SUSE-CU-2020:787-1: Security update of caasp/v4/prometheus

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Sat Dec 12 00:08:40 MST 2020


SUSE Container Update Advisory: caasp/v4/prometheus
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:787-1
Container Tags        : caasp/v4/grafana:7.1.5 , caasp/v4/grafana:7.1.5-rev3 , caasp/v4/prometheus:7.1.5-rev3-build1.5.239
Container Release     : 1.5.239
Severity              : important
Type                  : security
References            : 1007715 1010996 1011548 1013125 1071152 1071390 1082318 1084671
                        1084934 1087982 1090047 1092920 1093414 1100369 1102840 1103678
                        1104902 1106383 1107116 1107121 1109160 1111499 1113160 1114592
                        1118367 1118368 1123327 1123919 1125689 1128220 1130873 1130873
                        1133297 1133495 1135114 1135254 1137001 1138793 1138822 1139459
                        1139939 1139959 1141897 1142038 1142649 1142654 1142733 1145231
                        1145231 1146182 1146184 1146991 1148177 1148517 1148788 1148987
                        1149145 1149332 1149911 1149995 1150021 1150021 1150734 1151023
                        1151377 1151582 1151708 1152590 1152692 1152755 1153090 1153277
                        1153943 1153946 1154256 1154295 1154661 1154803 1154803 1154804
                        1154805 1154871 1154871 1154884 1154887 1154935 1154940 1154968
                        1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337
                        1155338 1155339 1155346 1155372 1155574 1155668 1155678 1155819
                        1156158 1156159 1156205 1156213 1156300 1156482 1156913 1157051
                        1157198 1157278 1157292 1157315 1157377 1157775 1157794 1157893
                        1158095 1158095 1158101 1158336 1158358 1158485 1158499 1158763
                        1158809 1158830 1158830 1158921 1158996 1159003 1159314 1159814
                        1159928 1160039 1160158 1160160 1160571 1160594 1160595 1160735
                        1160764 1160970 1160979 1161168 1161198 1161203 1161215 1161216
                        1161218 1161219 1161220 1161239 1161262 1161335 1161436 1161517
                        1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162698
                        1162930 1163184 1163526 1163569 1163871 1163922 1164126 1164505
                        1164538 1164543 1164543 1164562 1164717 1164718 1164950 1164950
                        1165011 1165281 1165424 1165476 1165476 1165502 1165534 1165539
                        1165573 1165573 1165579 1165580 1165784 1165921 1166106 1166260
                        1166481 1166510 1166510 1166610 1166610 1166748 1166848 1166881
                        1167122 1167122 1167163 1167223 1167471 1167631 1167674 1167898
                        1167907 1168076 1168235 1168310 1168345 1168364 1168389 1168699
                        1168835 1168990 1168990 1169357 1169488 1169512 1169569 1169664
                        1169944 1169947 1169947 1169992 1170231 1170527 1170557 1170667
                        1170713 1170771 1170801 1170801 1170824 1170964 1171145 1171173
                        1171224 1171224 1171313 1171422 1171656 1171687 1171740 1171762
                        1171863 1171864 1171866 1171872 1171878 1171883 1172021 1172072
                        1172085 1172135 1172135 1172195 1172295 1172348 1172461 1172462
                        1172506 1172597 1172695 1172698 1172704 1172798 1172824 1172846
                        1172925 1172925 1172958 1173027 1173106 1173227 1173229 1173273
                        1173307 1173311 1173422 1173422 1173503 1173529 1173539 1173972
                        1173983 1174011 1174079 1174154 1174232 1174240 1174551 1174561
                        1174593 1174673 1174736 1174753 1174817 1174918 1174918 1174918
                        1175109 1175110 1175168 1175342 1175443 1175568 1175592 1175811
                        1175830 1175831 1175847 1176086 1176092 1176123 1176179 1176181
                        1176192 1176192 1176410 1176435 1176435 1176513 1176625 1176671
                        1176674 1176712 1176712 1176740 1176740 1176800 1176902 1176902
                        1177143 1177238 1177238 1177458 1177479 1177490 1177510 1177533
                        1177858 1177864 1178346 1178376 1178387 1178512 1178727 1179398
                        1179399 1179431 1179491 1179593 906079 935885 935885 973042 998893
                        CVE-2017-3136 CVE-2018-16428 CVE-2018-16429 CVE-2018-5741 CVE-2019-10215
                        CVE-2019-12290 CVE-2019-12450 CVE-2019-13012 CVE-2019-13627 CVE-2019-14250
                        CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-15043 CVE-2019-1551
                        CVE-2019-15847 CVE-2019-18218 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900
                        CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388
                        CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5188 CVE-2019-6477
                        CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-10543 CVE-2020-10878
                        CVE-2020-11501 CVE-2020-12243 CVE-2020-12245 CVE-2020-12723 CVE-2020-13379
                        CVE-2020-13777 CVE-2020-13844 CVE-2020-15719 CVE-2020-1712 CVE-2020-1712
                        CVE-2020-1730 CVE-2020-1752 CVE-2020-1971 CVE-2020-24659 CVE-2020-24977
                        CVE-2020-25219 CVE-2020-25692 CVE-2020-26154 CVE-2020-28196 CVE-2020-7595
                        CVE-2020-8013 CVE-2020-8023 CVE-2020-8027 CVE-2020-8177 CVE-2020-8231
                        CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8616 CVE-2020-8617
                        CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622
                        CVE-2020-8623 CVE-2020-8624 SLE-6533 SLE-6536 SLE-8789 
-----------------------------------------------------------------

The container caasp/v4/prometheus was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2780-1
Released:    Mon Nov 26 17:46:10 2018
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429
This update for glib2 fixes the following issues:

Security issues fixed:

- CVE-2018-16428: Do not do a NULL pointer dereference (crash).
  Avoid that, at the cost of introducing a new translatable error
  message (bsc#1107121).
- CVE-2018-16429: Fixed out-of-bounds read vulnerability ing_markup_parse_context_parse() (bsc#1107116).

Non-security issue fixed:

- various GVariant parsing issues have been resolved (bsc#1111499)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:251-1
Released:    Wed Feb  6 11:22:43 2019
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1090047
This update for glib2 provides the following fix:

- Enable systemtap. (fate#326393, bsc#1090047)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1594-1
Released:    Fri Jun 21 10:17:15 2019
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1103678,1137001,CVE-2019-12450
This update for glib2 fixes the following issues:

Security issue fixed:    

- CVE-2019-12450: Fixed an improper file permission when copy operation
  takes place (bsc#1137001).   

Other issue addressed:    

- glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there
  was a connection thus giving false positives to PackageKit (bsc#1103678)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1833-1
Released:    Fri Jul 12 17:53:51 2019
Summary:     Security update for glib2
Type:        security
Severity:    moderate
References:  1139959,CVE-2019-13012
This update for glib2 fixes the following issues:

Security issue fixed:

- CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3040-1
Released:    Fri Nov 22 11:59:52 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231
This update for lvm2 fixes the following issues:

- Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released:    Mon Nov 25 17:33:07 2019
Summary:     Security update for cpio
Type:        security
Severity:    moderate
References:  1155199,CVE-2019-14866
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written 
  in the header of a TAR file through the to_oct() function which could 
  have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released:    Mon Nov 25 17:34:22 2019
Summary:     Security update for gcc9
Type:        security
Severity:    moderate
References:  1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536


This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

   https://www.gnu.org/software/gcc/gcc-9/changes.html


The base system compiler libraries libgcc_s1, libstdc++6 and others are
now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 /
CXX=g++-9 during configuration for using it.


Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released:    Tue Nov 26 12:39:29 2019
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    low
References:  1152755
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released:    Thu Nov 28 10:02:24 2019
Summary:     Security update for libidn2
Type:        security
Severity:    moderate
References:  1154884,1154887,CVE-2019-12290,CVE-2019-18224
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released:    Thu Nov 28 10:03:00 2019
Summary:     Security update for libxml2
Type:        security
Severity:    low
References:  1123919
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect
all CVEs that have been fixed over the past.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released:    Fri Nov 29 14:41:35 2019
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1154295
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released:    Wed Dec  4 11:24:42 2019
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1007715,1084934,1157278
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released:    Thu Dec  5 11:43:07 2019
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid
  which could have allowed a squid user to gain persistence by changing the 
  binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic 
  links (bsc#1150734).
- Fixed a regression which caused sagmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released:    Tue Dec 10 10:40:19 2019
Summary:     Recommended update for ca-certificates-mozilla, p11-kit
Type:        recommended
Severity:    moderate
References:  1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in
  certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
  detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released:    Wed Dec 11 11:19:53 2019
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3343-1
Released:    Thu Dec 19 11:05:27 2019
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1155668
This update for lvm2 fixes the following issues:

- Fix seeing a 90 Second delay during shutdown and reboot. (bsc#1155668)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released:    Fri Dec 27 13:33:29 2019
Summary:     Security update for libgcrypt
Type:        security
Severity:    moderate
References:  1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released:    Fri Jan 10 12:33:59 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
This update for openssl-1_1 fixes the following issues:

Security issue fixed:

- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             

Various FIPS related improvements were done:

- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released:    Mon Jan 20 09:21:13 2020
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released:    Fri Jan 24 06:49:07 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released:    Wed Jan 29 09:39:17 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released:    Thu Jan 30 11:02:42 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released:    Thu Jan 30 14:05:34 2020
Summary:     Security update for e2fsprogs
Type:        security
Severity:    moderate
References:  1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released:    Fri Jan 31 12:01:39 2020
Summary:     Recommended update for p11-kit
Type:        recommended
Severity:    moderate
References:  1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released:    Thu Feb  6 11:37:24 2020
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#bsc#1162108)
  Fix a heap use-after-free vulnerability, when asynchronous
  Polkit queries were performed while handling Dbus messages. A local
  unprivileged attacker could have abused this flaw to crash systemd services or
  potentially execute code and elevate their privileges, by sending specially
  crafted Dbus messages.

- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)

- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger。 (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display

- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)

- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)

- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)

- Add boot option to not use swap at system start (jsc#SLE-7689)

- Allow YaST to select Iranian (Persian, Farsi) keyboard layout
  (bsc#1092920)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released:    Thu Feb  6 13:03:22 2020
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:368-1
Released:    Fri Feb  7 13:49:41 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1150021
This update for lvm2 fixes the following issues:

- Fix for LVM in KVM: The scsi presistent reservation scenario can trigger and error during LVM actions. (bsc#1150021)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released:    Fri Feb 21 14:34:16 2020
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    moderate
References:  1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900
This update for libsolv, libzypp, zypper fixes the following issues:


Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).                                            
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).                                                              
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released:    Tue Feb 25 10:50:35 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released:    Tue Feb 25 14:23:14 2020
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. 
  This update will solve the issues caused by calling the perl function timelocal
  expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released:    Tue Feb 25 17:38:22 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1160735
This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released:    Fri Feb 28 11:49:36 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1164562
This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released:    Fri Feb 28 16:26:21 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013
This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released:    Tue Mar  3 13:25:41 2020
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1162518
This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released:    Tue Mar  3 13:37:28 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1160160
This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released:    Thu Mar  5 15:24:09 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950
This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released:    Tue Mar 10 16:23:08 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1139939,1151023
This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released:    Fri Mar 13 10:48:58 2020
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1163184,1164505,1165784,CVE-2020-10029
This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in  on-stack buffer 
  during range reduction (bsc#1165784).	  
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released:    Fri Mar 13 17:09:01 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted,
  so we temporary disabled pam_userdb again. It will be published
  in a different package at a later time. (bsc#1166510)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released:    Thu Mar 19 11:00:46 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1160595
This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released:    Thu Mar 19 13:23:03 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)

  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between
    backends
  * nghttpx: Reconnect h1 backend if it lost connection before
    sending headers
  * nghttpx: Returns 408 if backend timed out before sending
    headers
  * nghttpx: Fix request stal

- Conditionally remove dependecy on jemalloc for SLE-12 
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

* This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
  “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
  frames cause Denial of Service by consuming CPU time. Check out
  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  for details. For nghttpx, additionally limiting inbound traffic by
  --read-rate and --read-burst options is quite effective against
  this kind of attack.

* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

Update to version 1.39.1:

* This release fixes the bug that log-level is not set with
  cmd-line or configuration file. It also fixes FPE with default
  backend.

Changes for version 1.39.0:

* libnghttp2 now ignores content-length in 200 response to
  CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
  or 200 to CONNECT.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106
This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers


Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file which select the default IO scheduler for SSDs is
  being moved out from the git repo since this is not related to
  systemd or udev at all and is maintained by the kernel team.

- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:42 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on:

	https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog
  (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5


boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed
  a local attacker to create a specially crafted path that, when processed 
  by the glob function, could potentially have led to arbitrary code execution
  (bsc#1167631).
 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163
This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr  2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]

  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially
    important for virtual machines to boot properly before the RNG
    is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr  3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr  8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
  input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr  8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr  9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr  9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364
This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300
This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314
This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted pathes as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835
This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569
This update for libgcrypt fixes the following issues:

This update for libgcrypt fixes the following issues:
    
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May  5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released:    Thu May  7 11:20:34 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944
This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May  7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released:    Fri May  8 10:51:05 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released:    Wed May 13 13:17:59 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1171173
This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released:    Fri May 15 16:39:59 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1171422
This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released:    Mon May 18 07:38:36 2020
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released:    Mon May 18 07:43:21 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released:    Mon May 18 17:16:04 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1155271
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released:    Thu May 21 09:31:18 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1171872
This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released:    Thu May 21 19:06:00 2020
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1171656
This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE
  backports.  In openSUSE acpid.service is *not* autostarted. I see no
  reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed.
  Instead spamassassin ships a 'sa-update.timer'. But it is not
  default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year
  ago, but snapd didn't even make it into openSUSE yet. There's no reason
  to keep this entry unless snapd actually enters SLE which is not
  foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released:    Mon May 25 14:09:02 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1162930
This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released:    Mon May 25 15:32:34 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1138793,1166260
This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
  deflate algorithm in hardware with estimated compression and decompression performance
  orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
  The fix will avoid to test if the app was linked with exactly same version of zlib
  like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released:    Fri May 29 17:22:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1087982,1170527
This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released:    Thu Jun  4 10:16:12 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1562-1
Released:    Mon Jun  8 12:39:15 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1145231,1150021,1158358,1163526,1164126,1164718
This update for lvm2 fixes the following issues:

- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. 
  The default value is 1, which means the devices/global_filter behaviour is same as before.
  When the value is 0, user should use global_filter to control system-wide software, 
  e.g. udev and lvmetad global_filter_compat are not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358)
- Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun  9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun  9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could 
  have made the TLS server to not bind the session ticket encryption key with a
  value supplied by the application until the initial key rotation, allowing
  an attacker to bypass authentication in TLS 1.3 and recover previous
  conversations in TLS 1.2 (bsc#1172506).
- Fixed an  improper handling of certificate chain with cross-signed intermediate
  CA certificates (bsc#1172461).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:03 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)

zypper was updated to  version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released:    Wed Jun 17 15:07:58 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    important
References:  1169947,1172925
This update for zypper fixes the following issues:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released:    Fri Jun 19 09:44:54 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released:    Thu Jun 25 18:44:37 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1169357
This update for krb5 fixes the following issue:

- Call systemd to reload the services instead of init-scripts. (bsc#1169357)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released:    Thu Jun 25 18:46:13 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15 
  units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
  core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
  mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
  mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
  udev: rename the persistent link for ATA devices (bsc#1164538)
  shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
  tmpfiles: remove unnecessary assert (bsc#1171145)
  test-engine: manager_free() was called too early
  pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released:    Fri Jun 26 08:05:59 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious 
  server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released:    Fri Jul  3 12:33:05 2020
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released:    Mon Jul  6 17:05:51 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released:    Mon Jul  6 17:09:44 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883) 	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul  7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
  (bnc#1172135)
- Support rules with multiple negative literals in choice rule
  generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1972-1
Released:    Tue Jul 21 02:39:24 2020
Summary:     Security update for SUSE Manager Client Tools
Type:        security
Severity:    moderate
References:  1113160,1138822,1142038,1148177,1153090,1153277,1154940,1154968,1155372,1163871,1165921,1168310,1170231,1170557,1170824,1171687,1172462,CVE-2019-10215,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379

This update fixes the following issues:

dracut-saltboot:

- Print a list of available disk devices (bsc#1170824)
- Install wipefs to initrd
- Force install crypt modules

golang-github-prometheus-prometheus:

- Update change log and spec file
  + Modified spec file: default to golang 1.14 to avoid 'have choice' build issues in OBS. 
  + Rebase and update patches for version 2.18.0
- Update to 2.18.0 
  + Features 
    * Tracing: Added experimental Jaeger support #7148
  + Changes
    * Federation: Only use local TSDB for federation (ignore remote read). #7096
    * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094
  + Enhancements
    * TSDB: Significantly reduce WAL size kept around after a block cut. #7098
    * Discovery: Add `architecture` meta label for EC2. #7000
  + Bug fixes
    * UI: Fixed wrong MinTime reported by /status. #7182
    * React UI: Fixed multiselect legend on OSX. #6880
    * Remote Write: Fixed blocked resharding edge case. #7122
    * Remote Write: Fixed remote write not updating on relabel configs change. #7073
- Changes from 2.17.2
  + Bug fixes
    * Federation: Register federation metrics #7081
    * PromQL: Fix panic in parser error handling #7132
    * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138
    * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135
    * TSDB: Make isolation more robust to panics in web handlers #7129 #7136
- Changes from 2.17.1
  + Bug fixes
    * TSDB: Fix query performance regression that increased memory and CPU usage #7051
- Changes from 2.17.0
  + Features 
    * TSDB: Support isolation #6841
    * This release implements isolation in TSDB. API queries and recording rules are
      guaranteed to only see full scrapes and full recording rules. This comes with a
      certain overhead in resource usage. Depending on the situation, there might be
      some increase in memory usage, CPU usage, or query latency.
  + Enhancements
    * PromQL: Allow more keywords as metric names #6933
    * React UI: Add normalization of localhost URLs in targets page #6794
    * Remote read: Read from remote storage concurrently #6770
    * Rules: Mark deleted rule series as stale after a reload #6745
    * Scrape: Log scrape append failures as debug rather than warn #6852
    * TSDB: Improve query performance for queries that partially hit the head #6676
    * Consul SD: Expose service health as meta label #5313
    * EC2 SD: Expose EC2 instance lifecycle as meta label #6914
    * Kubernetes SD: Expose service type as meta label for K8s service role #6684
    * Kubernetes SD: Expose label_selector and field_selector #6807
    * Openstack SD: Expose hypervisor id as meta label #6962
  + Bug fixes
    * PromQL: Do not escape HTML-like chars in query log #6834 #6795
    * React UI: Fix data table matrix values #6896
    * React UI: Fix new targets page not loading when using non-ASCII characters #6892
    * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018
    * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998
    * Scrape: Prevent removal of metric names upon relabeling #6891
    * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circonstances #6986
    * Scrape: Fix crash when reloads are separated by two scrape intervals #7011
- Changes from 2.16.0
  + Features 
    * React UI: Support local timezone on /graph #6692
    * PromQL: add absent_over_time query function #6490
    * Adding optional logging of queries to their own file #6520
  + Enhancements
    * React UI: Add support for rules page and 'Xs ago' duration displays #6503
    * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543
    * TSDB: Export metric for WAL write errors #6647
    * TSDB: Improve query performance for queries that only touch the most recent 2h of data. #6651
    * PromQL: Refactoring in parser errors to improve error messages #6634
    * PromQL: Support trailing commas in grouping opts #6480
    * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670
    * Scrape: Add metrics to track bytes and entries in the metadata cache #6675
    * promtool: Add support for line-column numbers for invalid rules output #6533
    * Avoid restarting rule groups when it is unnecessary #6450
  + Bug fixes
    * React UI: Send cookies on fetch() on older browsers #6553
    * React UI: adopt grafana flot fix for stacked graphs #6603
    * React UI: broken graph page browser history so that back button works as expected #6659
    * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616
    * TSDB: return an error on ingesting series with duplicate labels #6664
    * PromQL: Fix unary operator precedence #6579
    * PromQL: Respect query.timeout even when we reach query.max-concurrency #6712
    * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612
    * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493
    * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505
    * Remote read: return the correct error if configs can't be marshal'd to JSON #6622
    * Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673
    * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511
    * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693
- Changes from 2.15.2
  + Bug fixes
    * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564
    * TSDB: Fixed block compaction issues on Windows. #6547
- Changes from 2.15.1
  + Bug fixes
    * TSDB: Fixed race on concurrent queries against same data. #6512
- Changes from 2.15.0
  + Features 
    * API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442
  + Changes
    * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393
    * Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043
  + Enhancements
    * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461
    * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475
    * TSDB: Improve replay latency. #6230
    * TSDB: WAL size is now used for size based retention calculation. #5886
    * Remote read: Added query grouping and range hints to the remote read request #6401
    * Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344
    * promql: Improved PromQL parser performance. #6356
    * React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements.
    * promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065  
  + Bug fixes
    * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455
    * Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378
    * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469
    * API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303
- Changes from 2.14.0
  + Features 
    * API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. #6243
    * React UI: implement the new experimental React based UI. #5694 and many more
      * Can be found by under `/new`.
      * Not all pages are implemented yet.
    * Status: Cardinality statistics added to the Runtime & Build Information page. #6125
  + Enhancements
    * Remote write: fix delays in remote write after a compaction. #6021
    * UI: Alerts can be filtered by state. #5758
  + Bug fixes
    * Ensure warnings from the API are escaped. #6279
    * API: lifecycle endpoints return 403 when not enabled. #6057
    * Build: Fix Solaris build. #6149
    * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270
    * Remote write: restore use of deduplicating logger in remote write. #6113
    * Remote write: do not reshard when unable to send samples. #6111
    * Service discovery: errors are no longer logged on context cancellation. #6116, #6133
    * UI: handle null response from API properly. #6071
- Changes from 2.13.1
  + Bug fixes
    * Fix panic in ARM builds of Prometheus. #6110
    * promql: fix potential panic in the query logger. #6094
    * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145
- Changes from 2.13.0
  + Enhancements
    * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254
    * Include the tsdb tool in builds. #6089
    * Service discovery: add new node address types for kubernetes. #5902
    * UI: show warnings if query have returned some warnings. #5964
    * Remote write: reduce memory usage of the series cache. #5849
    * Remote read: use remote read streaming to reduce memory usage. #5703
    * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787
    * Promtool: show the warnings during label query. #5924
    * Promtool: improve error messages when parsing bad rules. #5965
    * Promtool: more promlint rules. #5515
  + Bug fixes
    * UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). #6098
    * Promtool: fix recording inconsistency due to duplicate labels. #6026
    * UI: fixes service-discovery view when accessed from unhealthy targets. #5915
    * Metrics format: OpenMetrics parser crashes on short input. #5939
    * UI: avoid truncated Y-axis values. #6014
- Changes from 2.12.0
  + Features 
    * Track currently active PromQL queries in a log file. #5794
    * Enable and provide binaries for `mips64` / `mips64le` architectures. #5792
  + Enhancements
    * Improve responsiveness of targets web UI and API endpoint. #5740
    * Improve remote write desired shards calculation. #5763
    * Flush TSDB pages more precisely. tsdb#660
    * Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667
    * Add logging during TSDB WAL replay on startup. tsdb#662
    * Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627
  + Bug fixes
    * Check for duplicate label names in remote read. #5829
    * Mark deleted rules' series as stale on next evaluation. #5759
    * Fix JavaScript error when showing warning about out-of-sync server time. #5833
    * Fix `promtool test rules` panic when providing empty `exp_labels`. #5774
    * Only check last directory when discovering checkpoint number. #5756
    * Fix error propagation in WAL watcher helper functions. #5741
    * Correctly handle empty labels from alert templates. #5845
- Update Uyuni/SUSE Manager service discovery patch
  + Adapt service discovery to the new Uyuni API endpoints
  + Modified spec file: force golang 1.12 to fix build issues in SLE15SP2
- Update to Prometheus 2.11.2

grafana:

- Update to version 7.0.3
  * Features / Enhancements
    - Stats: include all fields. #24829, @ryantxu
    - Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff
  * Bug fixes
    - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian
    - Configuration: Fix env var override of sections containing hyphen. #25178, @marefr
    - Dashboard: Get panels in collapsed rows. #25079, @peterholmberg
    - Do not show alerts tab when alerting is disabled. #25285, @dprokop
    - Jaeger: fixes cascader option label duration value. #25129, @Estrax
    - Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo
- Update to version 7.0.2
  * Bug fixes
    - Security: Urgent security patch release to fix CVE-2020-13379
- Update to version 7.0.1
  * Features / Enhancements
    - Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney
    - Download CSV: Add date and time formatting. #24992, @ryantxu
    - Table: Make last cell value visible when right aligned. #24921, @peterholmberg
    - TablePanel: Adding sort order persistance. #24705, @torkelo
    - Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg
    - Transformations: Allow custom number input for binary operations. #24752, @ryantxu
  * Bug fixes
    - Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani
    - Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani
    - Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark
    - DataLinks: Bring back variables interpolation in title. #24970, @dprokop
    - Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney
    - Explore/Table: Keep existing field types if possible. #24944, @kaydelaney
    - Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova
    - Explore: fix undo in query editor. #24797, @zoltanbedi
    - Explore: fix word break in type head info. #25014, @zoltanbedi
    - Graph: Legend decimals now work as expected. #24931, @torkelo
    - LoginPage: Fix hover color for service buttons. #25009, @tskarhed
    - LogsPanel: Fix scrollbar. #24850, @ivanahuckova
    - MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo
    - Organize transformer: Use display name in field order comparer. #24984, @dprokop
    - Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark
    - PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop
    - PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo
    - PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark
    - PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark
    - PanelMenu: Make menu disappear on button press. #25015, @tskarhed
    - Postgres: Fix add button. #25087, @phemmer
    - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova
    - Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian
- Update to version 7.0.0 
  * Breaking changes
    - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin.
    - Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds.
    - Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10.
    - Datasource/Loki: Support for deprecated Loki endpoints has been removed.
    - Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. Refer to Upgrade Grafana for more information.
    - @grafana/ui: Forms migration notice, see @grafana/ui changelog
    - @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog
    + Deprecation warnings
      - Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059
      - The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins.
  * Features / Enhancements
    - Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr
    - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal
    - Loki: Allow multiple derived fields with the same name. #24437, @aocenas
    - Orgs: Add future deprecation notice. #24502, @torkelo
  * Bug Fixes
    - @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi
    - Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark
    - Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop
    - Dashboard: Fix for strange 'dashboard not found' errors when opening links in dashboard settings. #24416, @torkelo
    - Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn
    - Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo
    - Dashboard: Make header names reflect the field name when exporting to CSV file from the the panel inspector. #24624, @peterholmberg
    - Dashboard: Make sure side pane is displayed with tabs by default in panel editor. #24636, @dprokop
    - Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet
    - Data source: Fixes async mount errors. #24579, @Estrax
    - Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1
    - Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova
    - Explore: Fix rendering of react query editors. #24593, @ivanahuckova
    - Explore: Fixes loading more logs in logs context view. #24135, @Estrax
    - Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo
    - Graphite: Makes query annotations work again. #24556, @hugohaggmark
    - Logs: Clicking 'Load more' from context overlay doesn't expand log row. #24299, @kaydelaney
    - Logs: Fix total bytes process calculation. #24691, @davkal
    - Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet
    - Plugins: Fix manifest validation. #24573, @aknuds1
    - Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist
    - Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed
    - Search: Save folder expanded state. #24496, @Clarity-89
    - Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss
    - Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo
    - Table: Fixed persisting column resize for time series fields. #24505, @torkelo
    - Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark
    - Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn
    - Transformations: Make transform dropdowns not cropped. #24615, @dprokop
    - Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark
    - Units: Adds scale symbol for currencies with suffixed symbol. #24678, @hugohaggmark
    - Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark
    - Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark
    - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas
    - SAML: Switch from email to login for user login attribute mapping (Enterprise)
- Update Makefile and spec file
  * Remove phantomJS patch from Makefile 
  * Fix multiline strings in Makefile
  * Exclude s390 from SLE12 builds, golang 1.14 is not built for s390
- Add instructions for patching the Grafana javascript frontend.
- BuildRequires golang(API) instead of go metapackage version range
  * BuildRequires:  golang(API) >= 1.14   from
    BuildRequires:  ( go >= 1.14 with go < 1.15 )
- Update to version 6.7.3
  - This version fixes bsc#1170557 and its corresponding CVE-2020-12245
  - Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin
  - Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark
  - AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken
  - Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg
  - Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan
  - DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo
  - Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh
  - Security: Fix annotation popup XSS vulnerability. #23813, @torkelo
  - Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1
  - TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo
  - Variables: Fixes error when setting adhoc variable values. #23580, @hugohaggmark
- Update to version 6.7.2:
  (see installed changelog for the full list of changes)
  -  BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo
  -  Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop
  -  DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn
  -  Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn
  -  Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo
  -  Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo
  -  Plugins: Expose promiseToDigest. #23249, @torkelo
  -  Reporting (Enterprise): Fixes issue updating a report created by someone else
- Update to 6.7.1:
  (see installed changelog for the full list of changes)
  Bug Fixes
  - Azure: Fixed dropdowns not showing current value. #22914, @torkelo
  - BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark
  - Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo
  - Reporting: fixes migrations compatibility with mysql (Enterprise)
  - Reporting: Reduce default concurrency limit to 4 (Enterprise)
- Update to 6.7.0:
  (see installed changelog for the full list of changes)
  Bug Fixes
  - AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo
  - BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark
  - Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo
  - Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo
  - Rich History: UX adjustments and fixes. #22729, @ivanahuckova
- Update to 6.7.0-beta1:
  Breaking changes
  -  Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked.
  -  Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338
  - Notice about changes in backendSrv for plugin authors
    In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv.
    Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI.
    To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv.
  Bug Fixes
    API: Fix redirect issues. #22285, @papagian
    Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1
    Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal
    Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal
    Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek
    BackendSrv: Fixes POST body for form data. #21714, @hugohaggmark
    CloudWatch: Credentials cache invalidation fix. #22473, @sunker
    CloudWatch: Expand alias variables when query yields no result. #22695, @sunker
    Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk
    Explore: Fix display of multiline logs in log panel and explore. #22057, @thomasdraebing
    Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d
    Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo
    StatPanel: Fixes base color is being used for null values .
    #22646, @torkelo
- Update to version 6.6.2:
  (see installed changelog for the full list of changes)
- Update to version 6.6.1:
  (see installed changelog for the full list of changes)
- Update to version 6.6.0:
  (see installed changelog for the full list of changes)
- Update to version 6.5.3:
  (see installed changelog for the full list of changes)
- Update to version 6.5.2:
  (see installed changelog for the full list of changes)
- Update to version 6.5.1:
  (see installed changelog for the full list of changes)
- Update to version 6.5.0
  (see installed changelog for the full list of changes)
- Update to version 6.4.5:
  * Create version 6.4.5
  * CloudWatch: Fix high CPU load (#20579)
- Add obs-service-go_modules to download required modules into vendor.tar.gz
- Adjusted spec file to use vendor.tar.gz
- Adjusted Makefile to work with new filenames
- BuildRequire go1.14
- Update to version 6.4.4:
  * DataLinks: Fix blur issues. #19883, @aocenas
  * Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson
  * LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen
  * LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson
  * Singlestat: Fix no data / null value mapping . #19951, @ryantxu
- Revert the spec file and make script
- Remove PhantomJS dependency
- Update to 6.4.3
  * Bug Fixes
    - Alerting: All notification channels should send even if one fails to send. #19807, @jan25
    - AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas
    - ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal
    - DataLinks: Fix context menu not showing in singlestat-ish visualisations. #19809, @dprokop
    - DataLinks: Fix url field not releasing focus. #19804, @aocenas
    - Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas
    - Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark
    - Singlestat: Fixed issue with mapping null to text. #19689, @torkelo
    - @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop
    - @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang
- Update to 6.4.2
  * Bug Fixes
    - CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron
    - Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark
    - Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo
    - Graph: Switching to series mode should re-render graph. #19623, @torkelo
    - Loki: Fix autocomplete on label values. #19579, @aocenas
    - Loki: Removes live option for logs panel. #19533, @davkal
    - Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha
    - Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark
    - ShareQuery: Fixed issue when using -- Dashboard -- datasource (to share query result) when dashboard had rows. #19610, @torkelo
    - Show SAML login button if SAML is enabled. #19591, @papagian
    - SingleStat: Fixes  postfix/prefix usage. #19687, @hugohaggmark
    - Table: Proper handling of json data with dataframes. #19596, @marefr
    - Units: Fixed wrong id for Terabits/sec. #19611, @andreaslangnevyjel
- Changes from 6.4.1
  * Bug Fixes
    - Provisioning: Fixed issue where empty nested keys in YAML provisioning caused a server crash, #19547
    - ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise)
    - Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise).
- Changes from 6.4.0
  * Features / Enhancements
    - Build: Upgrade go to 1.12.10. #19499, @marefr
    - DataLinks: Suggestions menu improvements. #19396, @dprokop
    - Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova
    - Explore: Update broken link to logql docs. #19510, @ivanahuckova
    - Logs: Adds Logs Panel as a visualization. #19504, @davkal
  * Bug Fixes
    - CLI: Fix version selection for plugin install. #19498, @aocenas
    - Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo
- Changes from 6.4.0 Beta 2
  * Features / Enhancements
    - Azure Monitor: Remove support for cross resource queries (#19115)'. #19346, @sunker
    - Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr
    - Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo
    - grafana/toolkit: Add plugin creation task. #19207, @dprokop
  * Bug Fixes
    - Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark
    - Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm
    - Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz
    - Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo
    - Database: Rewrite system statistics query to perform better. #19178, @papagian
    - Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu
    - MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr
    - Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh
    - MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr
    - MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr
    - MySQL: Limit datasource error details returned from the backend. #19373, @marefr
- Changes from 6.4.0 Beta 1
  * Features / Enhancements
    - API: Readonly datasources should not be created via the API. #19006, @papagian
    - Alerting: Include configured AlertRuleTags in Webhooks notifier. #18233, @dominic-miglar
    - Annotations: Add annotations support to Loki. #18949, @aocenas
    - Annotations: Use a single row to represent a region. #17673, @ryantxu
    - Auth: Allow inviting existing users when login form is disabled. #19048, @548017
    - Azure Monitor: Add support for cross resource queries. #19115, @sunker
    - CLI: Allow installing custom binary plugins. #17551, @aocenas
    - Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark
    - Dashboard: Reuse query results between panels . #16660, @ryantxu
    - Dashboard: Set time to to 23:59:59 when setting To time using calendar. #18595, @simPod
    - DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu
    - DataLinks: Enable access to labels & field names. #18918, @torkelo
    - DataLinks: Enable multiple data links per panel. #18434, @dprokop
    - Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech
    - Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery
    - Explore: Add throttling when doing live queries. #19085, @aocenas
    - Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney
    - Explore: Reduce default time range to last hour. #18212, @davkal
    - Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu
    - Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal
    - Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian
    - InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code
    - LDAP: Allow an user to be synchronized against LDAP. #18976, @gotjosh
    - Ldap: Add ldap debug page. #18759, @peterholmberg
    - Loki: Remove prefetching of default label values. #18213, @davkal
    - Metrics: Add failed alert notifications metric. #18089, @koorgoo
    - OAuth: Support JMES path lookup when retrieving user email. #14683, @bobmshannon
    - OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin
    - Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh
    - Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati
    - Plugins: better warning when plugins fail to load. #18671, @ryantxu
    - Postgres: Add support for scram sha 256 authentication. #18397, @nonamef
    - RemoteCache: Support SSL with Redis. #18511, @kylebrandt
    - SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu
    - Stackdriver: Add extra alignment period options. #18909, @sunker
    - Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon
    - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar
  * Bug Fixes
    - Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian
    - Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt
    - Alerting: fix response popover prompt when add notification channels. #18967, @lzdw
    - CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger
    - Explore: Fix auto completion on label values for Loki. #18988, @aocenas
    - Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark
    - Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark
    - MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold
    - MSSQL: Fix memory leak when debug enabled. #19049, @briangann
    - Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt
    - TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark
  * Breaking changes
    + Annotations
      There are some breaking changes in the annotations HTTP API for region annotations. Region annotations are now represented
      using a single event instead of two seperate events. Check breaking changes in HTTP API below and HTTP API documentation for more details.
    + Docker
      Grafana is now using Alpine 3.10 as docker base image.
    + HTTP API
      - GET /api/alert-notifications now requires at least editor access.
        New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be access by any authenticated user.
      - GET /api/alert-notifiers now requires at least editor access
      - GET /api/org/users now requires org admin role.
        New /api/org/users/lookup returns less information than /api/org/users and can be access by users that are org admins,
        admin in any folder or admin of any team.
      - GET /api/annotations no longer returns regionId property.
      - POST /api/annotations no longer supports isRegion property.
      - PUT /api/annotations/:id no longer supports isRegion property.
      - PATCH /api/annotations/:id no longer supports isRegion property.
      - DELETE /api/annotations/region/:id has been removed.
  * Deprecation notes
    + PhantomJS
      - PhantomJS, which is used for rendering images of dashboards and panels,
        is deprecated and will be removed in a future Grafana release.
        A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use.
        Please consider migrating from PhantomJS to the Grafana Image Renderer plugin.
- Changes from 6.3.6
  * Features / Enhancements
    - Metrics: Adds setting for turning off total stats metrics. #19142, @marefr
  * Bug Fixes
    - Database: Rewrite system statistics query to perform better. #19178, @papagian
    - Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney
- Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors.
- Add missing directories provisioning/datasources and provisioning/notifiers
  and sample.yaml as described in packaging/rpm/control from upstream.
  Missing directories are shown in logfiles.
- Version 6.3.5
  * Upgrades
    + Build: Upgrade to go 1.12.9.
  * Bug Fixes
    + Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties.
    + Editor: Fixes issue where only entire lines were being copied.
    + Explore: Fixes query field layout in splitted view for Safari browsers.
    + LDAP: multildap + ldap integration.
    + Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds.
    + Prometheus: Prevents panel editor crash when switching to Prometheus datasource.
    + Prometheus: Changes brace-insertion behavior to be less annoying.
- Version 6.3.4
  * Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use.
- Version 6.3.3
  * Bug Fixes
    + Annotations: Fix failing annotation query when time series query is cancelled. #18532 1, @dprokop 1
    + Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462 1, @papagian 3
    + DataLinks: Apply scoped variables to data links correctly. #18454 1, @dprokop 1
    + DataLinks: Respect timezone when displaying datapoint’s timestamp in graph context menu. #18461 2, @dprokop 1
    + DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459 1, @dprokop 1
    + Explore: Fix loading error for empty queries. #18488 1, @davkal
    + Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563 1, @torkelo 2
    + Graphite: Avoid glob of single-value array variables . #18420, @gotjosh
    + Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480 5, @hugohaggmark 3
    + Prometheus: More consistently allows for multi-line queries in editor. #18362 2, @kaydelaney 2
    + TimeSeries: Assume values are all numbers. #18540 4, @ryantxu
- Version 6.3.2
  * Bug Fixes
    + Gauge/BarGauge: Fixes issue with losts thresholds and issue loading Gauge with avg stat. #18375 12
- Version 6.3.1
  * Bug Fixes
    + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2
- Version 6.3.0
  * Features / Enhancements
    + OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3
    + Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh
    + Build grafana images consistently. #18224 12, @hassanfarid
    + Docs: SAML. #18069 11, @gotjosh
    + Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas
    + TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2
    + Alerting: Add tags to alert rules. #10989 13, @Thib17 1
    + Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng
    + Alerting: Improve alert rule testing. #16286 2, @marefr
    + Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25
    + Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1
    + Auth: Allow expiration of API keys. #17678, @papagian 3
    + Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1
    + Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1
    + AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1
    + CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu
    + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu
    + Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax
    + Data links. #17267 11, @torkelo 2
    + Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues… #17066 5, @bergquist 1
    + Elasticsearch: Support for visualizing logs in Explore . #17605 7, @marefr
    + Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3
    + Explore: Adds orgId to URL for sharing purposes. #17895 1, @kaydelaney 2
    + Explore: Adds support for new loki ‘start’ and ‘end’ params for labels endpoint. #17512, @kaydelaney 2
    + Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2
    + Explore: Allow switching between metrics and logs . #16959 2, @marefr
    + Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3
    + Explore: Display log lines context . #17097, @dprokop 1
    + Explore: Don’t parse log levels if provided by field or label. #17180 1, @marefr
    + Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2
    + Explore: Support for new LogQL filtering syntax. #16674 4, @davkal
    + Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3
    + Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1
    + Graph: Added new fill gradient option. #17528 3, @torkelo 2
    + GraphPanel: Don’t sort series when legend table & sort column is not visible . #17095, @shavonn 1
    + InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3
    + Logging: Login and Logout actions (#17760). #17883 1, @ATTron
    + Logging: Move log package to pkg/infra. #17023, @zhulongcheng
    + Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1
    + MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd
    + MySQL: Add support for periodically reloading client certs. #14892, @tpetr
    + Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu
    + Prometheus: Take timezone into account for step alignment. #17477, @fxmiii
    + Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246
    + Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA
    + Provisioning: Support folder that doesn’t exist yet in dashboard provisioning. #17407 1, @Nexucis
    + Refresh picker: Handle empty intervals. #17585 1, @dehrax
    + Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr
    + Snapshot: use given key and deleteKey. #16876, @zhulongcheng
    + Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev
    + Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad
    + Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway
    + Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin
  * Bug Fixes
    + PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax
    + OAuth: Fix “missing saved state” OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3
    + cli: fix for recognizing when in dev mode… #18334, @xlson
    + DataLinks: Fixes incorrect interpolation of ${__series_name} . #18251 1, @torkelo 2
    + Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2
    + PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson
    + TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2
    + Timerange: Fixes a bug where custom time ranges didn’t respect UTC. #18248 1, @kaydelaney 2
    + remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke
    + AddPanel: Fix issue when removing moved add panel widget . #17659 2, @dehrax
    + CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr
    + Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr
    + Explore: Fix browsing back to dashboard panel. #17061, @jschill
    + Explore: Fix filter by series level in logs graph. #17798, @marefr
    + Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr
    + Explore: Fix selection/copy of log lines. #17121, @marefr
    + Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas
    + Frontend: Fix for Json tree component not working. #17608, @srid12
    + Graphite: Fix for issue with alias function being moved last. #17791, @torkelo 2
    + Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2
    + Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3
    + HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25
    + InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki
    + Prometheus: Correctly escape ‘|’ literals in interpolated PromQL variables. #16932, @Limess
    + Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi
    + SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri
- Make phantomjs dependency configurable
- Create plugin directory and clean up (create in %install,
  add to %files) handling of /var/lib/grafana/* and

koan:

- Calculate relative path for kernel and inited when generating
  grub entry (bsc#1170231)
- Fix os-release version detection for SUSE

mgr-cfg:

- Remove commented code in test files
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Add mgr manpage links

mgr-custom-info:

- Bump version to 4.1.0 (bsc#1154940)

mgr-daemon:

- Bump version to 4.1.0 (bsc#1154940)
- Fix systemd timer configuration on SLE12 (bsc#1142038)

mgr-osad:

- Separate osa-dispatcher and jabberd so it can be disabled independently
- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Move /usr/share/rhn/config-defaults to uyuni-base-common
- Require uyuni-base-common for /etc/rhn (for osa-dispatcher)
- Ensure bytes type when using hashlib to avoid traceback (bsc#1138822)

mgr-push:

- Replace spacewalk-usix and spacewalk-backend-libs with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)

mgr-virtualization:

- Replace spacewalk-usix with uyuni-common-libs
- Bump version to 4.1.0 (bsc#1154940)
- Fix mgr-virtualization timer

rhnlib:

- Fix building
- Fix malformed XML response when data contains non-ASCII chars (bsc#1154968)
- Bump version to 4.1.0 (bsc#1154940)
- Fix bootstrapping SLE11SP4 trad client with SSL enabled (bsc#1148177)

spacecmd:

- Only report real error, not result (bsc#1171687)
- Use defined return values for spacecmd methods so scripts can
  check for failure (bsc#1171687)
- Disable globbing for api subcommand to allow wildcards in filter
  settings (bsc#1163871)
- Bugfix: attempt to purge SSM when it is empty (bsc#1155372)
- Bump version to 4.1.0 (bsc#1154940)
- Prevent error when piping stdout in Python 2 (bsc#1153090)
- Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277)
- Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04
- Add unit test for schedule, errata, user, utils, misc, configchannel
  and kickstart modules
- Multiple minor bugfixes alongside the unit tests
- Bugfix: referenced variable before assignment.
- Add unit test for report, package, org, repo and group

spacewalk-client-tools:

- Add workaround for uptime overflow to spacewalk-update-status as well (bsc#1165921)
- Spell correctly 'successful' and 'successfully'
- Skip dmidecode data on aarch64 to prevent coredump (bsc#1113160)
- Replace spacewalk-usix with uyuni-common-libs
- Return a non-zero exit status on errors in rhn_check
- Bump version to 4.1.0 (bsc#1154940)
- Make a explicit requirement to systemd for spacewalk-client-tools
  when rhnsd timer is installed

spacewalk-koan:

- Bump version to 4.1.0 (bsc#1154940)
- Require commands we use in merge-rd.sh

spacewalk-oscap:

- Bump version to 4.1.0 (bsc#1154940)

spacewalk-remote-utils:

- Update spacewalk-create-channel with RHEL 7.7 channel definitions
- Bump version to 4.1.0 (bsc#1154940)

supportutils-plugin-susemanager-client:

- Bump version to 4.1.0 (bsc#1154940)

suseRegisterInfo:

- SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310)
- Bump version to 4.1.0 (bsc#1154940)

zypp-plugin-spacewalk:

- 1.0.7
- Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released:    Fri Jul 24 13:58:53 2020
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:

libsolv was updated to version 0.7.14:

- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule
  generation

libzypp was updated to version 17.24.0:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm. (bsc#1173106)
- Proactively send credentials if the URL specifes '?auth=basic' and a username.
  (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released:    Thu Jul 30 10:27:59 2020
Summary:     Recommended update for diffutils
Type:        recommended
Severity:    moderate
References:  1156913
This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released:    Fri Jul 31 08:06:40 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1173227,1173229,1173422
This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)

  The marker is used to make sure the script is run only once. Instead
  of storing it in /usr, use /var which is more appropriate for such
  file.
  Also make it owned by systemd package.

- Fix inconsistent file modes for some ghost files (bsc#1173227)

  Ghost files are assumed by rpm to have mode 000 by default which is
  not consistent with file permissions set at runtime.
  Also /var/lib/systemd/random-seed was tracked wrongly as a
  directory.

  Also don't track (ghost) /etc/systemd/system/runlevel*.target
  aliases since we're not supposed to track units or aliases user
  might define/override.

- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2124-1
Released:    Wed Aug  5 09:24:47 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1172597
This update for lvm2 fixes the following issues:

- Fixed an issue where the system hangs for 90 seconds before it actually shuts down (bsc#1172597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released:    Thu Aug 13 09:15:47 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1171878,1172085
This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2278-1
Released:    Wed Aug 19 21:26:08 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1149911,1151708,1168235,1168389
This update for util-linux fixes the following issues:

- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released:    Thu Aug 20 16:04:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:

update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

  * AddTrust External CA Root
  * AddTrust Class 1 CA Root
  * LuxTrust Global Root 2
  * Staat der Nederlanden Root CA - G2
  * Symantec Class 1 Public Primary Certification Authority - G4
  * Symantec Class 2 Public Primary Certification Authority - G4
  * VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

  * certSIGN Root CA G2
  * e-Szigno Root CA 2017
  * Microsoft ECC Root Certificate Authority 2017
  * Microsoft RSA Root Certificate Authority 2017

- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep  1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
  'Exec*='. (bsc#1172824, bsc#1142733)
  
  pid1: improve message when setting up namespace fails.
  
  execute: let's close glibc syslog channels too.
  
  execute: normalize logging in *execute.c*.
  
  execute: fix typo in error message.
  
  execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  
  execute: make use of the new logging mode in *execute.c*
  
  log: add a mode where we open the log fds for every single log message.
  
  log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  
  execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  
  execute: rework logging in *setup_keyring()* to include unit info.
  
  execute: improve and augment execution log messages.
  
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep  1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released:    Wed Sep  2 09:33:22 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
  rare circumstances experience that when subsequently using the
  setup connect-only transfer, libcurl will pick and use the wrong
  connection and instead pick another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep  9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
  SAN's falling back to CN validation in violation of rfc6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.

  This release properly supports all specified metadata areas, as documented
  in *LUKS2* format description.
  Currently, only default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.

- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
  if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.

  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. 
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) 
  are already mandatory for LUKS2.

- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option.

- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.

- Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested 
  sector size. Previously it was possible, and the device was rejected to activate by kernel later.

- Fix checking of hash algorithms availability for *PBKDF* early. Previously *LUKS2* format allowed non-existent hash 
  algorithm with invalid keyslot preventing the device from activation.

- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
  both for data encryption and keyslot encryption in *LUKS1/2* devices.

  For benchmark, use:
    
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

  For LUKS format:
  
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 <device>

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct  1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct  2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625
This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request.  Root and TLD servers are no longer exempt
  from max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
  Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll <value>' did not limit the number of saved files to <value>.
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a/the only member of the 'named' group
  has full r/w access yet cannot change directories owned by root
  in the case of a compromized named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. Leaving the option in genDDNSkey as to not break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when  NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471) 
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3234-1
Released:    Fri Nov  6 16:01:36 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:  1177864
This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

  - EE Certification Centre Root CA
  - Taiwan GRCA

- Added CAs:

  - Trustwave Global Certification Authority
  - Trustwave Global ECC P256 Certification Authority
  - Trustwave Global ECC P384 Certification Authority

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3248-1
Released:    Fri Nov  6 17:02:05 2020
Summary:     Recommended update for SUSE Manager Client Tools
Type:        recommended
Severity:    moderate
References:  1167907,1169664

This update fixes the following issues:

dracut-saltboot:

- Support autosign grains in saltboot intrd

grafana:

- Update to version 7.1.5:
  * Features / Enhancements
    - Stats: Stop counting the same user multiple times.
    - Field overrides: Filter by field name using regex.
    - AzureMonitor: map more units.
    - Explore: Don't run queries on datasource change.
    - Graph: Support setting field unit & override data source (automatic) unit.
    - Explore: Unification of logs/metrics/traces user interface
    - Table: JSON Cell should try to convert strings to JSON
    - Variables: enables cancel for slow query variables queries. 
    - TimeZone: unify the time zone pickers to one that can rule them all.
    - Search: support URL query params.
    - Grafana-UI: Add FileUpload.
    - TablePanel: Sort numbers correctly.
  * Bug fixes
    - Alerting: remove LongToWide call in alerting.
    - AzureMonitor: fix panic introduced in 7.1.4 when unit was unspecified and alias was used. 
    - Variables: Fixes issue with All variable not being resolved.
    - Templating: Fixes so texts show in picker not the values.
    - Templating: Templating: Fix undefined result when using raw interpolation format
    - TextPanel: Fix content overflowing panel boundaries. 
    - StatPanel: Fix stat panel display name not showing when explicitly set.
    - Query history: Fix search filtering if null value.
    - Flux: Ensure connections to InfluxDB are closed.
    - Dashboard: Fix for viewer can enter panel edit mode by modifying url (but cannot not save anything).
    - Prometheus: Fix prom links in mixed mode.
    - Sign In Use correct url for the Sign In button.
    - StatPanel: Fixes issue with name showing for single series / field results
    - BarGauge: Fix space bug in single series mode.
    - Auth: Fix POST request failures with anonymous access
    - Templating: Fix recursive loop of template variable queries when changing ad-hoc-variable
    - Templating: Fixed recursive queries triggered when switching dashboard settings view
    - GraphPanel: Fix annotations overflowing panels.
    - Prometheus: Fix performance issue in processing of histogram labels.
    - Datasources: Handle URL parsing error.
    - Security: Use Header.Set and Header.Del for X-Grafana-User header.
  * Changes in spec file
    - Fix golang version = 1.14 to avoid dependency conflicts on some OBS projects

grafana-ha-cluster-dashboards:

- Add the package to the SUSE Manager Client Tools 12 channels.

grafana-sap-hana-dashboards:

- Add the package to the SUSE Manager Client Tools 12 channels.

grafana-sap-netweaver-dashboards:

- Add the package to the SUSE Manager Client Tools 12 channels.

grafana-sap-providers:

- Add the package to the SUSE Manager Client Tools 12 channels.

mgr-daemon:

- Update translation strings

spacecmd:

- Python3 fixes for errata in spacecmd (bsc#1169664)
- Added support for i18n of user-facing strings
- Python3 fix for sorted usage (bsc#1167907)

spacewalk-client-tools:

- Remove RH references in Python/Ruby localization and use the product name instead


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3285-1
Released:    Wed Nov 11 11:22:14 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to version 17.25.1:

- Fix bsc#1176902: When kernel-rt has been installed, the
  purge-kernels service fails during boot.
- Use package name provides as group key in purge-kernel
  (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}=<version> to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- New solver testcase format.
- Link against libzsd to close libsolvs open references
  (as we link statically)

zypper was updated to version 1.14.40.

- info: Assume descriptions starting with '<p>' are richtext
  (bsc#935885)
- Use new testcase API in libzypp.
- BuildRequires:  libzypp-devel >= 17.25.0.
- help: prevent 'whatis' from writing to stderr (bsc#1176712)
- wp: point out that command is aliased to a search command and
  searches case-insensitive (jsc#SLE-16271)

libsolv was updated to version 0.7.16:

- do not ask the namespace callback for splitprovides when writing
  a testcase
- fix add_complex_recommends() selecting conflicted packages in
  rare cases leading to crashes
- improve choicerule generation so that package updates are
  prefered in more cases
- make testcase_mangle_repo_names deal correctly with freed repos
  [bsc#1177238]
- fix deduceq2addedmap clearing bits outside of the map
- conda: feature depriorization first
- conda: fix startswith implementation
- move find_update_seeds() call in cleandeps calculation
- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers
- new testcase_mangle_repo_names() function
- new solv_fmemopen() function

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3485-1
Released:    Mon Nov 23 13:10:36 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1123327,1173503,1175110,998893
This update for lvm2 fixes the following issues:
  
- Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110)
- Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503)
- Fixes an issue when LVM initialization failed during reboot. (bsc#998893)
- Fixed a misplaced parameter in the lvm configuration. (bsc#1123327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3546-1
Released:    Fri Nov 27 11:21:09 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1172695
This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3560-1
Released:    Mon Nov 30 12:21:34 2020
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479
This update for openssl-1_1 fixes the following issues:

This update backports various bugfixes for FIPS:

- Restore private key check in EC_KEY_check_key [bsc#1177479]
- Add shared secret KAT to FIPS DH selftest [bsc#1175847]
- Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847]
- Fix locking issue uncovered by python testsuite (bsc#1166848)
- Fix the sequence of locking operations in FIPS mode [bsc#1165534]
- Fix deadlock in FIPS rand code (bsc#1165281)
- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
- Fix FIPS DRBG without derivation function (bsc#1161198)
- Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203)
- Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12
  (bsc#1158499)

- Restore the EVP_PBE_scrypt() behavior from before the KDF patch
  by treating salt=NULL as salt='' (bsc#1160158)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3572-1
Released:    Mon Nov 30 18:12:34 2020
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1177533
This update for lvm2 fixes the following issues:

- Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3579-1
Released:    Tue Dec  1 14:24:31 2020
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1178346
This update for glib2 fixes the following issues:

- Add support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3581-1
Released:    Tue Dec  1 14:40:22 2020
Summary:     Recommended update for libusb-1_0
Type:        recommended
Severity:    moderate
References:  1178376
This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of of the user's name of at least `<N>` characters length in 
  some form. This is enabled by the new parameter `usersubstr=<N>`

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3720-1
Released:    Wed Dec  9 13:36:26 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3733-1
Released:    Wed Dec  9 18:18:35 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).	  



More information about the sle-security-updates mailing list