- SAPHanaSR
-
- Version bump to 0.155.0
- Add systemd support for the resource agent to interact with the
new SAP unit files for sapstartsrv.
As the new version of the SAP Startup Framework will use systemd
unit files to control the sapstartsrv process instead of the
previous used SysV init script, we need to adapt the handling of
sapstartsrv inside the resource agents to support both ways.
(bsc#1189530, bsc#1189531)
- The resource start and stop timeout is now configurable by
increasing the timeout for the action 'start' and/or 'stop'.
We will use 95% of this action timeouts to calculate the new
resource start and stop timeout for the 'WaitforStarted' and
'WaitforStopped' functions. If the new, calculated timeout value
is less than '3600', it will be set to '3600', so that we do not
decrease this timeout by accident
(bsc#1182545)
- change promotion scoring during maintenance procedure to prevent
that both sides have an equal promotion scoring after refresh
which might result in a critical promotion of the secondary.
(bsc#1174557)
- update of man page SAPHanaSR.py.7 - correct the supported HANA
version.
(bsc#1182201)
- if the $hdbState command fails to retrieve the current state of
the System Replication, the resource agent now uses the
system_replication/actual_mode attribute (if available) from the
global.ini file as a fallback.
This should prevent some confusing and misleading log messages
during a takeover and solves the problem of a not working
takeover back (after a successful first takeover)
(bsc#1181765)
- add dedicated logging of HANA_CALL problems. So it will be now
possible to identify, if the called hana command or the needed
su command throws the error and for further hints we log the
stderr output.
Additional it is possible to get regular log messages for the
used commands, their return code and their stderr output by
enabling the 'debug' mode of the resource agents.
(bsc#1182774)
- aaa_base
-
- fix (bsc#1194883) - aaa_base: Set net.ipv4.ping_group_range to
allow ICMP ping
- added patches
+ git-40-d004657a244d75b372a107c4f6097b42ba1992d5.patch
- Port change from Thu Sep 30 08:51:55 UTC 2022 forword to
current version which includes a rename of patch
git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
to
git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
as otherwise autopatch macro does not work anymore
- Include all fixes and changes for systemwide inputrc to remove
the 8 bit escape sequence which interfere with UTF-8 multi byte
characters as well as support the vi mode of readline library.
This is done with the patches
* git-41-f00ca2600331602241954533a1b1610d1da57edf.patch
* git-42-f39a8d18719c3b34373e0e36098f0f404121b5c5.patch
before the changed patch
git-13-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
rename it to
git-43-14003c19eaa863ae9d80a0ebb9b5cab6273a5a9e.patch
and also add the patches
* git-44-425f3e9b44ba9ead865d70ff6690d5f2869442dc.patch
* git-45-bf0a31597d0ed3562bfc5e6be0ade2fe5dc1f7a1.patch
- augeas
-
- support new chrony 4.1 options (jsc#SLE-17334)
augeas-new_options_for_chrony.patch
- avahi
-
- Downgrade python3-Twisted to a Recommends. It is not available
on SLED or PackageHub, and it is only needed by avahi-bookmarks
(bsc#1196282).
- Add avahi-bookmarks-import-warning.patch: fix warning when
twisted is not available.
- Replace avahi-0.6.31-systemd-order.patch with
avahi-add-resolv-conf-to-inotify.patch: re-read configuration
when resolv.conf changes, per discussion on the bug
(boo#1194561).
- Have python3-avahi require python3-dbus-python, not the
python 2 dbus-1-python package (bsc#1195614).
- Reinstate avahi-0.6.31-systemd-order.patch (boo#1194561).
This can probably go away if/when gh#lathiat/avahi#118 is fixed.
- Drop avahi-0.6.32-suppress-resolv-conf-warning.patch: we should
no longer need this given the above patch.
- Move sftp-ssh and ssh services to the doc directory. They allow
a host's up/down status to be easily discovered and should not
be enabled by default (boo#1179060).
- bind
-
- When using forwarders, bogus NS records supplied by, or via, those
forwarders may be cached and used by named if it needs to recurse
for any reason, causing it to obtain and pass on potentially
incorrect answers.
[CVE-2021-25220, bsc#1197135, bind-9.16.27-0001-CVE-2021-25220.patch]
- cloud-init
-
- Update to version 21.4 (bsc#1192343, jsc#PM-3181)
+ Also include VMWare functionality for (jsc#PM-3175)
+ Remove patches included upstream:
- cloud-init-purge-cache-py-ver-change.patch
- cloud-init-update-test-characters-in-substitution-unit-test.patch
+ Forward port:
- cloud-init-write-routes.patch
- cloud-init-no-tempnet-oci.patch
+ Add cloud-init-vmware-test.patch
- Test is system dependend, not properly mocked
+ Azure: fallback nic needs to be reevaluated during reprovisioning
(#1094) [Anh Vo]
+ azure: pps imds (#1093) [Anh Vo]
+ testing: Remove calls to 'install_new_cloud_init' (#1092)
+ Add LXD datasource (#1040)
+ Fix unhandled apt_configure case. (#1065) [Brett Holman]
+ Allow libexec for hotplug (#1088)
+ Add necessary mocks to test_ovf unit tests (#1087)
+ Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)
+ distros: Remove a completed "/TODO"/ comment (#1086)
+ cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)
[dermotbradley]
+ Add "/install hotplug"/ module (SC-476) (#1069) (LP: #1946003)
+ hosts.alpine.tmpl: rearrange the order of short and long hostnames
(#1084) [dermotbradley]
+ Add max version to docutils
+ cloudinit/dmi.py: Change warning to debug to prevent console display
(#1082) [dermotbradley]
+ remove unnecessary EOF string in
disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele
Giuseppe Esposito]
+ Add module 'write-files-deferred' executed in stage 'final' (#916)
[Lucendio]
+ Bump pycloudlib to fix CI (#1080)
+ Remove pin in dependencies for jsonschema (#1078)
+ Add "/Google"/ as possible system-product-name (#1077) [vteratipally]
+ Update Debian security suite for bullseye (#1076) [Johann Queuniet]
+ Leave the details of service management to the distro (#1074)
[Andy Fiddaman]
+ Fix typos in setup.py (#1059) [Christian Clauss]
+ Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)
+ cc_ssh.py: fix private key group owner and permissions (#1070)
[Emanuele Giuseppe Esposito]
+ VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
+ testing: mock sleep in gce unit tests (#1072)
+ CloudStack: fix data-server DNS resolution (#1004)
[Olivier Lemasle] (LP: #1942232)
+ Fix unit test broken by pyyaml upgrade (#1071)
+ testing: add get_cloud function (SC-461) (#1038)
+ Inhibit sshd-keygen@.service if cloud-init is active (#1028)
[Ryan Harper]
+ VMWARE: search the deployPkg plugin in multiarch dir (#1061)
[xiaofengw-vmware] (LP: #1944946)
+ Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)
+ Use specified tmp location for growpart (#1046) [jshen28]
+ .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
+ Allow comments in runcmd and report failed commands correctly (#1049)
[Brett Holman] (LP: #1853146)
+ tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)
[Paride Legovini]
+ Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)
+ renderer: convert relative imports to absolute (#1052) [Paride Legovini]
+ Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
[Vlastimil Holer]
+ integration-requirements: bump the pycloudlib commit (#1047)
[Paride Legovini]
+ Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
+ pin jsonschema in requirements.txt (#1043)
+ testing: remove cloud_tests (#1020)
+ Add andgein as contributor (#1042) [Andrew Gein]
+ Make wording for module frequency consistent (#1039) [Nicolas Bock]
+ Use ascii code for growpart (#1036) [jshen28]
+ Add jshen28 as contributor (#1035) [jshen28]
+ Skip test_cache_purged_on_version_change on Azure (#1033)
+ Remove invalid ssh_import_id from examples (#1031)
+ Cleanup Vultr support (#987) [eb3095]
+ docs: update cc_disk_setup for fs to raw disk (#1017)
+ HACKING.rst: change contact info to James Falcon (#1030)
+ tox: bump the pinned flake8 and pylint version (#1029)
[Paride Legovini] (LP: #1944414)
+ Add retries to DataSourceGCE.py when connecting to GCE (#1005)
[vteratipally]
+ Set Azure to apply networking config every BOOT (#1023)
+ Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)
+ docs: fix typo and include sudo for report bugs commands (#1022)
[Renan Rodrigo] (LP: #1940236)
+ VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]
+ Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)
+ Integration test upgrades for the 21.3-1 SRU (#1001)
+ Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
+ Improve ug_util.py (#1013) [Shreenidhi Shedi]
+ Support openEuler OS (#1012) [zhuzaifangxuele]
+ ssh_utils.py: ignore when sshd_config options are not key/value pairs
(#1007) [Emanuele Giuseppe Esposito]
+ Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
+ cc_update_etc_hosts: Use the distribution-defined path for the hosts
file (#983) [Andy Fiddaman]
+ Add CloudLinux OS support (#1003) [Alexandr Kravchenko]
+ puppet config: add the start_agent option (#1002) [Andrew Bogott]
+ Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
+ Make cloud-id copyright year (#991) [Andrii Podanenko]
+ Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]
+ Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
+ Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
[aswinrajamannar]
+ testing: Fix ssh keys integration test (#992)
- From 21.3
+ Azure: During primary nic detection, check interface status continuously
before rebinding again (#990) [aswinrajamannar]
+ Fix home permissions modified by ssh module (SC-338) (#984)
(LP: #1940233)
+ Add integration test for sensitive jinja substitution (#986)
+ Ignore hotplug socket when collecting logs (#985) (LP: #1940235)
+ testing: Add missing mocks to test_vmware.py (#982)
+ add Zadara Edge Cloud Platform to the supported clouds list (#963)
[sarahwzadara]
+ testing: skip upgrade tests on LXD VMs (#980)
+ Only invoke hotplug socket when functionality is enabled (#952)
+ Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]
+ cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]
+ Replace broken httpretty tests with mock (SC-324) (#973)
+ Azure: Check if interface is up after sleep when trying to bring it up
(#972) [aswinrajamannar]
+ Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]
+ Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]
+ Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]
+ Azure: Limit polling network metadata on connection errors (#961)
[aswinrajamannar]
+ Update inconsistent indentation (#962) [Andrew Kutz]
+ cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]
+ Add Puppet contributors to CLA signers (#964) [Noah Fontes]
+ Datasource for VMware (#953) [Andrew Kutz]
+ photon: refactor hostname handling and add networkd activator (#958)
[sshedi]
+ Stop copying ssh system keys and check folder permissions (#956)
[Emanuele Giuseppe Esposito]
+ testing: port remaining cloud tests to integration testing framework
(SC-191) (#955)
+ generate contents for ovf-env.xml when provisioning via IMDS (#959)
[Anh Vo]
+ Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]
+ Implementing device_aliases as described in docs (#945)
[Mal Graty] (LP: #1867532)
+ testing: fix test_ssh_import_id.py (#954)
+ Add ability to manage fallback network config on PhotonOS (#941) [sshedi]
+ Add VZLinux support (#951) [eb3095]
+ VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]
+ Update pylint to v2.9.3 and fix the new issues it spots (#946)
[Paride Legovini]
+ Azure: mount default provisioning iso before try device listing (#870)
[Anh Vo]
+ Document known hotplug limitations (#950)
+ Initial hotplug support (#936)
+ Fix MIME policy failure on python version upgrade (#934)
+ run-container: fixup the centos repos baseurls when using http_proxy
(#944) [Paride Legovini]
+ tools: add support for building rpms on rocky linux (#940)
+ ssh-util: allow cloudinit to merge all ssh keys into a custom user
file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]
(LP: #1911680)
+ VMware: new "/allow_raw_data"/ switch (#939) [xiaofengw-vmware]
+ bump pycloudlib version (#935)
+ add renanrodrigo as a contributor (#938) [Renan Rodrigo]
+ testing: simplify test_upgrade.py (#932)
+ freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]
+ Add new network activators to bring up interfaces (#919)
+ Detect a Python version change and clear the cache (#857)
[Robert Schweikert]
+ cloud_tests: fix the Impish release name (#931) [Paride Legovini]
+ Removed distro specific network code from Photon (#929) [sshedi]
+ Add support for VMware PhotonOS (#909) [sshedi]
+ cloud_tests: add impish release definition (#927) [Paride Legovini]
+ docs: fix stale links rename master branch to main (#926)
+ Fix DNS in NetworkState (SC-133) (#923)
+ tests: Add 'adhoc' mark for integration tests (#925)
+ Fix the spelling of "/DigitalOcean"/ (#924) [Mark Mercado]
+ Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]
+ Replace deprecated collections.Iterable with abc replacement (#922)
(LP: #1932048)
+ testing: OCI availability domain is now required (SC-59) (#910)
+ add DragonFlyBSD support (#904) [Gonéri Le Bouder]
+ Use instance-data-sensitive.json in jinja templates (SC-117) (#917)
(LP: #1931392)
+ doc: Update NoCloud docs stating required files (#918) (LP: #1931577)
+ build-on-netbsd: don't pin a specific py3 version (#913)
[Gonéri Le Bouder]
+ Create the log file with 640 permissions (#858) [Robert Schweikert]
+ Allow braces to appear in dhclient output (#911) [eb3095]
+ Docs: Replace all freenode references with libera (#912)
+ openbsd/net: flush the route table on net restart (#908)
[Gonéri Le Bouder]
+ Add Rocky Linux support to cloud-init (#906) [Louis Abel]
+ Add "/esposem"/ as contributor (#907) [Emanuele Giuseppe Esposito]
+ Add integration test for #868 (#901)
+ Added support for importing keys via primary/security mirror clauses
(#882) [Paul Goins] (LP: #1925395)
+ [examples] config-user-groups expire in the future (#902)
[Geert Stappers]
+ BSD: static network, set the mtu (#894) [Gonéri Le Bouder]
+ Add integration test for lp-1920939 (#891)
+ Fix unit tests breaking from new httpretty version (#903)
+ Allow user control over update events (#834)
+ Update test characters in substitution unit test (#893)
+ cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)
[dermotbradley]
+ Add AlmaLinux OS support (#872) [Andrew Lukoshko]
- systemctl location (bsc#1193531)
- Add cloud-init-sysctl-not-in-bin.patch
- The sytemctl executable is not necessarily in '/bin'
- Remove unneeded BuildRequires on python3-nose.
+ Still need to consider the "/network"/ configuration option
- cloud-regionsrv-client
-
- Update to version 10.0.3 (bsc#1198389)
- Descend into the extension tree even if top level module is recommended
- Cache license state for AHB support to detect type switch
- Properly clean suse.com credentials when switching from SCC to update
infrastructure
- New log message to indicate base product registration success
- Update to version 10.0.2
+ Fix name of logfile in error message
+ Fix variable scoping to properly detect registration error
+ Cleanup any artifacts on registration failure
+ Fix latent bug with /etc/hosts population
+ Do not throw error when attemting to unregister a system that is not
registered
+ Skip extension registration if the extension is recommended by the
baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
+ Provide status feedback on registration, success or failure
+ Log warning message if data provider is configured but no data
can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
+ The repo enablement timer cannot depend on guestregister.service
- Update -addon-azure to 1.0.2 (bsc#1196305)
+ The is-registered() function expects a string of the update server FQDN.
The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
+ Lower case the region hint to reduce issues with Azure region name
case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
+ Refactor removes check_registration() function in utils implementation
+ Only start the registration service for PAYG images
- addon-azure sub-package to version 1.0.1
- containerd
-
- Add patch for CVE-2022-23648. bsc#1196441
+ CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
bsc#1193273 CVE-2021-41190
- Update to containerd v1.4.11, to fix CVE-2021-41103. bsc#1191355
- Switch to Go 1.16.x compiler, in line with upstream.
- coreutils
-
- coreutils-df-fuse-portal-dummy.patch:
df: Add "/fuse.portal"/ as a dummy file system (used in flatpak
implementations). (bsc#1189152)
- crash
-
- Fix module loading (bsc#1190743 ltc#194414).
+ crash-mod-fix-module-object-file-lookup.patch
- crmsh
-
- Update to version 4.3.1+20220321.bd33abac:
* Dev: Parametrize the log dir
* medium: utils: update detect_cloud pattern for aws (bsc#1197351)
* Fix: utils: Only raise exception when return code of systemctl command over ssh larger than 4 (bsc#1196726)
- Update to version 4.3.1+20220208.73603501:
* Fix: sbd: not overwrite SYSCONFIG_SBD and sbd-disk-metadata if input 'n'(bsc#1194870)
* Fix: crash_test: Adjust help output of 'crm cluster crash_test -h'(bsc#1194615)
* Fix: bootstrap: Change log info when need to change user login shell (bsc#1194026)
- cyrus-sasl
-
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
in plugins/sql.c (bsc#1196036)
o add upstream patch:
0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- cyrus-sasl-saslauthd
-
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
in plugins/sql.c (bsc#1196036)
o add upstream patch:
0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- docker
-
- Update to Docker 20.10.12-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201012>.
- Remove CHANGELOG.md. It hasn't been maintained since 2017, and all of the
changelogs are currently only available online.
- Update to Docker 20.10.11-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201011>. bsc#1192814
bsc#1193273 CVE-2021-41190
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
- 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Update to Docker 20.10.9-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#20109>. bsc#1191355
CVE-2021-41089 bsc#1191015 CVE-2021-41091 bsc#1191434
CVE-2021-41092 bsc#1191334 CVE-2021-41103 bsc#1191121
- Update to Docker 20.10.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#20106>. bsc#1184768
- Update to Docker 20.10.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#20105>. bsc#1182947
- dracut
-
- Update to version 049.1+suse.228.g07676562:
* fix(network): consistent use of "/$gw"/ for gateway (bsc#1192685)
* fix(install): handle builtin modules (bsc#1194716)
- expat
-
- Security fixes:
* (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
breaks biboumi, ClairMeta, jxmlease, libwbxml,
openleadr-python, rnv, xmltodict
- Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
* (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
attackers to insert namespace-separator characters into
namespace URIs
- Added expat-CVE-2022-25236.patch
* (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
2.4.5 does not check whether a UTF-8 character is valid in a
certain context.
- Added expat-CVE-2022-25235.patch
* (CVE-2022-25313, bsc#1196168) Stack exhaustion in
build_model() via uncontrolled recursion
- Added expat-CVE-2022-25313.patch
- The fix upstream introduced a regression that was later
amended in 2.4.6 version
+ Added expat-CVE-2022-25313-fix-regression.patch
* (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
- Added expat-CVE-2022-25314.patch
* (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
- Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
* Expat (aka libexpat) before 2.4.4 has a signed integer overflow
in XML_GetBuffer, for configurations with a nonzero
XML_CONTEXT_BYTES
* Add tests for CVE-2022-23852.
* Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
* Fix unsigned integer overflow in function doProlog triggered
by large content in element type declarations when there is
an element declaration handler present (from a prior call to
XML_SetElementDeclHandler).
* Add expat-CVE-2022-23990.patch
* Added expat-CVE-2022-22827.patch
- fence-agents
-
- (bsc#1196350) fence_gce updates pull from Clusterlabs repo
- Apply proposed upstream patch
0001-fence_gce-Add-timeouts-and-failure-options-458.patch
- filesystem
-
- Add /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)
- glibc
-
- pthread-rwlock-trylock-stalls.patch: nptl: Fix pthread_rwlock_try*lock
stalls (bsc#1195560, BZ #23844)
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
(CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
(CVE-2021-3999, bsc#1194640, BZ #28769)
- pop-fail-stack.patch: Assertion failure in pop_fail_stack when executing
a malformed regexp (CVE-2015-8985, bsc#1193625, BZ #21163)
- gnutls
-
- Security fix: [bsc#1196167, CVE-2021-4209]
* Null pointer dereference in MD_UPDATE
* Add gnutls-CVE-2021-4209.patch
- grub2
-
- Fix grub-install error when efi system partition is created as mdadm software
raid1 device (bsc#1179981) (bsc#1195204)
* 0001-install-fix-software-raid1-on-esp.patch
- Fix error in grub-install when linux root device is on lvm thin volume
(bsc#1192622) (bsc#1191974)
* 0001-grub-install-bailout-root-device-probing.patch
- Fix error not a btrfs filesystem on s390x (bsc#1187645)
* 80_suse_btrfs_snapshot
- Add support for simplefb (boo#1193532).
* grub2-simplefb.patch
- icewm-theme-branding
-
- Add fix-font-configuration.patch:
Fix font configuration after google-droid-fonts update
(boo#1195328 bsc#1196336)
- java-1_8_0-ibm
-
- Update to Java 8.0 Service Refresh 7 Fix Pack 5 [bsc#1197126]
* https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
[bsc#1194927, CVE-2022-21366] [bsc#1194928, CVE-2022-21365]
[bsc#1194929, CVE-2022-21360] [bsc#1196500, CVE-2022-21349]
[bsc#1194941, CVE-2022-21341] [bsc#1194940, CVE-2022-21340]
[bsc#1194939, CVE-2022-21305] [bsc#1194930, CVE-2022-21277]
[bsc#1194931, CVE-2022-21299] [bsc#1194932, CVE-2022-21296]
[bsc#1194933, CVE-2022-21282] [bsc#1194934, CVE-2022-21294]
[bsc#1194935, CVE-2022-21293] [bsc#1194925, CVE-2022-21291]
[bsc#1194937, CVE-2022-21283] [bsc#1194926, CVE-2022-21248]
[CVE-2022-21271]
- Fix a javaws broken symlink [bsc#1195146]
- kernel-default
-
- drm: drm_file struct kABI compatibility workaround
(bsc#1197914).
- commit dd24982
- drm: use the lookup lock in drm_is_current_master (bsc#1197914).
- drm: protect drm_master pointers in drm_lease.c (bsc#1197914).
- drm: serialize drm_file.master with a new spinlock
(bsc#1197914).
- drm: add a locked version of drm_is_current_master
(bsc#1197914).
- commit 82a498a
- blacklist.conf: Add reverted/reverting swiotlb change (CVE-2022-0854 bsc#1196823 bsc#1197460)
- commit 8d52c36
- Reinstate some of "/swiotlb: rework "/fix info leak with
DMA_FROM_DEVICE"/"/ (CVE-2022-0854 bsc#1196823).
- swiotlb: fix info leak with DMA_FROM_DEVICE (CVE-2022-0854
bsc#1196823).
- commit ff554b5
- netfilter: nf_tables: initialize registers in nft_do_chain()
(CVE-2022-1016 bsc#1197227).
- commit 7111961
- Delete
patches.suse/net-tipc-validate-domain-record-count-on-input.patch.
This was the original work-in-progress patch for CVE-2022-0435 /
bsc#1195254. Later, a proper backport of mainline commit 9aa422ad3266
("/tipc: improve size validations for received domain records"/) was added as
patches.suse/tipc-improve-size-validations-for-received-domain-re.patch but
this patch was left in place. As it adds the check a bit later than
upstream fix, it did not cause a conflict so nobody noticed the duplicity.
- commit ef08708
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit 2237578
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
in error path (CVE-2022-28390 bsc#1198031).
- commit d6e6523
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit db7647d
- net: sched: fix use-after-free in tc_new_tfilter()
(CVE-2022-1055 bsc#1197702).
- commit 4c7dc78
- Add CVE tags to
patches.suse/ext4-fix-kernel-infoleak-via-ext4_extent_header.patch
(bsc#1189562 bsc#1196761 CVE-2022-0850).
- commit f3cb08f
- powerpc/mm/numa: skip NUMA_NO_NODE onlining in
parse_numa_properties() (bsc#1179639 ltc#189002 git-fixes).
- commit 73583c9
- esp: Fix possible buffer overflow in ESP transformation
(bsc#1197131 CVE-2022-0886 CVE-2022-27666).
- commit 39a5891
- cifs: use the correct max-length for dentry_path_raw()
(bsc1196196).
- commit 10cddb2
- quota: check block number when reading the block in quota file
(bsc#1197366 CVE-2021-45868).
- commit a7d4915
- netfilter: conntrack: don't refresh sctp entries in closed state
(bsc#1197389).
- commit c3afd15
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
bsc#1197331).
- commit 12628f8
- ALSA: pcm: Fix races among concurrent prealloc proc writes
(CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
calls (CVE-2022-1048 bsc#1197331).
- commit aee063f
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
(bsc#1196018).
- commit 1580ab2
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
(bsc#1196018).
- commit 1cdc779
- sr9700: sanity check for packet length (bsc#1196836
CVE-2022-26966).
- commit edaafdd
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- aio: fix use-after-free due to missing POLLFREE handling
(CVE-2021-39698 bsc#1196956).
- aio: keep poll requests on waitqueue until completed
(CVE-2021-39698 bsc#1196956).
- signalfd: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- binder: use wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- wait: add wake_up_pollfree() (CVE-2021-39698 bsc#1196956).
- commit b026506
- rpm/kernel-source.spec.in: call fdupes per subpackage
It is a waste of time to do a global fdupes when we have
subpackages.
- commit 1da8439
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
bsc#1193731).
- commit 7040fdd
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 8d867d6
- xen/netfront: react properly to failing
gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
CVE-2022-23042).
- commit fe0a923
- xen/gnttab: fix gnttab_end_foreign_access() without page
specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 58c801b
- xen/pvcalls: use alloc/free_pages_exact() (bsc#1196488,
XSA-396, CVE-2022-23041).
- commit afb2dba
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
CVE-2022-23041).
- commit cee63b9
- xen/usb: don't use gnttab_end_foreign_access() in
xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit b1d434d
- xen/gntalloc: don't use gnttab_query_foreign_access()
(bsc#1196488, XSA-396, CVE-2022-23039).
- commit a4ec4aa
- xen/scsifront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit fd9cb30
- xen/netfront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 4e33999
- xen/blkfront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 4334af7
- xen/grant-table: add gnttab_try_end_foreign_access()
(bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit 19b769a
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 5aacf1f
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
(git-fixes).
- commit daa9ea7
- Refresh
patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit d9066f6
- Refresh
patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 5c41eb3
- rpm/kernel-docs.spec.in: use %%license for license declarations
Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- Hand over the maintainership to SLE15-SP3 maintainers
- commit 0c92742
- SUNRPC: avoid race between mod_timer() and del_timer_sync()
(bnc#1195403).
- commit fffe0fc
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
(CVE-2022-26490 bsc#1196830).
- commit fd10ace
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 1dafeb6
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 8c8ae13
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
There is a check in OBS that fails when it is included. Also the key is
not reproducible.
Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
(bsc#1196584).
- commit 4f3bbf5
- x86/speculation: Use generic retpoline by default on AMD
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit bed48b1
- gve: Recording rx queue before sending to napi (jsc#SLE-23652).
- gve: fix the wrong AdminQ buffer queue index check
(jsc#SLE-23652).
- gve: Fix GFP flags when allocing pages (jsc#SLE-23652).
- gve: Add consumed counts to ethtool stats (jsc#SLE-23652).
- gve: Implement suspend/resume/shutdown (jsc#SLE-23652).
- gve: Add optional metadata descriptor type GVE_TXD_MTD
(jsc#SLE-23652).
- gve: remove memory barrier around seqno (jsc#SLE-23652).
- gve: Update gve_free_queue_page_list signature (jsc#SLE-23652).
- gve: Move the irq db indexes out of the ntfy block struct
(jsc#SLE-23652).
- gve: Correct order of processing device options (jsc#SLE-23652).
- gve: fix for null pointer dereference (jsc#SLE-23652).
- gve: fix unmatched u64_stats_update_end() (jsc#SLE-23652).
- gve: Add a jumbo-frame device option (jsc#SLE-23652).
- gve: Implement packet continuation for RX (jsc#SLE-23652).
- gve: Add RX context (jsc#SLE-23652).
- gve: Use kvcalloc() instead of kvzalloc() (jsc#SLE-23652).
- commit e1a9cfc
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
CVE-2022-0617).
- commit a1deb2a
- udf: Fix NULL ptr deref when converting from inline format
(bsc#1196079 CVE-2022-0617).
- commit 43cd4ed
- x86/speculation: Include unprivileged eBPF status in Spectre v2
mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit d42fa20
- Documentation/hw-vuln: Update spectre doc (bsc#1191580
CVE-2022-0001 CVE-2022-0002).
- commit a48cfcc
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
CVE-2022-0001 CVE-2022-0002).
- commit 1a20a7e
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 80f47a3
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 1f9dd65
- usb: gadget: rndis: check size of RNDIS_MSG_SET command
(CVE-2022-25375 bsc#1196235).
- commit 4e7d746
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 900b4f0
- USB: gadget: validate interface OS descriptor requests
(CVE-2022-25258 bsc#1196095).
- commit 4c69367
- scsi: lpfc: Fix pt2pt NVMe PRLI reject LOGO loop (bsc#1189126).
- commit 6aa037a
- powerpc/pseries/ddw: Revert "/Extend upper limit for huge DMA
window for persistent memory"/ (bsc#1195995 ltc#196394).
- commit 7be7563
- f2fs: fix to do sanity check on inode type during garbage
collection (CVE-2021-44879 bsc#1195987).
- commit 139271b
- tipc: improve size validations for received domain records
(bsc#1195254, CVE-2022-0435).
- commit 48911da
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
bsc#1195897).
- commit 60220af
- usb: gadget: clear related members when goto fail
(CVE-2022-24958 bsc#1195905).
- usb: gadget: don't release an existing dev->buf (CVE-2022-24958
bsc#1195905).
- commit 96dda76
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
(bsc#1194516 CVE-2022-0487).
- commit f68f189
- nfsd: don't admin-revoke NSv4.0 state ids (bsc#1192483).
- nfsd: allow delegation state ids to be revoked and then freed
(bsc#1192483).
- nfsd: allow lock state ids to be revoked and then freed
(bsc#1192483).
- nfsd: allow open state ids to be revoked and then freed
(bsc#1192483).
- nfsd: prepare for supporting admin-revocation of state
(bsc#1192483).
- commit 4fab2c0
- kernel-binary: Do not include sourcedir in certificate path.
The certs macro runs before build directory is set up so it creates the
aggregate of supplied certificates in the source directory.
Using this file directly as the certificate in kernel config works but
embeds the source directory path in the kernel config.
To avoid this symlink the certificate to the build directory and use
relative path to refer to it.
Also fabricate a certificate in the same location in build directory
when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- KVM: s390: Return error on SIDA memop on normal guest
(bsc#1195516 CVE-2022-0516).
- commit d46602b
- NFSv4: Handle case where the lookup of a directory fails
(bsc#1195612 CVE-2022-24448).
- commit 1023a28
- btrfs: check for missing device in btrfs_trim_fs (bsc#1195701).
- commit be8e591
- cgroup-v1: Require capabilities to set release_agent
(bsc#1195543 CVE-2022-0492).
- commit 413d689
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
callback (bsc#1193864 CVE-2021-39657).
- commit 5ec67f9
- scsi: target: iscsi: Fix cmd abort fabric stop race
(bsc#1195286).
- commit 79c1016
- Update kabi files.
- update from February 2022 maintenance update submission (commit 49453fa0b26b)
- commit 10d28a1
- kernel-obs-build: include 9p (boo#1195353)
To be able to share files between host and the qemu vm of the build
script, the 9p and 9p_virtio kernel modules need to be included in
the initrd of kernel-obs-build.
- commit 0cfe67a
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 5e4e31e
- series.conf: sort
Fix patch ordering in sorted section.
- commit f4bbbbf
- fix patches metadata
- fix Patch-mainline, mark partial backport, add a note to commit message
- patches.suse/net-xdp-Introduce-xdp_init_buff-utility-routine.patch
- patches.suse/net-xdp-Introduce-xdp_prepare_buff-utility-routine.patch
- commit c8555c7
- Update kabi files.
- update from out of order January 2022 maintenance update (commit 712a8e6dffc3)
- commit d4e500b
- update
- commit 8000467
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
CVE-2021-45095).
- commit 98c27cb
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
which caused a regression (bsc#1194048).
- fix patches.kabi/revert-xfrm-xfrm_state_mtu-should-return-at-least-1280.patch
fixes the resulting KABI change
- Replace with an alternative fix for bsc#1185377
- commit ccdfbb9
- net: tipc: validate domain record count on input (bsc#1195254).
- commit 96de11b
- SLE15-SP2 went to LTSS, hand over to L3
- commit 1e60178
- drm/vmwgfx: Fix stale file descriptors on failed usercopy
(CVE-2022-22942 bsc#1195065).
- commit b93c2a4
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
- commit 92fcdfb
- bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds() (bsc#1194227).
- commit bf95985
- net/packet: rx_owner_map depends on pg_vec (bsc#1195184
CVE-2021-22600).
- commit ef975a8
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
callback (bsc#1193864 CVE-2021-39657).
- commit a954734
- Update
patches.suse/usb-gadget-configfs-Fix-use-after-free-issue-with-ud.patch
(bsc#1193861 CVE-2021-39648).
updated references for a CVE that became known after the fix
had been applied for other reasons
- commit 2372cca
- net: mana: Add RX fencing (bsc#1193506).
- commit 86ca026
- net: mana: Add XDP support (bsc#1193506).
- commit 8a8d94e
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- commit 2ce60c3
- net, xdp: Introduce xdp_prepare_buff utility routine
(bsc#1193506).
- commit f1f2607
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- commit d81f88a
- btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
- commit 472ff50
- btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
- commit ac668ff
- btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
- commit 38bf9aa
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
directory (bsc#1195051).
- commit c80b5de
- drm/i915: Flush TLBs before releasing backing store
(CVE-2022-0330 bsc#1194880).
- commit 34a8919
- net: allow retransmitting a TCP packet if original is still
in queue (bsc#1188605 bsc#1187428).
- commit 07dea3c
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
Using the the default path is broken since Linux 5.17
- commit 68b36f0
- fix rpm build warning
tumbleweed rpm is adding these warnings to the log:
It's not recommended to have unversioned Obsoletes: Obsoletes: microcode_ctl
- commit 3ba8941
- build initrd without systemd
This reduces the size of the initrd by over 25%, which
improves startup time of the virtual machine by 0.5-0.6s on
very fast machines, more on slower ones.
- commit ef4c569
- Revert "/net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)"/
This reverts commit 3aa0c01fad38360cc9cd840d49bdfdc565e2e718.
With the backport of the upstream fix for bsc#1183405 race, this workaround
is no longer needed.
- commit e063337
- net: sched: add barrier to ensure correct ordering for lockless
qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless
qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue
(bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation
(bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc
(bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in
qdisc_replace (bsc#1183405).
- net: sch_generic: aviod concurrent reset and enqueue op for
lockless qdisc (bsc#1183405).
- net_sched: get rid of unnecessary dev_qdisc_reset()
(bsc#1183405).
- net_sched: avoid resetting active qdisc for multiple times
(bsc#1183405).
- net_sched: use qdisc_reset() in qdisc_destroy() (bsc#1183405).
- commit abc4d94
- libqb
-
- IPC: server: avoid temporary channel priority loss, up to deadlock-worth (gh#ClusterLabs/libqb#352, rh#1718773, bsc#1188212)
* bsc#1188212-0001-IPC-server-avoid-temporary-channel-priority-loss-up-.patch
- libqt5-qtbase
-
- Update patch after it was merged to dev upstream and fix another
place missed in the first version (boo#1195386, CVE-2022-23853,
boo#1196501, CVE-2022-25255):
* 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
- Add patch to avoid unintentionally using binaries from CWD
(boo#1195386, CVE-2022-23853, boo#1196501, CVE-2022-25255):
* 0001-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch
- libsolv
-
- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code
[bsc#1196514]
- support parsing of Debian's Multi-Arch indicator
- bump version to 0.7.22
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden
vendor change
- support strict repository priorities
new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
("/requires"/ is a keyword in C++20)
- support setting/reading userdata in solv files
new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime
- bump version to 0.7.21
- libtirpc
-
- fix memory leak in client protocol version 2 code (bsc#1193805)
- update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- libzypp
-
- ZConfig: Update solver settings if target changes (bsc#1196368)
- version 17.30.0 (22)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- version 17.29.7 (22)
- Fix package signature check (bsc#1184501)
Pay attention that header and payload are secured by a valid
signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
A previously released ISO image may need a bit more time to
release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- version 17.29.6 (22)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)
- version 17.29.5 (22)
- Fix handling of redirected command in-/output (bsc#1195326)
This fixes delays at the end of zypper operations, where
zypper unintentionally waits for appdata plugin scripts to
complete.
- version 17.29.4 (22)
- Public header files on older distros must use c++11
(bsc#1194597)
- Fix exception handling when reading or writing credentials
(bsc#1194898)
- version 17.29.3 (22)
- Fix Legacy include (bsc#1194597)
- version 17.29.2 (22)
- Fix broken install path for parser compat headers (fixes #372,
bsc#1194597)
- RepoManager: remember exec errors in exception history
(bsc#1193007)
- version 17.29.1 (22)
- Use the default zypp.conf settings if no zypp.conf exists
(bsc#1193488)
- Fix wrong encoding of iso: URL components (bsc#954813)
- Handle armv8l as armv7hl compatible userland.
- Introduce zypp-curl a sublibrary for CURL related code.
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set.
- Save all signatures associated with a public key in its
PublicKeyData.
- version 17.29.0 (22)
- lifecycle-data-sle-module-live-patching
-
- Added data for 5_3_18-150300_59_43, 5_3_18-24_99, 5_3_18-59_40. (bsc#1020320)
- lvm2
-
- udev: create symlinks and watch even in suspended state (bsc#1195231)
+ bug-1195231-udev-create-symlinks-and-watch-even-in-suspended-sta.patch
- mlocate
-
- require apparmor-abstractions, because apparmor.service fails with
Could not open 'tunables/global' error otherwise (bsc#1195144)
- mozilla-nss
-
- Mozilla NSS 3.68.3 (bsc#1197903)
This release improves the stability of NSS when used in a multi-threaded
environment. In particular, it fixes memory safety violations that
can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
We presume that with enough effort these memory safety violations are exploitable.
* Remove token member from NSSSlot struct (bmo#1756271).
* Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
(bmo#1755555).
* Check return value of PK11Slot_GetNSSToken (bmo#1370866).
- net-snmp
-
- Decouple snmp-mibs from net-snmp version to allow major version
upgrade (bsc#1196955).
- nfs-utils
-
- Add 0023-cache.c-removed-a-couple-warning.patch
Fix compilation with new glibc (SLE15-SP4)
(bsc#1197788)
- Add 0021-mount.nfs-insert-sloppy-at-beginning-of-the-options.patch
Add 0022-mount.nfs-Fix-the-sloppy-option-processing.patch
Ensure "/sloppy"/ is added correctly for newer kernels. Particularly
required for kernels since 5.6 (so SLE15-SP4), and safe for all kernels.
(boo#1197297)
- Add 0020-mountd-Initialize-logging-early.patch
If an error or warning message is produced before
closeall() is called, mountd gets confused and doesn't work.
(bsc#1194661)
- openldap2
-
- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression
reporting is bsc#1197004 causing SSSD to have faults.
- jsc#PM-3288 - restore CLDAP functionality in CLI tools
- openssh
-
- Add openssh-dbus.sh, openssh-dbus.csh, openssh-dbus.fish: Make ssh
connections update their dbus environment (bsc#1179465).
- Add openssh-bsc1190975-CVE-2021-41617-authorizedkeyscommand.patch
(bsc#1190975, CVE-2021-41617), backported from upstream by
Ali Abdallah.
- openssl-1_1
-
- Security Fix: [bsc#1196877, CVE-2022-0778]
* Infinite loop in BN_mod_sqrt() reachable when parsing certificates
* Add openssl-CVE-2022-0778.patch openssl-CVE-2022-0778-tests.patch
- Fix PAC pointer authentication in ARM [bsc#1195856]
* PAC pointer authentication signs the return address against the
value of the stack pointer, to prevent stack overrun exploits
from corrupting the control flow. The Poly1305 armv8 code got
this wrong, resulting in crashes on PAC capable hardware.
* Add openssl-1_1-ARM-PAC.patch
- Pull libopenssl-1_1 when updating openssl-1_1 with the same
version. [bsc#1195792]
- FIPS: Fix function and reason error codes [bsc#1182959]
* Add openssl-1_1-FIPS-fix-error-reason-codes.patch
- Enable zlib compression support [bsc#1195149]
* Add openssl-fix-BIO_f_zlib.patch to fix BIO_f_zlib: Properly
handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls.
- pacemaker
-
- attrd: check election status upon loss of a voter to prevent unexpected pending (bsc#1191676)
* bsc#1191676-0001-Fix-attrd-check-election-status-upon-loss-of-a-voter.patch
- stonith-ng's function cannot be blocked with CIB updates forever (bsc#1188212)
- pam
-
- Between allocating the variable "/ai"/ and free'ing them, there are
two "/return NO"/ were we don't free this variable. This patch
inserts freaddrinfo() calls before the "/return NO;"/s.
[bsc#1197024, pam-bsc1197024-free-addrinfo-before-return.patch]
- Define _pam_vendordir as "//%{_sysconfdir}/pam.d"/
The variable is needed by systemd and others.
[bsc#1196093, macros.pam]
- polkit
-
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
added CVE-2021-4115.patch
- procps
-
- Add patch bsc1195468-23da4f40.patch to fix bsc#1195468 that is
ignore SIGURG
- protobuf
-
- Fix incorrect parsing of nullchar in the proto symbol, CVE-2021-22570,
bsc#1195258
* Add protobuf-CVE-2021-22570.patch
- psmisc
-
* Determine the namespace of a process only once to speed
up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
- python-base
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
(bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- python-jsonschema
-
- Add patch to fix build with new webcolors:
* webcolors.patch
- update to version 3.2.0 (jsc#SLE-18756):
* Added a format_nongpl setuptools extra, which installs only format
dependencies that are non-GPL (#619).
- specfile:
* be more explicit in %files section
* require python-importlib-metadata
- update to version 3.1.1:
* Temporarily revert the switch to js-regex until #611 and #612 are
resolved.
- changes from version 3.1.0:
* Regular expressions throughout schemas now respect the ECMA 262
dialect, as recommended by the specification (#609).
- Replace %fdupes -s with plain %fdupes; hardlinks are better.
- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
* Fixed a bug where 0 and False were considered equal by
const and enum
- from v3.0.1
* Fixed a bug where extending validators did not preserve their
notion of which validator property contains $id information.
- from v3.0.0
* Support for Draft 6 and Draft 7
* Draft 7 is now the default
* New TypeChecker object for more complex type definitions
(and overrides)
* Falling back to isodate for the date-time format checker is
no longer attempted, in accordance with the specification
- Add non-updating note to the SPEC file
- downgrade to < 3.0.0 again to fix all openstack clients
- Update to 3.0.1:
* Support for Draft 6 and Draft 7
* Draft 7 is now the default
* New TypeChecker object for more complex type definitions (and overrides)
* Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification
- Use %license instead of %doc [bsc#1082318]
- python-lxml
-
- With the new update to 4.7.1, the old Bugzilla entries are also
fixed:
- bsc#1118088 (related to CVE-2018-19787)
- bsc#1184177 (related to CVE-2021-28957)
- Update to 4.7.1 (officially released 2021-12-13)
Features added
- Chunked Unicode string parsing via parser.feed() now encodes the input
data to the native UTF-8 encoding directly, instead of going through
Py_UNICODE / wchar_t encoding first, which previously required duplicate
recoding in most cases.
Bugs fixed
- The standard namespace prefixes were mishandled during "/C14N2"/
serialisation
on Python 3.
See
https://mail.python.org/archives/list/lxml@python.org/thread/
6ZFBHFOVHOS5GFDOAMPCT6HM5HZPWQ4Q/
- lxml.objectify previously accepted non-XML numbers with underscores
(like "/1_000"/) as integers or float values in Python 3.6 and later.
It now adheres to the number format of the XML spec again.
- LP#1939031: Static wheels of lxml now contain the header files of zlib
and libiconv (in addition to the already provided headers of
libxml2/libxslt/libexslt).
Other changes
- Wheels include libxml2 2.9.12+ and libxslt 1.1.34 (also on Windows).
- Update to 4.7.0 (2021-12-13)
- Release retracted due to missing files in lxml/includes/.
- UPdate to 4.6.5 (2021-12-12)
Bugs fixed
- A vulnerability (GHSL-2021-1038) in the HTML cleaner
- allowed sneaking script content through SVG images
- (bnc#1193752, CVE-2021-43818).
- A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed
- sneaking script content through CSS imports and other crafted
- constructs (CVE-2021-43818).
- Update 4.6.4 (2021-11-01)
Features added
- GH#317: A new property system_url was added to DTD entities.
- Patch by Thirdegree.
- GH#314: The STATIC_* variables in setup.py can now be passed
- via env vars.
- Patch by Isaac Jurado.
- Update 4.6.3 (2021-03-21)
Bugs fixed
- A vulnerability (CVE-2021-28957) was discovered in the HTML
- Cleaner by Kevin Chung, which allowed JavaScript to pass through.
- The cleaner now removes the HTML5 formaction attribute.
- Update 4.6.2 (2020-11-26)
Bugs fixed
- A vulnerability (bnc#1179534, CVE-2020-27783) was discovered in the HTML
Cleaner
- by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner
- now removes more sneaky "/style"/ content.
- Update 4.6.1 (2020-10-18)
Bugs fixed
- A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
- which allowed JavaScript to pass through. The cleaner now removes
- more sneaky "/style"/ content.
- Update 4.6.0 (2020-10-17)
Features added
- GH#310: lxml.html.InputGetter supports __len__() to count the number
- of input fields. Patch by Aidan Woolley.
- lxml.html.InputGetter has a new .items() method to ease processing
- all input fields.
- lxml.html.InputGetter.keys() now returns the field names in document
- order.
- GH-309: The API documentation is now generated using sphinx-apidoc.
- Patch by Chris Mayo.
Bugs fixed
- LP#1869455: C14N 2.0 serialisation failed for unprefixed attributes
- when a default namespace was defined.
- TreeBuilder.close() raised AssertionError in some error cases where
- it should have raised XMLSyntaxError. It now raises a combined
- exception to keep up backwards compatibility, while switching to
- XMLSyntaxError as an interface.
- Update 4.5.2 (2020-07-09)
Bugs fixed
- Cleaner() now validates that only known configuration options
- can be set.
- LP#1882606: Cleaner.clean_html() discarded comments and PIs
- regardless of the corresponding configuration option, if
- remove_unknown_tags was set.
- LP#1880251: Instead of globally overwriting the document loader
- in libxml2, lxml now sets it per parser run, which improves the
- interoperability with other users of libxml2 such as libxmlsec.
- LP#1881960: Fix build in CPython 3.10 by using Cython 0.29.21.
- The setup options "/--with-xml2-config"/ and "/--with-xslt-config"/
- were accidentally renamed to "/--xml2-config"/ and "/--xslt-config"/
- in 4.5.1 and are now available again.
- Update 4.5.1 (2020-05-19)
Bugs fixed
- LP#1570388: Fix failures when serialising documents larger than
- 2GB in some cases.
- LP#1865141, GH#298: QName values were not accepted by the
- el.iter() method. Patch by xmo-odoo.
- LP#1863413, GH#297: The build failed to detect libraries on Linux
- that are only configured via pkg-config. Patch by Hugh McMaster.
- Update 4.5.0 (2020-01-29)
Features added
- A new function indent() was added to insert tail whitespace for
- pretty-printing an XML tree.
Bugs fixed
- LP#1857794: Tail text of nodes that get removed from a document
using item deletion disappeared silently instead of sticking with
the node that was removed.
Other changes
- MacOS builds are 64-bit-only by default. Set CFLAGS and LDFLAGS
explicitly to override it.
- Linux/MacOS Binary wheels now use libxml2 2.9.10 and libxslt 1.1.34.
- LP#1840234: The package version number is now available as
lxml.__version__.
- Update 4.4.3 (2020-01-28)
Bugs fixed
- LP#1844674: itertext() was missing tail text of comments and PIs
since 4.4.0.
- release-notes-sles-for-sap
-
- 15.2.20220202 (tracked in bsc#933411)
- Added Trento disclaimer (jsc#SLE-22809)
- Updated support length to 3.5 years (bsc#1188003)
- resource-agents
-
- RA reports "/string indices must be integers"/ to stderr after
"/WARNING: Failed to reach the server: Gone"/ (bsc#1194502)
Add upstream patch:
0001-azure-events-report-error-if-jsondata-not-received.patch
- rsyslog
-
- add service dependencies for remote logging (bsc#1194669)
- update config example in remote.conf to match upstream documentation
- samba
-
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bsc#1194859); (bso#14914).
- saptune
-
- update package version of saptune to 3.0.2
- avoid excluding LVM slaves when getting valid block devices
(bsc#1194299)
- fix 'not compliant' state for energy_perf_bias on Power systems
and suppress misleading error message regarding missing 'mokutil'
(bsc#1193435)
- fix wrong behaviour of 'saptune revert all', if the saptune
service was stopped between the two commands 'apply' and
'revert all'
- 'saptune service enablestart|disablestop' now always perform
both actions and does no longer stop working, if the service is
already started|stopped.
(bsc#1193241)
- restrict the sys section of the AWS note 1656250 to the
availability of a nvme block device to support AWS x1e instances
too.
sys section definition of Note 1656250 changed.
(bsc#1192029)
- abandon the dependency to 'mokutil' by relying on sysfs to
detect a secure boot environment.
Related to bsc#1193435
- support /etc/fstab entries with 4 instead of 6 fields as these
are valid entries.
Change error handling from 'panic' to error log messages.
(bsc#1193580)
- enhance man page 'saptune.8'.
Add entry 'configured Note' and some more descriptions of the
entries from 'saptune service status'
(bsc#1192697)
- as the Power systems (hardware architecture 'ppc64le') does not
support files in '/sys/class/dmi' (this directory is not
available on the 'ppc64le' hardware architecture) some of our
section 'tags' will not work.
Add some additional log messages to identify the cause and add
a hint to the man page.
- fix block device settings (e.g. NRREQ) for multipath devices
(bsc#1193576)
- 'saptune verify' will now report a non existing sysctl or sys
parameter as 'not available on the system' (footnote) and this
parameter will not affect the compliance state.
But a warning is displayed to raise attention to may be typos in
the parameter name.
- 'saptune status' now reports the 'real' unit state, no mapping
of not running (inactive) service to simply 'stopped' any more.
(bsc#1194334)
- sle-module-legacy-release
-
- Clear EOL date for modules, as they may cause upgrade problems (bsc#1194653).
- sle-module-python2-release
-
- Clear EOL date for modules, as they may cause upgrade problems (bsc#1194653).
- sudo
-
- Add support in the LDAP filter for negated users, patch taken
from upstream (jsc#20068)
* Adds sudo-feature-negated-LDAP-users.patch
- Restrict use of sudo -U other -l to people who have permission
to run commands as that user (bsc#1181703, jsc#SLE-22569)
* feature-upstream-restrict-sudo-U-other-l.patch
- supportutils
-
- Spec file adjusted for usr-merge
- Changes to version 3.1.20
+ Added command blkid #114
+ Added s390x specific files and output #115
+ Fix for invalid argument during updates (bsc#1193204)
+ Optimized conf_files, conf_files_text and log_cmd functions #118
+ Fixed iscsi initiator name (bsc#1195797)
+ Added rpcinfo -p output #116
+ Included /etc/sssd/conf.d configuration files #100
- Changes to version 3.1.19
+ Made /proc directory and network names spaces configurable (bsc#1193868)
- Changes to version 3.1.19
+ Removed chronyc DNS lookups with -n switch (bsc#1193732)
- Merged Include udev rules in /lib/udev/rules.d/ #113
- Merged Move localmessage/warm logs out of messages.txt to new localwarn.txt #87
- getappcore identifies compressed core files (bsc#1191794)
- Installing to /usr/sbin instead of /sbin (bsc#1191096)
- Added shared memory as a log directory for emergency use (bsc#1190943)
- Fixed cron package for RPM validation (bsc#1190315)
- Updated spec file with correct URL
- Changes to version 3.1.18
+ Added email.txt based on OPTION_EMAIL #108 (bsc#1189028)
+ Include 'multipath -t' output in mpio.txt #105
+ Improved lsblk readability with --ascsi #106
+ Removed duplicate commands in network.txt
+ Remove duplicate firewalld status output #109
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
+ Include cloud-init logs whenever they are present
+ Update the packages we track in AWS, Azure, and Google
+ Include the ecs logs for AWS ECS instances
- suse-build-key
-
- No longer install 1024bit keys by default. (bsc#1197293)
- SLE11 key moved to documentation
- old PTF (pre March 2022) moved to documentation only
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- sysstat
-
- Fix possible segfault in read_task_stats() [bsc#1194679]
- Add sysstat-fix-segfault-in-read_task_stats.patch
- systemd
-
- Import commit 5e7db68eb43ec3733c56e98262973431f57e2265
4f00efadc7 systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)
- Import commit c46bcb2df93c802f43e240ceb96eaf28027808a8
28e379cc21 systemctl: exit with 1 if no unit files found (bsc#1193841)
* 60-io-scheduler.rules: add rules for virtual devices
(boo#1193759)
* 60-io-scheduler.rules: enforce "/none"/ for loop devices
(boo#1193759)
- tcpdump
-
- Security fix: [bsc#1195825, CVE-2018-16301]
* Fix segfault when handling large files
* Add tcpdump-CVE-2018-16301.patch
- tiff
-
- security update: Fix buffer overwrite
* CVE-2019-17546[bsc#1154365]
+ tiff-CVE-2019-17546.patch
- security update: Fix heap based buffer overflow in pal2rgb
* CVE-2017-17095[bsc#1071031]
+ tiff-CVE-2017-17095.patch
- security update: Fix OOB in _TIFFmemcpy
* CVE-2022-22844[bsc#1194539]
+ tiff-CVE-2022-22844.patch
- security update: Fix memory allocation failure in tif_read.c
* CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809]
+ tiff-CVE-2020-35521,CVE-2020-35522.patch
- security update: Fix DOS via invertImage()
* CVE-2020-19131[bsc#1190312]
+ tiff-CVE-2020-19131.patch
- security update: Fix heap-based buffer overflow in TIFF2PDF tool
* CVE-2020-35524[bsc#1182812]
+ tiff-CVE-2020-35524.patch
- security update: Fix integer overflow in tif_getimage
* CVE-2020-35523 [bsc#1182811]
+ tiff-CVE-2020-35523.patch
- timezone
-
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not -03-26*
* zdump -v now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
- update-alternatives
-
- break bash <-> update-alternatives cycle by coolo's rewrite
of %post in lua [bsc#1195654]
- util-linux
-
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
(bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- util-linux-systemd
-
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Prevent root owning of /var/lib/libuuid/clock.txt
(bsc#1194642, util-linux-uuidd-prevent-root-owning.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- vim
-
- Minimal fix for Bug 1195004 - (CVE-2022-0318) VUL-0: CVE-2022-0318: vim:
Heap-based Buffer Overflow in vim prior to 8.2.
/ vim-8.0.1568-CVE-2022-0413.patch
- Fixing bsc#1190570 CVE-2021-3796: vim: use-after-free in nv_replace() in
normal.c / vim-8.0.1568-CVE-2021-3796.patch
- Fixing bsc#1191893 CVE-2021-3872: vim: heap-based buffer overflow in
win_redr_status() drawscreen.c / vim-8.0.1568-CVE-2021-3872.patch
- Fixing bsc#1192481 CVE-2021-3927: vim: vim is vulnerable to
Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-3927.patch
- Fixing bsc#1192478 CVE-2021-3928: vim: vim is vulnerable to
Stack-based Buffer Overflow / vim-8.0.1568-CVE-2021-3928.patch
- Fixing bsc#1193294 CVE-2021-4019: vim: vim is vulnerable to
Heap-based Buffer Overflow / vim-8.0.1568-CVE-2021-4019.patch
- Fixing bsc#1193298 CVE-2021-3984: vim: illegal memory access when C-indenting
could lead to Heap Buffer Overflow / vim-8.0.1568-CVE-2021-3984.patch
- Fixing bsc#1190533 CVE-2021-3778: vim: Heap-based Buffer Overflow in regexp_nfa.c
/ vim-8.0.1568-CVE-2021-3778.patch
- Fixing bsc#1194216 CVE-2021-4193: vim: vulnerable to Out-of-bounds Read
/ vim-8.0.1568-CVE-2021-4193.patch
- Fixing bsc#1194556 CVE-2021-46059: vim: A Pointer Dereference vulnerability
exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which
causes a denial of service. / vim-8.0.1568-CVE-2021-46059.patch
- Fixing bsc#1195066 CVE-2022-0319: vim: Out-of-bounds Read in vim/vim
prior to 8.2. / vim-8.0.1568-CVE-2022-0319.patch
- Fixing bsc#1195126 CVE-2022-0351: vim: uncontrolled recursion in eval7()
/ vim-8.0.1568-CVE-2022-0351.patch
- Fixing bsc#1195202 CVE-2022-0361: vim: Heap-based Buffer Overflow in vim
prior to 8.2. / vim-8.0.1568-CVE-2022-0361.patch
- Fixing bsc#1195356 CVE-2022-0413: vim: use after free in src/ex_cmds.c
/ vim-8.0.1568-CVE-2022-0413.patch
- wicked
-
- fsm: fix device rename via yast (bsc#1194392)
Reset worker config instead to reject a NULL/empty config
xml node -- introduced in wicked 0.6.67 by commit c2a0385.
[+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "/up"/ without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property makros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
- support multiple networks configurations per interface
- show connection status and scan-results (bsc#1160654)
- corrected eap-tls,ttls cetificate handling and open vs. shared
wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
- cleanups and several other improvements, see changes
- updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
[- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
[- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
[+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
[+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
- xen
-
- bsc#1194576 - VUL-0: CVE-2022-23033: xen: arm:
guest_physmap_remove_page not removing the p2m mappings (XSA-393)
xsa393.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
Xen while unmapping a grant (XSA-394)
xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
passed-through device IRQs (XSA-395)
xsa395.patch
- bsc#1191668 - L3: issue around xl and virsh operation - virsh
list not giving any output
libxl-dont-try-to-free-a-NULL-list-of-vcpus.patch
libxl-dont-touch-nr_vcpus_out-if-listing-vcpus-and-returning-NULL.patch
- Collect active VM config files in the supportconfig plugin
xen-supportconfig
- bsc#1191510 - [UEFI]15sp4 uefi fv guest on 12sp5 host unable to
bootup with sriov pci device plugin
5e15e174-libxl-dont-needlessly-report-highmem-in-use.patch
- Upstream bug fixes (bsc#1027519)
616d66bd-x86-HVM-cleanup-after-failed-viridian_vcpu_init.patch
616e7cfe-x86-paging-restrict-paddr-width-reported.patch
619b7ac9-harden-assign_pages.patch
619b8cb0-x86-PoD-misaligned-GFNs.patch
619b8cb1-x86-PoD-intermediate-page-orders.patch
619b8cb2-x86-P2M-set-partial-success.patch
- Drop xsa patches in favor of upstream versions
xsa385.patch
xsa388-1.patch
xsa388-2.patch
xsa389.patch
- xz
-
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
(ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
* bsc1198062.patch
- yaml-cpp
-
- Fix CVE-2018-20573 The Scanner:EnsureTokensInQueue function in yaml-cpp
allows remote attackers to cause DOS via a crafted YAML file
(CVE-2018-20573, bsc#1121227)
- Fix CVE-2018-20574 The SingleDocParser:HandleFlowMap function in
yaml-cpp allows remote attackers to cause DOS via a crafted YAML file
(CVE-2018-20574, bsc#1121230)
- Fix CVE-2019-6285 The SingleDocParser::HandleFlowSequence function in
cpp allows remote attackers to cause DOS via a crafted YAML file
(CVE-2019-6285, bsc#1122004)
- Fix CVE-2019-6292 An issue was discovered in singledocparser.cpp in
yaml-cpp which cause DOS by stack consumption
(CVE-2019-6292, bsc#1122021)
- Added patch cve-2018-20574.patch
- yast2-add-on
-
- Restore the repo unexpanded URL to get it properly saved in
the /etc/zypp/repos.d file (bsc#972046, bsc#1194851).
- 4.2.19
- zlib
-
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
* bsc1197459.patch
- zsh
-
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
could be exploited through e.g. VCS_Info to execute arbitrary shell
commands (CVE-2021-45444 bsc#1196435)
- zypper
-
- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)
- version 1.14.52
- Singletrans: handle fatal and non-fatal script errors properly.
- Add SingleTransReportReceiver.
- Immediately write out additional rpm output.
- BuildRequires: libzypp-devel >= 17.29.0.
Need SingleTransReport and immediate rpm script output reports.
- version 1.14.51