sles-12-sp5-byos-v20210303 Package Source Changes

avahi

- Update avahi-daemon-check-dns-suse.patch to drop privileges when
  invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720).
- Add sudo to requires: used to drop privileges.

crash

- Added crash-xen-increase-__physical_mask_shift_xen-to-52.patch
  (bsc#1177050)

file

- Add patch 0446fadf.patch to fix bsc#1182138
  * Bug in "/echo 8000 | file -"/ gzip

glibc

- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
  (CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in
  ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
  /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
- ppc-power10-support.patch: powerpc: Add support for POWER10
  (bsc#1181365)

grub2

- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0033-util-mkimage-Improve-data_size-value-calculation.patch
  * 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0022-kern-parser-Fix-a-memory-leak.patch
  * 0023-kern-parser-Introduce-process_char-helper.patch
  * 0024-kern-parser-Introduce-terminate_arg-helper.patch
  * 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  * 0005-efi-Add-secure-boot-detection.patch
  * 0006-kern-Add-lockdown-support.patch
  * 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  * 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  * 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  * 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  * 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  * 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  * 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
  * 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  * 0015-gdb-Restrict-GDB-access-when-locked-down.patch
  * 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  * 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
  * 0038-squash-grub2-efi-chainload-harder.patch
  * 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  * 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
  * 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
  * grub2.spec

open-iscsi

- Cherry-picked 3 commits from upstream/factory, for bsc#1179908
  (which addresses CVE-2020-17437, CVE-2020-17438, CVE-2020-13987,
  and CVE-2020-13988), changes include:
  * check for TCP urgent pointer past end of frame
  * check for u8 overflow when processing TCP options
  * check for header length underflow during checksum calculation

python-Jinja2

- Add patch CVE-2020-28493-ReDOS-vuln.patch (bsc#1181944, CVE-2020-28493)
  * Improve the speed of the ``urlize`` filter by reducing regex
    backtracking. Email matching requires a word character at the start
    of the domain part, and only word characters in the TLD.

python-cryptography

- Add patch CVE-2020-36242-buffer-overflow.patch (bsc#1182066, CVE-2020-36242)
  * Using the Fernet class to symmetrically encrypt multi gigabyte values
    could result in an integer overflow and buffer overflow.

sudo

- Add sudo-1.8.27-ipa_hostname.patch to fix special handling of
  ipa_hostname that was lost in sudo 1.8.24.
  We now include the long and short hostname in sudo parser container
  [bsc#1181371]