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- removed old security key.
- timezone
-
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not -03-26
* zdump -v now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
- util-linux
-
- Apply a simple work-around for root owning of
/var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "su -s" bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
(bsc#1188921, CVE-2021-37600,
util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
util-linux-ipcs-shmall-overflow-1.patch,
util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
util-linux-libblkid-cdrom-autoclose-1.patch,
util-linux-libblkid-cdrom-autoclose-2.patch,
util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
* Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
Avoid sulogin failing on non-existent or non-functional console
devices (bsc#1175514)
- Build with libudev support to support non-root users
(boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
configurations
(bsc#1175623, bsc#1178554, bsc#1178825,
lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
to CIFS with mount -a.
- blockdev: Do not fail --report on kpartx-style partitions on
multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
(bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
Avoid triggering autofs in lookup_umount_fs_by_statfs
(boo#1168389)
- Issue a warning for outdated pam files
(bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
(boo#1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
(boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
util-linux-agetty-smart-reload-01.patch,
util-linux-agetty-smart-reload-02.patch,
util-linux-agetty-smart-reload-03.patch,
util-linux-agetty-smart-reload-04.patch,
util-linux-agetty-smart-reload-05.patch,
util-linux-agetty-smart-reload-06.patch,
util-linux-agetty-smart-reload-07.patch,
util-linux-agetty-smart-reload-08.patch,
util-linux-agetty-smart-reload-09.patch,
util-linux-agetty-smart-reload-10.patch,
util-linux-agetty-smart-reload-11.patch,
util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
(bsc#1085196, bsc#1125886,
util-linux-agetty-smart-reload-13.patch,
util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
entering logname; echo is generated by the agetty itself.
(In the past, logname echo was generated locally by the terminal,
using the canonical line editing mode.)
- util-linux-systemd
-
- Apply a simple work-around for root owning of
/var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "su -s" bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
(bsc#1188921, CVE-2021-37600,
util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
util-linux-ipcs-shmall-overflow-1.patch,
util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
util-linux-libblkid-cdrom-autoclose-1.patch,
util-linux-libblkid-cdrom-autoclose-2.patch,
util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
* Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
Avoid sulogin failing on non-existent or non-functional console
devices (bsc#1175514)
- Build with libudev support to support non-root users
(boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
configurations
(bsc#1175623, bsc#1178554, bsc#1178825,
lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
to CIFS with mount -a.
- blockdev: Do not fail --report on kpartx-style partitions on
multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
(bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
Avoid triggering autofs in lookup_umount_fs_by_statfs
(boo#1168389)
- Issue a warning for outdated pam files
(bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
(boo#1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
(boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
util-linux-agetty-smart-reload-01.patch,
util-linux-agetty-smart-reload-02.patch,
util-linux-agetty-smart-reload-03.patch,
util-linux-agetty-smart-reload-04.patch,
util-linux-agetty-smart-reload-05.patch,
util-linux-agetty-smart-reload-06.patch,
util-linux-agetty-smart-reload-07.patch,
util-linux-agetty-smart-reload-08.patch,
util-linux-agetty-smart-reload-09.patch,
util-linux-agetty-smart-reload-10.patch,
util-linux-agetty-smart-reload-11.patch,
util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
(bsc#1085196, bsc#1125886,
util-linux-agetty-smart-reload-13.patch,
util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
entering logname; echo is generated by the agetty itself.
(In the past, logname echo was generated locally by the terminal,
using the canonical line editing mode.)
- zlib
-
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
* zlib-bsc1197459.patch