n/a

- Upgrade to release 9.16.50
  Bug Fixes:
  * A regression in cache-cleaning code enabled memory use to grow
    significantly more quickly than before, until the configured
    max-cache-size limit was reached. This has been fixed.
  * Using rndc flush inadvertently caused cache cleaning to become
    less effective. This could ultimately lead to the configured
    max-cache-size limit being exceeded and has now been fixed.
  * The logic for cleaning up expired cached DNS records was
    tweaked to be more aggressive. This change helps with enforcing
    max-cache-ttl and max-ncache-ttl in a timely manner.
  * It was possible to trigger a use-after-free assertion when the
    overmem cache cleaning was initiated. This has been fixed.
  New Features:
  * Added RESOLVER.ARPA to the built in empty zones.
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
    [bsc#1228256, bind-9.16-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.16-CVE-2024-1975.patch]
  * When looking up the NS records of parent zones as part of
    looking up DS records, it was possible for named to trigger an
    assertion failure if serve-stale was enabled. This has been
    fixed. (CVE-2024-4076)
    [bsc#1228258, bind-9.16-CVE-2024-4076.patch]

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".

- Add rebased upstream patch to delay any HTTP2 communication until
  encrypted() can be responded to (bsc#1227426, CVE-2024-39936):
  * 0001-HTTP2-Delay-any-communication-until-encrypted-can-be.patch
- Add upstream patch to fix a NULL pointer dereference via the
  function QXcbConnection::initializeAllAtoms() when there is
  anomalous behavior from the X server (bsc#1222120,
  CVE-2023-45935):
  * 0001-xcb-guard-a-pointer-before-usage.patch

- Update CVE-2024-35195.patch to allow the usage of "verify" parameter
  as a directory, bsc#1225912

- Fix stomp header regex to include '-' (bsc#1227793)
- version 0.6.4

- singlespec in Tumbleweed must support multiple python3 flavors
  in the future gh#openSUSE/python-rpm-macros#66

- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

- Provide python3-zypp-plugin in SLE12-SP3 (bsc#1081596)

- Add a couple of upstream patches to fix http process information
  disclosure (CVE-2024-41671, bsc#1228549) and XSS via html injection
  (CVE-2024-41810, bsc#1228552):
  * CVE-2024-41671.patch gh#twisted/twisted@4a930de12fb6
  * CVE-2024-41810.patch gh#twisted/twisted@046a164f89a0

n/a

n/a

n/a

n/a

n/a

n/a

n/a

n/a

n/a

n/a

n/a