From sle-container-updates at lists.suse.com Fri Nov 3 08:02:03 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 3 Nov 2023 09:02:03 +0100 (CET)
Subject: SUSE-CU-2023:3686-1: Recommended update of suse/manager/4.3/proxy-httpd
Message-ID: <20231103080203.08351F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3686-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.8 , suse/manager/4.3/proxy-httpd:4.3.8.9.37.30 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.8 , suse/manager/4.3/proxy-httpd:susemanager-4.3.8.9.37.30
Container Release : 9.37.30
Severity : moderate
Type : recommended
References : 1196647
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This Update for libtirpc to 1.3.4, fixing the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated

From sle-container-updates at lists.suse.com Fri Nov 3 08:02:07 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 3 Nov 2023 09:02:07 +0100 (CET)
Subject: SUSE-CU-2023:3687-1: Recommended update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20231103080207.5D5FCF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3687-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.8 ,
suse/manager/4.3/proxy-salt-broker:4.3.8.9.27.29 , suse/manager/4.3/proxy-salt-broker:latest , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.8 , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.8.9.27.29
Container Release : 9.27.29
Severity : moderate
Type : recommended
References : 1196647
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This Update for libtirpc to 1.3.4, fixing the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated

From sle-container-updates at lists.suse.com Fri Nov 3 08:02:12 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 3 Nov 2023 09:02:12 +0100 (CET)
Subject: SUSE-CU-2023:3688-1: Recommended update of suse/manager/4.3/proxy-squid
Message-ID: <20231103080212.CDD71F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-squid
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3688-1
Container Tags : suse/manager/4.3/proxy-squid:4.3.8 , suse/manager/4.3/proxy-squid:4.3.8.9.36.26 , suse/manager/4.3/proxy-squid:latest , suse/manager/4.3/proxy-squid:susemanager-4.3.8 , suse/manager/4.3/proxy-squid:susemanager-4.3.8.9.36.26
Container Release : 9.36.26
Severity : moderate
Type : recommended
References : 1196647
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-squid was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This Update for libtirpc to 1.3.4, fixing the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated

From sle-container-updates at lists.suse.com Fri Nov 3 08:02:17 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 3 Nov 2023 09:02:17 +0100 (CET)
Subject: SUSE-CU-2023:3689-1: Recommended update of suse/manager/4.3/proxy-ssh
Message-ID: <20231103080217.3836FF78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3689-1
Container Tags : suse/manager/4.3/proxy-ssh:4.3.8 , suse/manager/4.3/proxy-ssh:4.3.8.9.27.26 , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.8 , suse/manager/4.3/proxy-ssh:susemanager-4.3.8.9.27.26
Container Release : 9.27.26
Severity : moderate
Type : recommended
References : 1196647
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This Update for libtirpc to 1.3.4, fixing the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated

From sle-container-updates at lists.suse.com Fri Nov 3 08:02:21 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 3 Nov 2023 09:02:21 +0100 (CET)
Subject: SUSE-CU-2023:3690-1: Recommended update of suse/manager/4.3/proxy-tftpd
Message-ID: <20231103080221.91253F78C@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3690-1
Container Tags : suse/manager/4.3/proxy-tftpd:4.3.8 , suse/manager/4.3/proxy-tftpd:4.3.8.9.27.26 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.8 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.8.9.27.26
Container Release : 9.27.26
Severity : moderate
Type : recommended
References : 1196647
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This Update for libtirpc to 1.3.4, fixing the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated

From sle-container-updates at lists.suse.com Tue Nov 7 08:03:24 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 7 Nov 2023 09:03:24 +0100 (CET)
Subject: SUSE-CU-2023:3695-1: Security update of suse/nginx
Message-ID: <20231107080324.CA73DFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3695-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-5.29 , suse/nginx:latest
Container Release : 5.29
Severity : moderate
Type : security
References : 1212535 1212881 1212883 1212888 1213273 1213274 1213589 1213590 1214574 CVE-2020-18768 CVE-2023-25433 CVE-2023-26966 CVE-2023-2908 CVE-2023-3316 CVE-2023-3576 CVE-2023-3618 CVE-2023-38288 CVE-2023-38289
-----------------------------------------------------------------

The container suse/nginx was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4370-1
Released: Mon Nov 6 09:51:10 2023
Summary: Security update for tiff
Type: security
Severity: moderate
References: 1212535,1212881,1212883,1212888,1213273,1213274,1213589,1213590,1214574,CVE-2020-18768,CVE-2023-25433,CVE-2023-26966,CVE-2023-2908,CVE-2023-3316,CVE-2023-3576,CVE-2023-3618,CVE-2023-38288,CVE-2023-38289

This update for tiff fixes the following issues:

- CVE-2023-38289: Fixed a NULL pointer dereference in raw2tiff (bsc#1213589).
- CVE-2023-38288: Fixed an integer overflow in raw2tiff (bsc#1213590).
- CVE-2023-3576: Fixed a memory leak in tiffcrop (bsc#1213273).
- CVE-2020-18768: Fixed an out of bounds read in tiffcp (bsc#1214574).
- CVE-2023-26966: Fixed an out of bounds read when transforming a little-endian file to a big-endian output (bsc#1212881)
- CVE-2023-3618: Fixed a NULL pointer dereference while encoding FAX3 files (bsc#1213274).
- CVE-2023-2908: Fixed an undefined behavior issue when doing pointer arithmetic on a NULL pointer (bsc#1212888).
- CVE-2023-3316: Fixed a NULL pointer dereference while opening a file in an inaccessible path (bsc#1212535).
- CVE-2023-25433: Fixed a buffer overflow in tiffcrop (bsc#1212883).

The following package changes have been done:

- libtiff5-4.0.9-150000.45.32.1 updated

From sle-container-updates at lists.suse.com Fri Nov 10 10:08:01 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 10 Nov 2023 11:08:01 +0100 (CET)
Subject: SUSE-CU-2023:3696-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20231110100801.C4B28FBAF@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3696-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.2 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.2
Container Release : 9.40.2
Severity : important
Type : security
References : 1204270 1204270 1211047 1211047 1211145 1211145 1211270 1211270 1211912 1211912 1212168 1212168 1212507 1212507 1213132 1213132 1213376 1213376 1213469 1213469 1213680 1213680 1213689 1213689 1214041 1214041 1214121 1214121 1214463 1214463 1214553 1214553 1214746 1214746 1215027 1215027 1215120 1215120 1215157 1215412 1215412 1215514 1215514 1216411 1216411 1216661 1216661
CVE-2023-34049
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4385-1
Released: Thu Nov 9 03:30:32 2023
Summary: Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Type: recommended
Severity: important
References: 1204270,1211047,1211145,1211270,1211912,1212168,1212507,1213132,1213376,1213469,1213680,1213689,1214041,1214121,1214463,1214553,1214746,1215027,1215120,1215412,1215514,1216411,1216661

Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server

This is a codestream only update

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4412-1
Released: Thu Nov 9 03:49:51 2023
Summary: Maintenance update for SUSE Manager 4.3.9 Release Notes
Type: security
Severity: moderate
References: 1204270,1211047,1211145,1211270,1211912,1212168,1212507,1213132,1213376,1213469,1213680,1213689,1214041,1214121,1214463,1214553,1214746,1215027,1215120,1215157,1215412,1215514,1216411,1216661,CVE-2023-34049

Maintenance update for SUSE Manager 4.3.9 Release Notes:

This is a codestream only update

The following package changes have been done:

- release-notes-susemanager-proxy-4.3.9-150400.3.69.1 updated
- apache2-mod_wsgi-4.7.1-150400.3.7.7 updated
- spacewalk-backend-4.3.24-150400.3.30.16 updated
- python3-spacewalk-client-tools-4.3.16-150400.3.18.13 updated
- spacewalk-client-tools-4.3.16-150400.3.18.13 updated

From sle-container-updates at lists.suse.com Tue Nov 14 08:02:04 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 14 Nov 2023 09:02:04 +0100 (CET)
Subject: SUSE-CU-2023:3702-1: Security update of suse/registry
Message-ID: <20231114080204.4DD96FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3702-1
Container Tags : suse/registry:2.8 , suse/registry:2.8-15.12 , suse/registry:latest
Container Release : 15.12
Severity : important
Type : security
References : 1207399 1214357 1216424 CVE-2023-31122
-----------------------------------------------------------------

The container suse/registry was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4430-1
Released: Mon Nov 13 17:55:09 2023
Summary: Security update for apache2
Type: security
Severity: important
References: 1207399,1214357,1216424,CVE-2023-31122

This update for apache2 fixes the following issues:

- CVE-2023-31122: Fixed an out of bounds read in mod_macro (bsc#1216424).

Non-security fixes:

- Fixed the content type handling in mod_proxy_http2 (bsc#1214357).
- Fixed a floating point exception crash (bsc#1207399).

The following package changes have been done:

- apache2-utils-2.4.51-150400.6.14.1 updated

From sle-container-updates at lists.suse.com Tue Nov 14 08:02:23 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Tue, 14 Nov 2023 09:02:23 +0100 (CET)
Subject: SUSE-CU-2023:3704-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20231114080223.E46AFFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3704-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.5 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.5
Container Release : 9.40.5
Severity : important
Type : security
References : 1207399 1214357 1216424 CVE-2023-31122
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4430-1
Released: Mon Nov 13 17:55:09 2023
Summary: Security update for apache2
Type: security
Severity: important
References: 1207399,1214357,1216424,CVE-2023-31122

This update for apache2 fixes the following issues:

- CVE-2023-31122: Fixed an out of bounds read in mod_macro (bsc#1216424).

Non-security fixes:

- Fixed the content type handling in mod_proxy_http2 (bsc#1214357).
- Fixed a floating point exception crash (bsc#1207399).

The following package changes have been done:

- apache2-utils-2.4.51-150400.6.14.1 updated
- apache2-2.4.51-150400.6.14.1 updated
- apache2-prefork-2.4.51-150400.6.14.1 updated

From sle-container-updates at lists.suse.com Wed Nov 15 08:01:02 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 15 Nov 2023 09:01:02 +0100 (CET)
Subject: SUSE-IU-2023:822-1: Security update of suse-sles-15-sp5-chost-byos-v20231113-x86_64-gen2
Message-ID: <20231115080102.535C2FBA9@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20231113-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:822-1
Image Tags : suse-sles-15-sp5-chost-byos-v20231113-x86_64-gen2:20231113
Image Release :
Severity : important
Type : security
References : 1107342 1196647 1201300 1205767 1206480 1206684 1210335 1210557 1211427 1212101 1213915 1214052 1214460 1215215 1215265 1215286 1215313 1215323 1215434 1215891 1215935 1215936 1215968 1216123 1216174 1216268 1216378 CVE-2023-1829 CVE-2023-23559 CVE-2023-4039 CVE-2023-43804 CVE-2023-44487 CVE-2023-45853 CVE-2023-46228 CVE-2023-4692 CVE-2023-4693 CVE-2023-4813
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20231113-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4105-1
Released: Wed Oct 18 08:15:40 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1215215

This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4108-1
Released: Wed Oct 18 11:51:12 2023
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1215968,CVE-2023-43804

This update for python-urllib3 fixes the following issues:

- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4110-1
Released: Wed Oct 18 12:35:26 2023
Summary: Security update for glibc
Type: security
Severity: important
References: 1215286,1215891,CVE-2023-4813

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Also a regression from a previous update was fixed:

- elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4136-1
Released: Thu Oct 19 14:15:02 2023
Summary: Security update for suse-module-tools
Type: security
Severity: important
References: 1205767,1210335,CVE-2023-1829,CVE-2023-23559

This update for suse-module-tools fixes the following issues:

- Update to version 15.5.3:
  - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335).
  - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4138-1
Released: Thu Oct 19 17:15:38 2023
Summary: Recommended update for systemd-rpm-macros
Type: recommended
Severity: moderate
References:

This update for systemd-rpm-macros fixes the following issues:

- Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released: Fri Oct 20 10:06:58 2023
Summary: Recommended update for containerd, runc
Type: recommended
Severity: moderate
References: 1215323

This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4141-1
Released: Fri Oct 20 11:34:44 2023
Summary: Security update for grub2
Type: security
Severity: important
References: 1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693

This update for grub2 fixes the following issues:

Security fixes:

- CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. (bsc#1215936)

Other fixes:

- Fix a boot delay issue in PowerPC PXE boot (bsc#1201300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released: Fri Oct 20 19:27:58 2023
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1215313

This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released: Fri Oct 20 19:33:25 2023
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434

This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released: Mon Oct 23 15:33:03 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:4194-1 Released: Wed Oct 25 11:01:41 2023 Summary: Feature update for python3 Type: feature Severity: low References: This feature update for python3 packages adds the following: - First batch of python3.11 modules (jsc#PED-68) - Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate the new 3.11 versions, these 3 packages have no code changes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4200-1 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4225-1 Released: Fri Oct 27 11:02:14 2023 Summary: Security update for zchunk Type: security Severity: important References: 1216268,CVE-2023-46228 This update for zchunk fixes the following issues: - CVE-2023-46228: Fixed handle overflow errors in malformed zchunk files.
(bsc#1216268) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4268-1 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1215265 This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses *
blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated - containerd-ctr-1.7.7-150000.100.1 updated - containerd-1.7.7-150000.100.1 updated - glibc-locale-base-2.31-150300.63.1 updated - glibc-locale-2.31-150300.63.1 updated - glibc-2.31-150300.63.1 updated - grub2-i386-pc-2.06-150500.29.8.1 updated - grub2-x86_64-efi-2.06-150500.29.8.1 updated - grub2-2.06-150500.29.8.1 updated - kernel-default-5.14.21-150500.55.36.1 updated - libgcc_s1-13.2.1+git7813-150000.1.3.3 updated - libnghttp2-14-1.40.0-150200.12.1 updated - libopenssl1_1-1.1.1l-150500.17.19.1 updated - libpci3-3.5.6-150300.13.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.3.3 updated - libsystemd0-249.16-150400.8.35.5 updated - libtirpc-netconfig-1.3.4-150300.3.20.1 updated - libtirpc3-1.3.4-150300.3.20.1 updated - libudev1-249.16-150400.8.35.5 updated - libz1-1.2.13-150500.4.3.1 updated - libzck1-1.1.16-150400.3.7.1 updated - openssl-1_1-1.1.1l-150500.17.19.1 updated - pciutils-3.5.6-150300.13.6.1 updated - python3-cryptography-3.3.2-150400.20.3 updated - python3-urllib3-1.25.10-150300.4.6.1 updated - runc-1.1.9-150000.52.2 updated - suse-module-tools-15.5.3-150500.3.6.1 updated - systemd-rpm-macros-14-150000.7.36.1 updated - systemd-sysvinit-249.16-150400.8.35.5 updated - systemd-249.16-150400.8.35.5 updated - udev-249.16-150400.8.35.5 
updated From sle-container-updates at lists.suse.com Wed Nov 15 08:01:05 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 15 Nov 2023 09:01:05 +0100 (CET) Subject: SUSE-IU-2023:823-1: Security update of suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64 Message-ID: <20231115080105.F3CCFFBA9@maintenance.suse.de> SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:823-1 Image Tags : suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64:20231113 Image Release : Severity : important Type : security References : 1107342 1196647 1201300 1205767 1206480 1206684 1210335 1210557 1211427 1212101 1213915 1214052 1214460 1215215 1215265 1215286 1215313 1215323 1215434 1215891 1215935 1215936 1215968 1216123 1216174 1216268 1216378 CVE-2023-1829 CVE-2023-23559 CVE-2023-4039 CVE-2023-43804 CVE-2023-44487 CVE-2023-45853 CVE-2023-46228 CVE-2023-4692 CVE-2023-4693 CVE-2023-4813 ----------------------------------------------------------------- The container suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4105-1 Released: Wed Oct 18 08:15:40 2023 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1215215 This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4108-1 Released: Wed Oct 18 11:51:12 2023 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1215968,CVE-2023-43804 This update for python-urllib3 fixes the following issues: - CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4110-1 Released: Wed Oct 18 12:35:26 2023 Summary: Security update for glibc Type: security Severity: important References: 1215286,1215891,CVE-2023-4813 This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Also a regression from a previous update was fixed: - elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4136-1 Released: Thu Oct 19 14:15:02 2023 Summary: Security update for suse-module-tools Type: security Severity: important References: 1205767,1210335,CVE-2023-1829,CVE-2023-23559 This update for suse-module-tools fixes the following issues: - Update to version 15.5.3: - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335). - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4138-1 Released: Thu Oct 19 17:15:38 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: This update for systemd-rpm-macros fixes the following issues: - Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4139-1 Released: Fri Oct 20 10:06:58 2023 Summary: Recommended update for containerd, runc Type: recommended Severity: moderate References: 1215323 This update for containerd, runc fixes the following issues: runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9 containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes: - https://github.com/containerd/containerd/releases/tag/v1.7.7 - https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4141-1 Released: Fri Oct 20 11:34:44 2023 Summary: Security update for grub2 Type: security Severity: important References: 1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693 This update for grub2 fixes the following issues: Security fixes: - CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935) - CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. 
(bsc#1215936) Other fixes: - Fix a boot delay issue in PowerPC PXE boot (bsc#1201300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4153-1 Released: Fri Oct 20 19:27:58 2023 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1215313 This update for systemd fixes the following issues: - Fix mismatch of nss-resolve version in Package Hub (no source code changes) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4154-1 Released: Fri Oct 20 19:33:25 2023 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1107342,1215434 This update for aaa_base fixes the following issues: - Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4162-1 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:4194-1 Released: Wed Oct 25 11:01:41 2023 Summary: Feature update for python3 Type: feature Severity: low References: This feature update for python3 packages adds the following: - First batch of python3.11 modules (jsc#PED-68) - Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate the new 3.11 versions, these 3 packages have no code changes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4200-1 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4225-1 Released: Fri Oct 27 11:02:14 2023 Summary: Security update for zchunk Type: security Severity: important References: 1216268,CVE-2023-46228 This update for zchunk fixes the following issues: - CVE-2023-46228: Fixed handle overflow errors in malformed zchunk files.
(bsc#1216268) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4268-1 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1215265 This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses *
blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated - containerd-ctr-1.7.7-150000.100.1 updated - containerd-1.7.7-150000.100.1 updated - glibc-locale-base-2.31-150300.63.1 updated - glibc-locale-2.31-150300.63.1 updated - glibc-2.31-150300.63.1 updated - grub2-i386-pc-2.06-150500.29.8.1 updated - grub2-x86_64-efi-2.06-150500.29.8.1 updated - grub2-x86_64-xen-2.06-150500.29.8.1 updated - grub2-2.06-150500.29.8.1 updated - kernel-default-5.14.21-150500.55.36.1 updated - libgcc_s1-13.2.1+git7813-150000.1.3.3 updated - libnghttp2-14-1.40.0-150200.12.1 updated - libopenssl1_1-1.1.1l-150500.17.19.1 updated - libpci3-3.5.6-150300.13.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.3.3 updated - libsystemd0-249.16-150400.8.35.5 updated - libtirpc-netconfig-1.3.4-150300.3.20.1 updated - libtirpc3-1.3.4-150300.3.20.1 updated - libudev1-249.16-150400.8.35.5 updated - libz1-1.2.13-150500.4.3.1 updated - libzck1-1.1.16-150400.3.7.1 updated - openssl-1_1-1.1.1l-150500.17.19.1 updated - pciutils-3.5.6-150300.13.6.1 updated - python3-cryptography-3.3.2-150400.20.3 updated - python3-urllib3-1.25.10-150300.4.6.1 updated - runc-1.1.9-150000.52.2 updated - suse-module-tools-15.5.3-150500.3.6.1 updated - systemd-rpm-macros-14-150000.7.36.1 updated - systemd-sysvinit-249.16-150400.8.35.5 updated - 
systemd-249.16-150400.8.35.5 updated - udev-249.16-150400.8.35.5 updated From sle-container-updates at lists.suse.com Wed Nov 15 08:01:12 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 15 Nov 2023 09:01:12 +0100 (CET) Subject: SUSE-IU-2023:824-1: Security update of sles-15-sp5-chost-byos-v20231113-arm64 Message-ID: <20231115080112.42DBFFBA9@maintenance.suse.de> SUSE Image Update Advisory: sles-15-sp5-chost-byos-v20231113-arm64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:824-1 Image Tags : sles-15-sp5-chost-byos-v20231113-arm64:20231113 Image Release : Severity : important Type : security References : 1107342 1196647 1201300 1205767 1206480 1206684 1210335 1210557 1211427 1212101 1213915 1214052 1214460 1215215 1215265 1215286 1215313 1215323 1215434 1215891 1215935 1215936 1215968 1216123 1216174 1216268 1216378 CVE-2023-1829 CVE-2023-23559 CVE-2023-4039 CVE-2023-43804 CVE-2023-44487 CVE-2023-45853 CVE-2023-46228 CVE-2023-4692 CVE-2023-4693 CVE-2023-4813 ----------------------------------------------------------------- The container sles-15-sp5-chost-byos-v20231113-arm64 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4105-1 Released: Wed Oct 18 08:15:40 2023 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1215215 This update for openssl-1_1 fixes the following issues: - Displays 'fips' in the version string (bsc#1215215) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4108-1 Released: Wed Oct 18 11:51:12 2023 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1215968,CVE-2023-43804 This update for python-urllib3 fixes the following issues: - CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4110-1 Released: Wed Oct 18 12:35:26 2023 Summary: Security update for glibc Type: security Severity: important References: 1215286,1215891,CVE-2023-4813 This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931) Also a regression from a previous update was fixed: - elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4136-1 Released: Thu Oct 19 14:15:02 2023 Summary: Security update for suse-module-tools Type: security Severity: important References: 1205767,1210335,CVE-2023-1829,CVE-2023-23559 This update for suse-module-tools fixes the following issues: - Update to version 15.5.3: - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335). - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4138-1 Released: Thu Oct 19 17:15:38 2023 Summary: Recommended update for systemd-rpm-macros Type: recommended Severity: moderate References: This update for systemd-rpm-macros fixes the following issues: - Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4139-1 Released: Fri Oct 20 10:06:58 2023 Summary: Recommended update for containerd, runc Type: recommended Severity: moderate References: 1215323 This update for containerd, runc fixes the following issues: runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9 containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes: - https://github.com/containerd/containerd/releases/tag/v1.7.7 - https://github.com/containerd/containerd/releases/tag/v1.7.6 bsc#1215323 - Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4141-1 Released: Fri Oct 20 11:34:44 2023 Summary: Security update for grub2 Type: security Severity: important References: 1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693 This update for grub2 fixes the following issues: Security fixes: - CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935) - CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. 
(bsc#1215936) Other fixes: - Fix a boot delay issue in PowerPC PXE boot (bsc#1201300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4153-1 Released: Fri Oct 20 19:27:58 2023 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1215313 This update for systemd fixes the following issues: - Fix mismatch of nss-resolve version in Package Hub (no source code changes) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4154-1 Released: Fri Oct 20 19:33:25 2023 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1107342,1215434 This update for aaa_base fixes the following issues: - Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4162-1 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture.
PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:4194-1 Released: Wed Oct 25 11:01:41 2023 Summary: Feature update for python3 Type: feature Severity: low References: This feature update for python3 packages adds the following: - First batch of python3.11 modules (jsc#PED-68) - Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate the new 3.11 versions, these 3 packages have no code changes. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4200-1 Released: Wed Oct 25 12:04:29 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4215-1 Released: Thu Oct 26 12:19:25 2023 Summary: Security update for zlib Type: security Severity: moderate References: 1216378,CVE-2023-45853 This update for zlib fixes the following issues: - CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4225-1 Released: Fri Oct 27 11:02:14 2023 Summary: Security update for zchunk Type: security Severity: important References: 1216268,CVE-2023-46228 This update for zchunk fixes the following issues: - CVE-2023-46228: Fixed handle overflow errors in malformed zchunk files.
(bsc#1216268) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4268-1 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1215265 This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses *
blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated - containerd-ctr-1.7.7-150000.100.1 updated - containerd-1.7.7-150000.100.1 updated - glibc-locale-base-2.31-150300.63.1 updated - glibc-locale-2.31-150300.63.1 updated - glibc-2.31-150300.63.1 updated - grub2-i386-pc-2.06-150500.29.8.1 updated - grub2-x86_64-efi-2.06-150500.29.8.1 updated - grub2-2.06-150500.29.8.1 updated - kernel-default-5.14.21-150500.55.36.1 updated - libgcc_s1-13.2.1+git7813-150000.1.3.3 updated - libnghttp2-14-1.40.0-150200.12.1 updated - libopenssl1_1-1.1.1l-150500.17.19.1 updated - libpci3-3.5.6-150300.13.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.3.3 updated - libsystemd0-249.16-150400.8.35.5 updated - libtirpc-netconfig-1.3.4-150300.3.20.1 updated - libtirpc3-1.3.4-150300.3.20.1 updated - libudev1-249.16-150400.8.35.5 updated - libz1-1.2.13-150500.4.3.1 updated - libzck1-1.1.16-150400.3.7.1 updated - openssl-1_1-1.1.1l-150500.17.19.1 updated - pciutils-3.5.6-150300.13.6.1 updated - python3-cryptography-3.3.2-150400.20.3 updated - python3-urllib3-1.25.10-150300.4.6.1 updated - runc-1.1.9-150000.52.2 updated - suse-module-tools-15.5.3-150500.3.6.1 updated - systemd-rpm-macros-14-150000.7.36.1 updated - systemd-sysvinit-249.16-150400.8.35.5 updated - systemd-249.16-150400.8.35.5 updated - udev-249.16-150400.8.35.5 
updated From sle-container-updates at lists.suse.com Thu Nov 16 08:03:28 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 16 Nov 2023 09:03:28 +0100 (CET) Subject: SUSE-CU-2023:3707-1: Recommended update of suse/389-ds Message-ID: <20231116080328.42540FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3707-1 Container Tags : suse/389-ds:2.2 , suse/389-ds:2.2-16.38 , suse/389-ds:latest Container Release : 16.38 Severity : moderate Type : recommended References : 1209998 ----------------------------------------------------------------- The container suse/389-ds was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) The following package changes have been done: - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - container:sles15-image-15.0.0-36.5.53 updated From sle-container-updates at lists.suse.com Thu Nov 16 08:03:36 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 16 Nov 2023 09:03:36 +0100 (CET) Subject: SUSE-CU-2023:3708-1: Recommended update of suse/registry Message-ID: 
<20231116080336.07969FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3708-1
Container Tags : suse/registry:2.8 , suse/registry:2.8-15.13 , suse/registry:latest
Container Release : 15.13
Severity : moderate
Type : recommended
References : 1209998
-----------------------------------------------------------------

The container suse/registry was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated

From sle-container-updates at lists.suse.com Thu Nov 16 08:03:38 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 16 Nov 2023 09:03:38 +0100 (CET)
Subject: SUSE-CU-2023:3709-1: Recommended update of suse/helm
Message-ID: <20231116080338.99117FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3709-1
Container Tags : suse/helm:3.13 , suse/helm:3.13-3.11 , suse/helm:latest
Container Release : 3.11
Severity : moderate
Type : recommended
References : 1209998
-----------------------------------------------------------------

The container suse/helm was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 08:03:34 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 09:03:34 +0100 (CET)
Subject: SUSE-CU-2023:3717-1: Security update of suse/manager/4.3/proxy-tftpd
Message-ID: <20231117080334.BBECCFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3717-1
Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.5 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.5
Container Release : 9.30.5
Severity : moderate
Type : security
References : 1216377 CVE-2023-45803
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4467-1
Released: Thu Nov 16 17:57:51 2023
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1216377,CVE-2023-45803

This update for python-urllib3 fixes the following issues:

- CVE-2023-45803: Fix a request body leak that could occur when receiving a 303 HTTP response (bsc#1216377).

The following package changes have been done:

- python3-urllib3-1.25.10-150300.4.9.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 08:50:41 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 09:50:41 +0100 (CET)
Subject: SUSE-CU-2023:3719-1: Security update of suse/rmt-server
Message-ID: <20231117085041.1BD33FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/rmt-server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3719-1
Container Tags : suse/rmt-server:2.14 , suse/rmt-server:2.14-11.32 , suse/rmt-server:latest
Container Release : 11.32
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/rmt-server was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:31:52 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:31:52 +0100 (CET)
Subject: SUSE-CU-2023:3720-1: Security update of suse/sle15
Message-ID: <20231117123152.60A11FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3720-1
Container Tags : bci/bci-base:15.3 , bci/bci-base:15.3.17.20.212 , suse/sle15:15.3 , suse/sle15:15.3.17.20.212
Container Release : 17.20.212
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 CVE-2023-4039 CVE-2023-45322
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released: Thu Nov 16 17:56:12 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libxml2-2-2.9.7-150000.3.63.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:32:43 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:32:43 +0100 (CET)
Subject: SUSE-CU-2023:3721-1: Security update of bci/bci-init
Message-ID: <20231117123243.2C224FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3721-1
Container Tags : bci/bci-init:15.4 , bci/bci-init:15.4.30.25
Container Release : 30.25
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-init was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:32:58 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:32:58 +0100 (CET)
Subject: SUSE-CU-2023:3722-1: Security update of bci/bci-micro
Message-ID: <20231117123258.69BE2FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-micro
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3722-1
Container Tags : bci/bci-micro:15.4 , bci/bci-micro:15.4.23.4
Container Release : 23.4
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-micro was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:33:14 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:33:14 +0100 (CET)
Subject: SUSE-CU-2023:3723-1: Security update of bci/bci-minimal
Message-ID: <20231117123314.7293CFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-minimal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3723-1
Container Tags : bci/bci-minimal:15.4 , bci/bci-minimal:15.4.24.13
Container Release : 24.13
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-minimal was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.4.0-23.4 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:33:50 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:33:50 +0100 (CET)
Subject: SUSE-CU-2023:3724-1: Security update of bci/nodejs
Message-ID: <20231117123350.9A456FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3724-1
Container Tags : bci/node:16 , bci/node:16-18.21 , bci/nodejs:16 , bci/nodejs:16-18.21
Container Release : 18.21
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:34:57 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:34:57 +0100 (CET)
Subject: SUSE-CU-2023:3725-1: Security update of suse/pcp
Message-ID: <20231117123457.98867FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3725-1
Container Tags : suse/pcp:5 , suse/pcp:5-17.185 , suse/pcp:5.2 , suse/pcp:5.2-17.185 , suse/pcp:5.2.5 , suse/pcp:5.2.5-17.185
Container Release : 17.185
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/pcp was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:bci-bci-init-15.4-15.4-30.25 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:35:15 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:35:15 +0100 (CET)
Subject: SUSE-CU-2023:3726-1: Security update of suse/postgres
Message-ID: <20231117123515.64C99FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3726-1
Container Tags : suse/postgres:14 , suse/postgres:14-24.9 , suse/postgres:14.9 , suse/postgres:14.9-24.9
Container Release : 24.9
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/postgres was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:36:06 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:36:06 +0100 (CET)
Subject: SUSE-CU-2023:3727-1: Security update of bci/python
Message-ID: <20231117123606.9FEC6FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3727-1
Container Tags : bci/python:3 , bci/python:3-16.23 , bci/python:3.10 , bci/python:3.10-16.23
Container Release : 16.23
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:36:47 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:36:47 +0100 (CET)
Subject: SUSE-CU-2023:3728-1: Security update of suse/sle15
Message-ID: <20231117123647.9A6C9FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3728-1
Container Tags : bci/bci-base:15.4 , bci/bci-base:15.4.27.14.118 , suse/sle15:15.4 , suse/sle15:15.4.27.14.118
Container Release : 27.14.118
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:37:04 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:37:04 +0100 (CET)
Subject: SUSE-CU-2023:3729-1: Security update of suse/389-ds
Message-ID: <20231117123704.63867FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3729-1
Container Tags : suse/389-ds:2.2 , suse/389-ds:2.2-16.40 , suse/389-ds:latest
Container Release : 16.40
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/389-ds was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:37:22 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:37:22 +0100 (CET)
Subject: SUSE-CU-2023:3730-1: Security update of bci/dotnet-aspnet
Message-ID: <20231117123722.5B2ACFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3730-1
Container Tags : bci/dotnet-aspnet:6.0 , bci/dotnet-aspnet:6.0-17.11 , bci/dotnet-aspnet:6.0.24 , bci/dotnet-aspnet:6.0.24-17.11
Container Release : 17.11
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:37:42 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:37:42 +0100 (CET)
Subject: SUSE-CU-2023:3731-1: Security update of bci/dotnet-aspnet
Message-ID: <20231117123742.39408FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-aspnet
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3731-1
Container Tags : bci/dotnet-aspnet:7.0 , bci/dotnet-aspnet:7.0-17.11 , bci/dotnet-aspnet:7.0.13 , bci/dotnet-aspnet:7.0.13-17.11 , bci/dotnet-aspnet:latest
Container Release : 17.11
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-aspnet was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:38:05 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:38:05 +0100 (CET)
Subject: SUSE-CU-2023:3732-1: Security update of bci/dotnet-sdk
Message-ID: <20231117123805.03C01FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3732-1
Container Tags : bci/dotnet-sdk:6.0 , bci/dotnet-sdk:6.0-16.11 , bci/dotnet-sdk:6.0.24 , bci/dotnet-sdk:6.0.24-16.11
Container Release : 16.11
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:38:29 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:38:29 +0100 (CET)
Subject: SUSE-CU-2023:3733-1: Security update of bci/dotnet-sdk
Message-ID: <20231117123829.492C1FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-sdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3733-1
Container Tags : bci/dotnet-sdk:7.0 , bci/dotnet-sdk:7.0-18.10 , bci/dotnet-sdk:7.0.13 , bci/dotnet-sdk:7.0.13-18.10 , bci/dotnet-sdk:latest
Container Release : 18.10
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-sdk was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:38:50 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:38:50 +0100 (CET)
Subject: SUSE-CU-2023:3734-1: Security update of bci/dotnet-runtime
Message-ID: <20231117123850.651ADFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3734-1
Container Tags : bci/dotnet-runtime:7.0 , bci/dotnet-runtime:7.0-18.11 , bci/dotnet-runtime:7.0.13 , bci/dotnet-runtime:7.0.13-18.11 , bci/dotnet-runtime:latest
Container Release : 18.11
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:38:57 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:38:57 +0100 (CET)
Subject: SUSE-CU-2023:3735-1: Security update of suse/git
Message-ID: <20231117123857.2267FFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/git
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3735-1
Container Tags : suse/git:2.35 , suse/git:2.35-4.14 , suse/git:latest
Container Release : 4.14
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/git was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.5.0-12.4 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:39:12 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:39:12 +0100 (CET)
Subject: SUSE-CU-2023:3736-1: Security update of bci/golang
Message-ID: <20231117123912.31E0EFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3736-1
Container Tags : bci/golang:1.20 , bci/golang:1.20-2.4.41 , bci/golang:oldstable , bci/golang:oldstable-2.4.41
Container Release : 4.41
Severity : important
Type : security
References : 1206346 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 1216943 1216944 CVE-2023-4039 CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4470-1
Released: Thu Nov 16 19:00:15 2023
Summary: Security update for go1.20
Type: security
Severity: moderate
References: 1206346,1216943,1216944,CVE-2023-45283,CVE-2023-45284

This update for go1.20 fixes the following issues:

go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package.
* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* cmd/link: split text sections for arm 32-bit
* net/http: http2 page fails on firefox/safari if pushing resources

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- go1.20-doc-1.20.11-150000.1.32.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- go1.20-1.20.11-150000.1.32.1 updated
- go1.20-race-1.20.11-150000.1.32.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:39:21 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:39:21 +0100 (CET)
Subject: SUSE-CU-2023:3737-1: Security update of bci/golang
Message-ID: <20231117123921.20A58FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3737-1
Container Tags : bci/golang:1.19-openssl , bci/golang:1.19-openssl-7.40 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-7.40
Container Release : 7.40
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:39:39 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:39:39 +0100 (CET)
Subject: SUSE-CU-2023:3738-1: Security update of bci/golang
Message-ID: <20231117123939.8AB96FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3738-1
Container Tags : bci/golang:1.21 , bci/golang:1.21-1.4.39 , bci/golang:latest , bci/golang:stable , bci/golang:stable-1.4.39
Container Release : 4.39
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1212475 1213915 1214052 1214460 1215427 1216664 1216943 1216944 CVE-2023-4039 CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4471-1
Released: Thu Nov 16 19:00:52 2023
Summary: Security update for go1.21
Type: security
Severity: moderate
References: 1212475,1216943,1216944,CVE-2023-45283,CVE-2023-45284

This update for go1.21 fixes the following issues:

go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages.

* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* spec: update unification rules
* cmd/compile: internal compiler error: expected struct value to have type struct
* cmd/link: split text sections for arm 32-bit
* runtime: MADV_COLLAPSE causes production performance issues on Linux
* go/types, x/tools/go/ssa: panic: type param without replacement encountered
* cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64
* net/http: http2 page fails on firefox/safari if pushing resources

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- go1.21-doc-1.21.4-150000.1.15.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- go1.21-1.21.4-150000.1.15.1 updated
- go1.21-race-1.21.4-150000.1.15.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:39:47 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:39:47 +0100 (CET)
Subject: SUSE-CU-2023:3739-1: Security update of bci/golang
Message-ID: <20231117123947.8A3A2FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3739-1
Container Tags : bci/golang:1.20-openssl , bci/golang:1.20-openssl-7.36 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-7.36
Container Release : 7.36
Severity : important
Type : security
References : 1206346 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1215985 1216109 1216664 1216943 1216944 CVE-2023-39323 CVE-2023-39325 CVE-2023-4039 CVE-2023-44487 CVE-2023-45283 CVE-2023-45284
-----------------------------------------------------------------

The container bci/golang was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4472-1
Released: Thu Nov 16 19:01:27 2023
Summary: Security update for go1.20-openssl
Type: security
Severity: important
References: 1206346,1215985,1216109,1216943,1216944,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284

This update for go1.20-openssl fixes the following issues:

Update to version 1.20.11.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.11-1-openssl-fips.

* Update to go1.20.11

go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package.
* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944)
* cmd/link: split text sections for arm 32-bit
* net/http: http2 page fails on firefox/safari if pushing resources

Update to version 1.20.10.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.10-1-openssl-fips.

* Update to go1.20.10

go1.20.10 (released 2023-10-10) includes a security fix to the net/http package.

* security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (bsc#1216109)

go1.20.9 (released 2023-10-05) includes one security fix to the cmd/go package, as well as bug fixes to the go command and the linker.

* security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (bsc#1215985)
* cmd/link: issues with Apple's new linker in Xcode 15 beta

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- go1.20-openssl-doc-1.20.11.1-150000.1.14.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- go1.20-openssl-1.20.11.1-150000.1.14.1 updated
- go1.20-openssl-race-1.20.11.1-150000.1.14.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:39:53 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:39:53 +0100 (CET)
Subject: SUSE-CU-2023:3740-1: Security update of suse/helm
Message-ID: <20231117123953.D3F8BFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3740-1
Container Tags : suse/helm:3.13 , suse/helm:3.13-3.13 ,
suse/helm:latest
Container Release : 3.13
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/helm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross.
  [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.5.0-12.4 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:03 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:03 +0100 (CET)
Subject: SUSE-CU-2023:3740-1: Security update of suse/helm
Message-ID: <20231117124203.4138FFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3740-1
Container Tags : suse/helm:3.13 , suse/helm:3.13-3.13 , suse/helm:latest
Container Release : 3.13
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/helm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.5.0-12.4 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:16 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:16 +0100 (CET)
Subject: SUSE-CU-2023:3741-1: Security update of bci/bci-init
Message-ID: <20231117124216.4093FFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-init
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3741-1
Container Tags : bci/bci-init:15.5 , bci/bci-init:15.5.10.33 , bci/bci-init:latest
Container Release : 10.33
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-init was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:21 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:21 +0100 (CET)
Subject: SUSE-CU-2023:3742-1: Security update of bci/bci-micro
Message-ID: <20231117124221.3D24CFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-micro
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3742-1
Container Tags : bci/bci-micro:15.5 , bci/bci-micro:15.5.12.4 , bci/bci-micro:latest
Container Release : 12.4
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-micro was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:27 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:27 +0100 (CET)
Subject: SUSE-CU-2023:3743-1: Security update of bci/bci-minimal
Message-ID: <20231117124227.63BDFFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/bci-minimal
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3743-1
Container Tags : bci/bci-minimal:15.5 , bci/bci-minimal:15.5.13.12 , bci/bci-minimal:latest
Container Release : 13.12
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/bci-minimal was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.5.0-12.4 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:37 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:37 +0100 (CET)
Subject: SUSE-CU-2023:3744-1: Security update of suse/nginx
Message-ID: <20231117124237.3E716FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/nginx
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3744-1
Container Tags : suse/nginx:1.21 , suse/nginx:1.21-5.33 , suse/nginx:latest
Container Release : 5.33
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/nginx was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:42:53 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:42:53 +0100 (CET)
Subject: SUSE-CU-2023:3745-1: Security update of bci/nodejs
Message-ID: <20231117124253.8BBC7FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/nodejs
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3745-1
Container Tags : bci/node:18 , bci/node:18-11.35 , bci/node:latest , bci/nodejs:18 , bci/nodejs:18-11.35 , bci/nodejs:latest
Container Release : 11.35
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/nodejs was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:43:12 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:43:12 +0100 (CET)
Subject: SUSE-CU-2023:3746-1: Security update of bci/openjdk-devel
Message-ID: <20231117124312.63C8EFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3746-1
Container Tags : bci/openjdk-devel:11 , bci/openjdk-devel:11-10.75
Container Release : 10.75
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- container:bci-openjdk-11-15.5.11-11.36 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:43:26 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:43:26 +0100 (CET)
Subject: SUSE-CU-2023:3747-1: Security update of bci/openjdk
Message-ID: <20231117124326.BDA46FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3747-1
Container Tags : bci/openjdk:11 , bci/openjdk:11-11.36
Container Release : 11.36
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/openjdk was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:43:43 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:43:43 +0100 (CET)
Subject: SUSE-CU-2023:3748-1: Security update of bci/openjdk-devel
Message-ID: <20231117124343.8ECE5FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3748-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17-12.69 , bci/openjdk-devel:latest
Container Release : 12.69
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - container:bci-openjdk-17-15.5.17-12.34 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:43:59 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:43:59 +0100 (CET) Subject: SUSE-CU-2023:3749-1: Security update of bci/openjdk Message-ID: <20231117124359.7517DFBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/openjdk ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3749-1 Container Tags : bci/openjdk:17 , bci/openjdk:17-12.34 , bci/openjdk:latest Container Release : 12.34 Severity : important Type : security References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039 ----------------------------------------------------------------- The container bci/openjdk was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - container:sles15-image-15.0.0-36.5.54 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:44:15 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:44:15 +0100 (CET) Subject: SUSE-CU-2023:3750-1: Security update of suse/pcp Message-ID: <20231117124415.A4A35FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3750-1 Container Tags : suse/pcp:5 , suse/pcp:5-15.58 , suse/pcp:5.2 , suse/pcp:5.2-15.58 , suse/pcp:5.2.5 , suse/pcp:5.2.5-15.58 , suse/pcp:latest Container Release : 15.58 Severity : important Type : security References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039 ----------------------------------------------------------------- The container suse/pcp was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone.
[bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - container:bci-bci-init-15.5-15.5-10.33 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:44:29 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:44:29 +0100 (CET) Subject: SUSE-CU-2023:3751-1: Security update of bci/php-apache Message-ID: <20231117124429.382E7FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/php-apache ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3751-1 Container Tags : bci/php-apache:8 , bci/php-apache:8-8.32 Container Release : 8.32 Severity : important Type : security References : 1206480 1206684 1207399 1209998 1210557 1211427 1212101 1213915 1214052 1214357 1214460 1215427 1216424 1216664 CVE-2023-31122 CVE-2023-4039 ----------------------------------------------------------------- The container bci/php-apache was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4430-1 Released: Mon Nov 13 17:55:09 2023 Summary: Security update for apache2 Type: security Severity: important References: 1207399,1214357,1216424,CVE-2023-31122 This update for apache2 fixes the following issues: - CVE-2023-31122: Fixed an out of bounds read in mod_macro (bsc#1216424). Non-security fixes: - Fixed the content type handling in mod_proxy_http2 (bsc#1214357). - Fixed a floating point exception crash (bsc#1207399). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations.
(bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - apache2-utils-2.4.51-150400.6.14.1 updated - apache2-2.4.51-150400.6.14.1 updated - apache2-prefork-2.4.51-150400.6.14.1 updated - container:sles15-image-15.0.0-36.5.54 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:44:43 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:44:43 +0100 (CET) Subject: SUSE-CU-2023:3752-1: Security update of bci/php-fpm Message-ID: <20231117124443.F2DF8FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/php-fpm ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3752-1 Container Tags : bci/php-fpm:8 , bci/php-fpm:8-8.34 Container Release : 8.34 Severity : important Type : security References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039 ----------------------------------------------------------------- The container bci/php-fpm was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - container:sles15-image-15.0.0-36.5.54 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:44:56 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:44:56 +0100 (CET) Subject: SUSE-CU-2023:3753-1: Security update of bci/php Message-ID: <20231117124456.4742EFBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/php ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3753-1 Container Tags : bci/php:8 , bci/php:8-8.30 Container Release : 8.30 Severity : important Type : security References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039 ----------------------------------------------------------------- The container bci/php was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - crypto-policies-20210917.c9d86d1-150400.3.6.1 updated - container:sles15-image-15.0.0-36.5.54 updated From sle-container-updates at lists.suse.com Fri Nov 17 12:45:08 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 17 Nov 2023 13:45:08 +0100 (CET) Subject: SUSE-CU-2023:3754-1: Security update of suse/postgres Message-ID: <20231117124508.86EBDFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3754-1 Container Tags : suse/postgres:15 , suse/postgres:15-12.11 , suse/postgres:15.4 , suse/postgres:15.4-12.11 , suse/postgres:latest Container Release : 12.11 Severity : important Type : security References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039 ----------------------------------------------------------------- The container suse/postgres was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone.
[bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. [bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:45:22 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:45:22 +0100 (CET)
Subject: SUSE-CU-2023:3755-1: Security update of bci/python
Message-ID: <20231117124522.E2253FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3755-1
Container Tags : bci/python:3 , bci/python:3-12.27 , bci/python:3.11 , bci/python:3.11-12.27 , bci/python:latest
Container Release : 12.27
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:45:39 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:45:39 +0100 (CET)
Subject: SUSE-CU-2023:3756-1: Security update of bci/python
Message-ID: <20231117124539.13F9DFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3756-1
Container Tags : bci/python:3 , bci/python:3-14.27 , bci/python:3.6 , bci/python:3.6-14.27
Container Release : 14.27
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/python was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:45:49 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:45:49 +0100 (CET)
Subject: SUSE-CU-2023:3757-1: Security update of bci/ruby
Message-ID: <20231117124549.C3CE8FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3757-1
Container Tags : bci/ruby:2 , bci/ruby:2-12.31 , bci/ruby:2.5 , bci/ruby:2.5-12.31 , bci/ruby:latest
Container Release : 12.31
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/ruby was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:46:05 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:46:05 +0100 (CET)
Subject: SUSE-CU-2023:3758-1: Security update of bci/rust
Message-ID: <20231117124605.1642EFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3758-1
Container Tags : bci/rust:1.72 , bci/rust:1.72-2.2.23 , bci/rust:oldstable , bci/rust:oldstable-2.2.23
Container Release : 2.23
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono.
  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libasan8-13.2.1+git7813-150000.1.6.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- libtsan2-13.2.1+git7813-150000.1.6.1 updated
- libubsan1-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:46:19 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:46:19 +0100 (CET)
Subject: SUSE-CU-2023:3759-1: Security update of bci/rust
Message-ID: <20231117124619.6357BFBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/rust
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3759-1
Container Tags : bci/rust:1.73 , bci/rust:1.73-1.2.22 , bci/rust:latest , bci/rust:stable ,
  bci/rust:stable-1.2.22
Container Release : 2.22
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/rust was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libasan8-13.2.1+git7813-150000.1.6.1 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- libtsan2-13.2.1+git7813-150000.1.6.1 updated
- libubsan1-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Fri Nov 17 12:46:31 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 13:46:31 +0100 (CET)
Subject: SUSE-CU-2023:3760-1: Security update of suse/sle15
Message-ID: <20231117124631.5BCD6FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3760-1
Container Tags : bci/bci-base:15.5 , bci/bci-base:15.5.36.5.54 , suse/sle15:15.5 , suse/sle15:15.5.36.5.54
Container Release : 36.5.54
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Fri Nov 17 13:01:33 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Fri, 17 Nov 2023 14:01:33 +0100 (CET)
Subject: SUSE-CU-2023:3760-1: Security update of suse/sle15
Message-ID: <20231117130133.F0970FBAC@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3760-1
Container Tags : bci/bci-base:15.5 , bci/bci-base:15.5.36.5.54 , suse/sle15:15.5 , suse/sle15:15.5.36.5.54
Container Release : 36.5.54
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:02:47 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:02:47 +0100 (CET)
Subject: SUSE-CU-2023:3762-1: Security update of suse/sle-micro/5.3/toolbox
Message-ID: <20231118080247.D281BFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3762-1
Container Tags : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.255 , suse/sle-micro/5.3/toolbox:latest
Container Release : 5.2.255
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle-micro/5.3/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:03:42 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:03:42 +0100 (CET)
Subject: SUSE-CU-2023:3764-1: Security update of suse/sle-micro/5.4/toolbox
Message-ID: <20231118080342.3171CFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3764-1
Container Tags : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.152 , suse/sle-micro/5.4/toolbox:latest
Container Release : 4.2.152
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle-micro/5.4/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-27.14.118 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:03:51 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:03:51 +0100 (CET)
Subject: SUSE-CU-2023:3765-1: Security update of suse/sle-micro/5.5/toolbox
Message-ID: <20231118080351.A988CFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3765-1
Container Tags : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.97 , suse/sle-micro/5.5/toolbox:latest
Container Release : 2.2.97
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/sle-micro/5.5/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:04:24 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:04:24 +0100 (CET)
Subject: SUSE-CU-2023:3766-1: Security update of suse/registry
Message-ID: <20231118080424.0C1B1FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/registry
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3766-1
Container Tags : suse/registry:2.8 , suse/registry:2.8-15.16 , suse/registry:latest
Container Release : 15.16
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/registry was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:micro-image-15.5.0-12.4 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:04:34 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:04:34 +0100 (CET)
Subject: SUSE-CU-2023:3767-1: Security update of bci/dotnet-runtime
Message-ID: <20231118080434.5A7F3FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3767-1
Container Tags : bci/dotnet-runtime:6.0 , bci/dotnet-runtime:6.0-16.10 , bci/dotnet-runtime:6.0.24 , bci/dotnet-runtime:6.0.24-16.10
Container Release : 16.10
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:sles15-image-15.0.0-36.5.54 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:04:43 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:04:43 +0100 (CET)
Subject: SUSE-CU-2023:3768-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20231118080443.82A52FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3768-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.7 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.7
Container Release : 9.40.7
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:04:48 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:04:48 +0100 (CET)
Subject: SUSE-CU-2023:3769-1: Security update of suse/manager/4.3/proxy-salt-broker
Message-ID: <20231118080448.9DC80FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3769-1
Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.9 , suse/manager/4.3/proxy-salt-broker:4.3.9.9.30.7 , suse/manager/4.3/proxy-salt-broker:latest , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9 , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9.9.30.7
Container Release : 9.30.7
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-salt-broker was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:04:55 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:04:55 +0100 (CET)
Subject: SUSE-CU-2023:3770-1: Security update of suse/manager/4.3/proxy-squid
Message-ID: <20231118080455.03171FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-squid
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3770-1
Container Tags : suse/manager/4.3/proxy-squid:4.3.9 , suse/manager/4.3/proxy-squid:4.3.9.9.39.5 , suse/manager/4.3/proxy-squid:latest , suse/manager/4.3/proxy-squid:susemanager-4.3.9 , suse/manager/4.3/proxy-squid:susemanager-4.3.9.9.39.5
Container Release : 9.39.5
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-squid was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:05:00 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:05:00 +0100 (CET)
Subject: SUSE-CU-2023:3771-1: Security update of suse/manager/4.3/proxy-ssh
Message-ID: <20231118080500.637D7FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3771-1
Container Tags : suse/manager/4.3/proxy-ssh:4.3.9 , suse/manager/4.3/proxy-ssh:4.3.9.9.30.5 , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.9 , suse/manager/4.3/proxy-ssh:susemanager-4.3.9.9.30.5
Container Release : 9.30.5
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono.
  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:05:06 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:05:06 +0100 (CET)
Subject: SUSE-CU-2023:3772-1: Security update of suse/manager/4.3/proxy-tftpd
Message-ID: <20231118080506.1BF3EFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3772-1
Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.6 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.6
Container Release : 9.30.6
Severity : important
Type : security
References : 1206480 1206684 1209998 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-tftpd was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.
For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated

From sle-container-updates at lists.suse.com Sat Nov 18 08:05:31 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sat, 18 Nov 2023 09:05:31 +0100 (CET)
Subject: SUSE-CU-2023:3773-1: Security update of suse/sle-micro/5.2/toolbox
Message-ID: <20231118080531.342E0FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3773-1
Container Tags : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.315 , suse/sle-micro/5.2/toolbox:latest
Container Release : 6.2.315
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 CVE-2023-4039 CVE-2023-45322
-----------------------------------------------------------------

The container suse/sle-micro/5.2/toolbox was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone.
  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released: Thu Nov 16 17:56:12 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libxml2-2-2.9.7-150000.3.63.1 updated
- container:sles15-image-15.0.0-17.20.212 updated

From sle-container-updates at lists.suse.com Sun Nov 19 08:04:19 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Sun, 19 Nov 2023 09:04:19 +0100 (CET)
Subject: SUSE-CU-2023:3774-1: Security update of suse/sle15
Message-ID: <20231119080419.DE86DFBAC@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3774-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.843
Container Release : 6.2.843
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 CVE-2023-4039 CVE-2023-45322
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released: Thu Nov 16 17:56:12 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).
The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - libxml2-2-2.9.7-150000.3.63.1 updated From sle-container-updates at lists.suse.com Sun Nov 19 08:06:06 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 19 Nov 2023 09:06:06 +0100 (CET) Subject: SUSE-CU-2023:3775-1: Security update of suse/sle15 Message-ID: <20231119080606.02DCCFBAC@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3775-1 Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.370 Container Release : 9.5.370 Severity : important Type : security References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 CVE-2023-4039 CVE-2023-45322 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing.
[bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4464-1 Released: Thu Nov 16 17:56:12 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - libxml2-2-2.9.7-150000.3.63.1 updated From sle-container-updates at lists.suse.com Sun Nov 19 08:06:54 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Sun, 19 Nov 2023 09:06:54 +0100 (CET) Subject: SUSE-CU-2023:3776-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20231119080654.32811FBAC@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3776-1 Container Tags : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.493 , suse/sle-micro/5.1/toolbox:latest Container Release : 2.2.493 Severity : important Type : security References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 CVE-2023-4039 CVE-2023-45322 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. - override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing.
[bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4464-1 Released: Thu Nov 16 17:56:12 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libgcc_s1-13.2.1+git7813-150000.1.6.1 updated - libstdc++6-13.2.1+git7813-150000.1.6.1 updated - libxml2-2-2.9.7-150000.3.63.1 updated - container:sles15-image-15.0.0-17.20.212 updated From sle-container-updates at lists.suse.com Tue Nov 21 16:14:31 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 21 Nov 2023 17:14:31 +0100 (CET) Subject: SUSE-CU-2023:3777-1: Security update of suse/sle15 Message-ID: <20231121161431.1E2C0FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3777-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.844 Container Release : 6.2.844 Severity : important Type : security References : 1216123 1216174 CVE-2023-44487 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4492-1 Released: Mon Nov 20 18:59:17 2023 Summary: Security update for nghttp2 Type: security Severity: important References: 1216123,1216174,CVE-2023-44487 This update for nghttp2 fixes the following issues: - CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. 
(bsc#1216174) The following package changes have been done: - libnghttp2-14-1.40.0-150000.3.17.1 updated From sle-container-updates at lists.suse.com Tue Nov 21 16:17:42 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 21 Nov 2023 17:17:42 +0100 (CET) Subject: SUSE-CU-2023:3785-1: Security update of bci/golang Message-ID: <20231121161742.A9652FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3785-1 Container Tags : bci/golang:1.20-openssl , bci/golang:1.20-openssl-8.2 , bci/golang:oldstable-openssl , bci/golang:oldstable-openssl-8.2 Container Release : 8.2 Severity : important Type : security References : 1206346 1206346 1206346 1213229 1213880 1215084 1215085 1215090 1215985 1216109 1216943 1216944 CVE-2023-29406 CVE-2023-29409 CVE-2023-39318 CVE-2023-39319 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487 CVE-2023-45283 CVE-2023-45284 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-OU-2023:2601-1 Released: Wed Jun 21 15:42:34 2023 Summary: Optional update for go1.20-openssl Type: optional Severity: moderate References: This update for go1.20-openssl fixes the following issues: This update delivers a go1.20 1.20.5.2 package built with its cryptography using the system openssl library. (jsc#SLE-18320 jsc#PED-1962) This allows GO binaries built with go1.20-openssl to be operating in FIPS 140-2/3 mode. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3002-1 Released: Thu Jul 27 12:38:13 2023 Summary: Security update for go1.20-openssl Type: security Severity: moderate References: 1206346,1213229,CVE-2023-29406 This update for go1.20-openssl fixes the following issues: Update to version 1.20.6.1 (bsc#1206346): - CVE-2023-29406: Fixed insufficient sanitization of Host header (bsc#1213229). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3840-1 Released: Wed Sep 27 19:34:42 2023 Summary: Security update for go1.20-openssl Type: security Severity: important References: 1206346,1213880,1215084,1215085,1215090,CVE-2023-29409,CVE-2023-39318,CVE-2023-39319 This update for go1.20-openssl fixes the following issues: Update to version 1.20.8 (bsc#1206346). - CVE-2023-29409: Fixed unrestricted RSA keys in certificates (bsc#1213880). - CVE-2023-39319: Fixed improper handling of special tags within script contexts in html/template (bsc#1215085). - CVE-2023-39318: Fixed improper handling of HTML-like comments within script contexts (bsc#1215084). The following non-security bug was fixed: - Add missing directory pprof html asset directory to package (bsc#1215090). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4472-1 Released: Thu Nov 16 19:01:27 2023 Summary: Security update for go1.20-openssl Type: security Severity: important References: 1206346,1215985,1216109,1216943,1216944,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284 This update for go1.20-openssl fixes the following issues: Update to version 1.20.11.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.11-1-openssl-fips. * Update to go1.20.11 go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker and the net/http package. 
* security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944) * cmd/link: split text sections for arm 32-bit * net/http: http2 page fails on firefox/safari if pushing resources Update to version 1.20.10.1 cut from the go1.20-openssl-fips branch at the revision tagged go1.20.10-1-openssl-fips. * Update to go1.20.10 go1.20.10 (released 2023-10-10) includes a security fix to the net/http package. * security: fix CVE-2023-39325 CVE-2023-44487 net/http: rapid stream resets can cause excessive work (bsc#1216109) go1.20.9 (released 2023-10-05) includes one security fix to the cmd/go package, as well as bug fixes to the go command and the linker. * security: fix CVE-2023-39323 cmd/go: line directives allows arbitrary execution during build (bsc#1215985) * cmd/link: issues with Apple's new linker in Xcode 15 beta The following package changes have been done: - go1.20-openssl-doc-1.20.11.1-150000.1.14.1 added - go1.20-openssl-1.20.11.1-150000.1.14.1 added - go1.20-openssl-race-1.20.11.1-150000.1.14.1 added - go1.19-openssl-1.19.13.1-150000.1.8.1 removed - go1.19-openssl-doc-1.19.13.1-150000.1.8.1 removed - go1.19-openssl-race-1.19.13.1-150000.1.8.1 removed From sle-container-updates at lists.suse.com Tue Nov 21 16:17:47 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 21 Nov 2023 17:17:47 +0100 (CET) Subject: SUSE-CU-2023:3786-1: Security update of bci/golang Message-ID: <20231121161747.6CE1AFBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/golang ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3786-1 Container Tags : bci/golang:1.21-openssl , bci/golang:1.21-openssl-8.2 , bci/golang:latest , bci/golang:stable-openssl , bci/golang:stable-openssl-8.2 Container Release : 8.2 Severity : moderate Type : security References : 1212475 1212667 1212669 1215084 1215085 1215086 1215087 1215090 1215985
1216109 1216943 1216944 CVE-2023-39318 CVE-2023-39319 CVE-2023-39320 CVE-2023-39321 CVE-2023-39322 CVE-2023-39323 CVE-2023-39325 CVE-2023-44487 CVE-2023-45283 CVE-2023-45284 ----------------------------------------------------------------- The container bci/golang was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4469-1 Released: Thu Nov 16 18:59:45 2023 Summary: Security update for go1.21-openssl Type: security Severity: moderate References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109,1216943,1216944,CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487,CVE-2023-45283,CVE-2023-45284 This update for go1.21-openssl fixes the following issues: Update to version 1.21.4.1 cut from the go1.21-openssl-fips branch at the revision tagged go1.21.4-1-openssl-fips. * Update to go1.21.4 go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages. * security: fix CVE-2023-45283 CVE-2023-45284 path/filepath: insecure parsing of Windows paths (bsc#1216943, bsc#1216944) * spec: update unification rules * cmd/compile: internal compiler error: expected struct value to have type struct * cmd/link: split text sections for arm 32-bit * runtime: MADV_COLLAPSE causes production performance issues on Linux * go/types, x/tools/go/ssa: panic: type param without replacement encountered * cmd/compile: -buildmode=c-archive produces code not suitable for use in a shared object on arm64 * net/http: http2 page fails on firefox/safari if pushing resources Initial package go1.21-openssl version 1.21.3.1 cut from the go1.21-openssl-fips branch at the revision tagged go1.21.3-1-openssl-fips. 
(jsc#SLE-18320) * Go upstream merged branch dev.boringcrypto in go1.19+. * In go1.x enable BoringCrypto via GOEXPERIMENT=boringcrypto. * In go1.x-openssl enable FIPS mode (or boring mode as the package is named) either via an environment variable GOLANG_FIPS=1 or by virtue of booting the host in FIPS mode. * When the operating system is operating in FIPS mode, Go applications which import crypto/tls/fipsonly limit operations to the FIPS ciphersuite. * go1.x-openssl is delivered as two large patches to go1.x applying necessary modifications from the golang-fips/go GitHub project for the Go crypto library to use OpenSSL as the external cryptographic library in a FIPS compliant way. * go1.x-openssl modifies the crypto/* packages to use OpenSSL for cryptographic operations. * go1.x-openssl uses dlopen() to call into OpenSSL. * SUSE RPM packaging introduces a fourth version digit go1.x.y.z corresponding to the golang-fips/go patchset tagged revision. * Patchset improvements can be updated independently of upstream Go maintenance releases. 
The following package changes have been done: - go1.21-openssl-doc-1.21.4.1-150000.1.5.1 added - go1.21-openssl-1.21.4.1-150000.1.5.1 added - go1.21-openssl-race-1.21.4.1-150000.1.5.1 added - go1.20-openssl-1.20.11.1-150000.1.14.1 removed - go1.20-openssl-doc-1.20.11.1-150000.1.14.1 removed - go1.20-openssl-race-1.20.11.1-150000.1.14.1 removed From sle-container-updates at lists.suse.com Wed Nov 22 08:42:56 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 09:42:56 +0100 (CET) Subject: SUSE-CU-2023:3791-1: Security update of suse/sle15 Message-ID: <20231122084256.6B816FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3791-1 Container Tags : bci/bci-base:15.4 , bci/bci-base:15.4.27.14.120 , suse/sle15:15.4 , suse/sle15:15.4.27.14.120 Container Release : 27.14.120 Severity : important Type : security References : 1212475 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4511-1 Released: Tue Nov 21 16:43:08 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - container-suseconnect-2.4.0-150000.4.44.1 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - libopenssl1_1-1.1.1l-150400.7.60.2 updated - openssl-1_1-1.1.1l-150400.7.60.2 updated From sle-container-updates at lists.suse.com Wed Nov 22 08:44:41 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 09:44:41 +0100 (CET) Subject: SUSE-CU-2023:3798-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20231122084441.69F2CFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3798-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.9 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.9 Container Release : 9.40.9 Severity : moderate Type : security References : 1206667 CVE-2022-40897 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4517-1 Released: Tue Nov 21 17:30:27 2023 Summary: Security update for python3-setuptools Type: security Severity: moderate References: 1206667,CVE-2022-40897 This update for python3-setuptools fixes the following issues: - CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667). The following package changes have been done: - python3-setuptools-44.1.1-150400.9.6.1 updated From sle-container-updates at lists.suse.com Wed Nov 22 08:44:49 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 09:44:49 +0100 (CET) Subject: SUSE-CU-2023:3799-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20231122084449.28B69FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3799-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.8 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.8 Container Release : 9.30.8 Severity : moderate Type : security References : 1206667 CVE-2022-40897 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4517-1 Released: Tue Nov 21 17:30:27 2023 Summary: Security update for python3-setuptools Type: security Severity: moderate References: 1206667,CVE-2022-40897 This update for python3-setuptools fixes the following issues: - CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667). The following package changes have been done: - python3-setuptools-44.1.1-150400.9.6.1 updated From sle-container-updates at lists.suse.com Wed Nov 22 19:12:27 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 20:12:27 +0100 (CET) Subject: SUSE-CU-2023:3801-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20231122191227.8835BFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3801-1 Container Tags : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.258 , suse/sle-micro/5.3/toolbox:latest Container Release : 5.2.258 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - libopenssl1_1-1.1.1l-150400.7.60.2 updated - openssl-1_1-1.1.1l-150400.7.60.2 updated - container:sles15-image-15.0.0-27.14.120 updated From sle-container-updates at lists.suse.com Wed Nov 22 19:12:59 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 20:12:59 +0100 (CET) Subject: SUSE-CU-2023:3802-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20231122191259.1B79AFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3802-1 Container Tags : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.155 , suse/sle-micro/5.4/toolbox:latest Container Release : 4.2.155 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done: - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - libopenssl1_1-1.1.1l-150400.7.60.2 updated - openssl-1_1-1.1.1l-150400.7.60.2 updated - container:sles15-image-15.0.0-27.14.120 updated From sle-container-updates at lists.suse.com Wed Nov 22 19:14:27 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 20:14:27 +0100 (CET) Subject: SUSE-CU-2023:3803-1: Security update of suse/sle15 Message-ID: <20231122191427.372C8FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3803-1 Container Tags : bci/bci-base:15.3 , bci/bci-base:15.3.17.20.215 , suse/sle15:15.3 , suse/sle15:15.3.17.20.215 Container Release : 17.20.215 Severity : important Type : security References : 1212475 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4511-1 Released: Tue Nov 21 16:43:08 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4519-1 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done: - container-suseconnect-2.4.0-150000.4.44.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.82.1 updated - libopenssl1_1-1.1.1d-150200.11.82.1 updated - openssl-1_1-1.1.1d-150200.11.82.1 updated From sle-container-updates at lists.suse.com Wed Nov 22 19:15:15 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 20:15:15 +0100 (CET) Subject: SUSE-CU-2023:3804-1: Security update of bci/bci-init Message-ID: <20231122191515.EC0ACFBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3804-1 Container Tags : bci/bci-init:15.4 , bci/bci-init:15.4.30.29 Container Release : 30.29 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container bci/bci-init was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.60.2 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - container:sles15-image-15.0.0-27.14.120 updated From sle-container-updates at lists.suse.com Wed Nov 22 19:15:48 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 22 Nov 2023 20:15:48 +0100 (CET) Subject: SUSE-CU-2023:3805-1: Security update of bci/nodejs Message-ID: <20231122191548.AE5F5FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3805-1 Container Tags : bci/node:16 , bci/node:16-18.24 , bci/nodejs:16 , bci/nodejs:16-18.24 Container Release : 18.24 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- container:sles15-image-15.0.0-27.14.119 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:16:50 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:16:50 +0100 (CET)
Subject: SUSE-CU-2023:3806-1: Security update of suse/pcp
Message-ID: <20231122191650.4C31BFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3806-1
Container Tags : suse/pcp:5 , suse/pcp:5-17.194 , suse/pcp:5.2 , suse/pcp:5.2-17.194 , suse/pcp:5.2.5 , suse/pcp:5.2.5-17.194
Container Release : 17.194
Severity : important
Type : security
References : 1215947 1216419 1216922 CVE-2023-38470 CVE-2023-38473 CVE-2023-5678
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4503-1
Released: Tue Nov 21 13:25:12 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473

This update for avahi fixes the following issues:

- CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947).
- CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- libavahi-common3-0.8-150400.7.10.1 updated
- libavahi-client3-0.8-150400.7.10.1 updated
- container:bci-bci-init-15.4-15.4-30.29 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:17:02 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:17:02 +0100 (CET)
Subject: SUSE-CU-2023:3807-1: Security update of suse/postgres
Message-ID: <20231122191702.6C8D5FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3807-1
Container Tags : suse/postgres:14 , suse/postgres:14-24.14 , suse/postgres:14.10 , suse/postgres:14.10-24.14
Container Release : 24.14
Severity : important
Type : security
References : 1122892 1179231 1206796 1209208 1216022 1216022 1216734 1216734 1216922 1216960 1216960 1216961 1216961 1216962 1216962 CVE-2023-5678 CVE-2023-5868 CVE-2023-5868 CVE-2023-5869 CVE-2023-5869 CVE-2023-5870 CVE-2023-5870
-----------------------------------------------------------------

The container suse/postgres was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4479-1
Released: Mon Nov 20 10:09:03 2023
Summary: Security update for postgresql14
Type: security
Severity: important
References: 1216022,1216734,1216960,1216961,1216962,CVE-2023-5868,CVE-2023-5869,CVE-2023-5870

This update for postgresql14 fixes the following issues:

Security issues fixed:

* CVE-2023-5868: Fix handling of unknown-type arguments in DISTINCT 'any' aggregate functions. This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while computing new array dimensions. When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role from signalling background workers and autovacuum processes. The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. (bsc#1216960)

- update to 14.10: https://www.postgresql.org/docs/14/release-14-10.html
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4495-1
Released: Tue Nov 21 08:39:58 2023
Summary: Security update for postgresql, postgresql15, postgresql16
Type: security
Severity: important
References: 1122892,1179231,1206796,1209208,1216022,1216734,1216960,1216961,1216962,CVE-2023-5868,CVE-2023-5869,CVE-2023-5870

This update for postgresql, postgresql15, postgresql16 fixes the following issues:

This update ships postgresql 16.

Security issues fixed:

* CVE-2023-5868: Fix handling of unknown-type arguments in DISTINCT 'any' aggregate functions. This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while computing new array dimensions. When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role from signalling background workers and autovacuum processes. The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. (bsc#1216960)

Changes in postgresql16:

- Upgrade to 16.1:
  * https://www.postgresql.org/about/news/2715
  * https://www.postgresql.org/docs/16/release-16.html
  * https://www.postgresql.org/docs/16/release-16-1.html
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.

Changes in postgresql15:

- Update to 15.5 https://www.postgresql.org/docs/15/release-15-5.html
- The libs and mini package are now provided by postgresql16.
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.

Changes in postgresql:

- Interlock version and release of all noarch packages except for the postgresql-docs.
- bsc#1122892: Add a sysconfig variable for initdb.
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- bsc#1179231: Add an explanation for the /tmp -> /run/postgresql move and permission change.
- Add postgresql-README as a separate source file.
- bsc#1209208: Drop hard dependency on systemd
- bsc#1206796: Refine the distinction of where to use sysusers and use bcond to have the expression only in one place.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- libpq5-16.1-150200.5.7.1 updated
- postgresql-16-150400.4.9.2 updated
- postgresql14-14.10-150200.5.36.1 updated
- postgresql-server-16-150400.4.9.2 updated
- postgresql14-server-14.10-150200.5.36.1 updated
- container:sles15-image-15.0.0-27.14.119 updated
- dbus-1-1.12.2-150400.18.8.1 removed
- kbd-2.4.0-150400.5.6.1 removed
- kbd-legacy-2.4.0-150400.5.6.1 removed
- libapparmor1-3.0.4-150400.5.9.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.4.3-150400.3.3.1 removed
- libcryptsetup12-hmac-2.4.3-150400.3.3.1 removed
- libdbus-1-3-1.12.2-150400.18.8.1 removed
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 removed
- libexpat1-2.4.4-150400.3.12.1 removed
- libffi7-3.2.1.git259-10.8 removed
- libip4tc2-1.8.7-1.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libp11-kit0-0.23.22-150400.1.10 removed
- libseccomp2-2.5.3-150400.2.4 removed
- libudev1-249.16-150400.8.35.5 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- systemd-249.16-150400.8.35.5 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SLE-15.1-150100.20.11.1 removed
- systemd-presets-common-SUSE-15-150100.8.20.1 removed

From sle-container-updates at lists.suse.com Wed Nov 22 19:17:45 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:17:45 +0100 (CET)
Subject: SUSE-CU-2023:3808-1: Security update of bci/python
Message-ID: <20231122191745.DAC28FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3808-1
Container Tags : bci/python:3 , bci/python:3-16.26 , bci/python:3.10 , bci/python:3.10-16.26
Container Release : 16.26
Severity : important
Type : security
References : 1216922 CVE-2023-5678
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- container:sles15-image-15.0.0-27.14.119 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:17:59 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:17:59 +0100 (CET)
Subject: SUSE-CU-2023:3809-1: Security update of suse/389-ds
Message-ID: <20231122191759.DF673FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3809-1
Container Tags : suse/389-ds:2.2 , suse/389-ds:2.2-16.47 , suse/389-ds:latest
Container Release : 16.47
Severity : moderate
Type : security
References : 1206667 CVE-2022-40897
-----------------------------------------------------------------

The container suse/389-ds was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4517-1
Released: Tue Nov 21 17:30:27 2023
Summary: Security update for python3-setuptools
Type: security
Severity: moderate
References: 1206667,CVE-2022-40897

This update for python3-setuptools fixes the following issues:

- CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667).
The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- python3-setuptools-44.1.1-150400.9.6.1 updated
- container:sles15-image-15.0.0-36.5.57 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:18:46 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:18:46 +0100 (CET)
Subject: SUSE-CU-2023:3815-1: Recommended update of suse/helm
Message-ID: <20231122191846.511F0FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/helm
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3815-1
Container Tags : suse/helm:3.13 , suse/helm:3.13-3.15 , suse/helm:latest
Container Release : 3.15
Severity : important
Type : recommended
References : 1217013
-----------------------------------------------------------------

The container suse/helm was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4509-1
Released: Tue Nov 21 13:36:00 2023
Summary: Recommended update for helm
Type: recommended
Severity: important
References: 1217013

This update for helm fixes the following issues:

- Update to version 3.13.2 (bsc#1217013)
- Fixes a regression when helm can't be pulled anonymously from registries. (bsc#1217013)
- Allow using label selectors for system labels for sql backend.
- Allow using label selectors for system labels for secrets and configmap backends.
The following package changes have been done:

- helm-3.13.2-150000.1.29.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:19:54 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:19:54 +0100 (CET)
Subject: SUSE-CU-2023:3821-1: Security update of suse/pcp
Message-ID: <20231122191954.72FCFFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3821-1
Container Tags : suse/pcp:5 , suse/pcp:5-15.68 , suse/pcp:5.2 , suse/pcp:5.2-15.68 , suse/pcp:5.2.5 , suse/pcp:5.2.5-15.68 , suse/pcp:latest
Container Release : 15.68
Severity : moderate
Type : security
References : 1215947 1216419 CVE-2023-38470 CVE-2023-38473
-----------------------------------------------------------------

The container suse/pcp was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4503-1
Released: Tue Nov 21 13:25:12 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473

This update for avahi fixes the following issues:

- CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947).
- CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419).
The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- libavahi-common3-0.8-150400.7.10.1 updated
- libavahi-client3-0.8-150400.7.10.1 updated
- container:bci-bci-init-15.5-15.5-10.39 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:20:20 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:20:20 +0100 (CET)
Subject: SUSE-CU-2023:3823-1: Security update of suse/postgres
Message-ID: <20231122192020.A3E82FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/postgres
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3823-1
Container Tags : suse/postgres:15 , suse/postgres:15-12.17 , suse/postgres:15.5 , suse/postgres:15.5-12.17 , suse/postgres:latest
Container Release : 12.17
Severity : important
Type : security
References : 1122892 1179231 1206796 1209208 1216022 1216734 1216960 1216961 1216962 CVE-2023-5868 CVE-2023-5869 CVE-2023-5870
-----------------------------------------------------------------

The container suse/postgres was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4495-1
Released: Tue Nov 21 08:39:58 2023
Summary: Security update for postgresql, postgresql15, postgresql16
Type: security
Severity: important
References: 1122892,1179231,1206796,1209208,1216022,1216734,1216960,1216961,1216962,CVE-2023-5868,CVE-2023-5869,CVE-2023-5870

This update for postgresql, postgresql15, postgresql16 fixes the following issues:

This update ships postgresql 16.

Security issues fixed:

* CVE-2023-5868: Fix handling of unknown-type arguments in DISTINCT 'any' aggregate functions. This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. (bsc#1216962)
* CVE-2023-5869: Detect integer overflow while computing new array dimensions. When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. (bsc#1216961)
* CVE-2023-5870: Prevent the pg_signal_backend role from signalling background workers and autovacuum processes. The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. (bsc#1216960)

Changes in postgresql16:

- Upgrade to 16.1:
  * https://www.postgresql.org/about/news/2715
  * https://www.postgresql.org/docs/16/release-16.html
  * https://www.postgresql.org/docs/16/release-16-1.html
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.

Changes in postgresql15:

- Update to 15.5 https://www.postgresql.org/docs/15/release-15-5.html
- The libs and mini package are now provided by postgresql16.
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- Change the unix domain socket location from /var/run to /run.

Changes in postgresql:

- Interlock version and release of all noarch packages except for the postgresql-docs.
- bsc#1122892: Add a sysconfig variable for initdb.
- Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package.
- bsc#1179231: Add an explanation for the /tmp -> /run/postgresql move and permission change.
- Add postgresql-README as a separate source file.
- bsc#1209208: Drop hard dependency on systemd
- bsc#1206796: Refine the distinction of where to use sysusers and use bcond to have the expression only in one place.

The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- libpq5-16.1-150200.5.7.1 updated
- postgresql-16-150500.10.3.2 updated
- postgresql15-15.5-150200.5.19.1 updated
- postgresql-server-16-150500.10.3.2 updated
- postgresql15-server-15.5-150200.5.19.1 updated
- container:sles15-image-15.0.0-36.5.57 updated
- dbus-1-1.12.2-150400.18.8.1 removed
- kbd-2.4.0-150400.5.6.1 removed
- kbd-legacy-2.4.0-150400.5.6.1 removed
- libapparmor1-3.0.4-150500.11.9.1 removed
- libargon2-1-0.0+git20171227.670229c-2.14 removed
- libcryptsetup12-2.4.3-150400.3.3.1 removed
- libcryptsetup12-hmac-2.4.3-150400.3.3.1 removed
- libdbus-1-3-1.12.2-150400.18.8.1 removed
- libdevmapper1_03-2.03.16_1.02.185-150500.7.6.1 removed
- libexpat1-2.4.4-150400.3.12.1 removed
- libffi7-3.2.1.git259-10.8 removed
- libip4tc2-1.8.7-1.1 removed
- libjson-c3-0.13-3.3.1 removed
- libkmod2-29-4.15.1 removed
- libp11-kit0-0.23.22-150500.6.1 removed
- libseccomp2-2.5.3-150400.2.4 removed
- libudev1-249.16-150400.8.35.5 removed
- netcfg-11.6-3.3.1 removed
- pam-config-1.1-3.3.1 removed
- pkg-config-0.29.2-1.436 removed
- systemd-249.16-150400.8.35.5 removed
- systemd-default-settings-0.7-3.2.1 removed
- systemd-default-settings-branding-SLE-0.7-3.2.1 removed
- systemd-presets-branding-SLE-15.1-150100.20.11.1 removed
- systemd-presets-common-SUSE-15-150500.20.3.1 removed

From sle-container-updates at lists.suse.com Wed Nov 22 19:21:04 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:21:04 +0100 (CET)
Subject: SUSE-CU-2023:3827-1: Security update of suse/sle15
Message-ID: <20231122192104.6F482FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3827-1
Container Tags : bci/bci-base:15.5 , bci/bci-base:15.5.36.5.57 , suse/sle15:15.5 , suse/sle15:15.5.36.5.57
Container Release : 36.5.57
Severity : important
Type : security
References : 1212475
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4511-1
Released: Tue Nov 21 16:43:08 2023
Summary: Security update for container-suseconnect
Type: security
Severity: important
References: 1212475

This update of container-suseconnect fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).
The following package changes have been done:

- container-suseconnect-2.4.0-150000.4.44.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libxml2-2-2.10.3-150500.5.11.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated

From sle-container-updates at lists.suse.com Wed Nov 22 19:21:13 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 22 Nov 2023 20:21:13 +0100 (CET)
Subject: SUSE-CU-2023:3828-1: Security update of suse/manager/4.3/proxy-ssh
Message-ID: <20231122192113.E1A47FBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3828-1
Container Tags : suse/manager/4.3/proxy-ssh:4.3.9 , suse/manager/4.3/proxy-ssh:4.3.9.9.30.8 , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.9 , suse/manager/4.3/proxy-ssh:susemanager-4.3.9.9.30.8
Container Release : 9.30.8
Severity : important
Type : security
References : 1216922 CVE-2023-5678
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
The following package changes have been done:

- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated

From sle-container-updates at lists.suse.com Thu Nov 23 08:02:38 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 23 Nov 2023 09:02:38 +0100 (CET)
Subject: SUSE-CU-2023:3830-1: Security update of bci/openjdk-devel
Message-ID: <20231123080238.2840EF3CA@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3830-1
Container Tags : bci/openjdk-devel:11 , bci/openjdk-devel:11-10.84
Container Release : 10.84
Severity : moderate
Type : security
References : 1162112 1216529 CVE-2023-46122
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4527-1
Released: Wed Nov 22 14:38:50 2023
Summary: Security update for maven, maven-resolver, sbt, xmvn
Type: security
Severity: moderate
References: 1162112,1216529,CVE-2023-46122

This update for maven, maven-resolver, sbt, xmvn fixes the following issues:

- CVE-2023-46122: Fixed an arbitrary file write when extracting a crafted zip file with sbt (bsc#1216529).
- Upgraded maven to version 3.9.4
- Upgraded maven-resolver to version 1.9.15.
The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- maven-resolver-api-1.9.15-150200.3.14.2 updated
- maven-resolver-util-1.9.15-150200.3.14.2 updated
- maven-resolver-spi-1.9.15-150200.3.14.2 updated
- maven-resolver-named-locks-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-file-1.9.15-150200.3.14.2 updated
- maven-resolver-connector-basic-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-wagon-1.9.15-150200.3.14.2 updated
- maven-resolver-impl-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-http-1.9.15-150200.3.14.2 updated
- maven-lib-3.9.4-150200.4.18.1 updated
- maven-3.9.4-150200.4.18.1 updated
- container:bci-openjdk-11-15.5.11-11.41 updated

From sle-container-updates at lists.suse.com Thu Nov 23 08:02:57 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 23 Nov 2023 09:02:57 +0100 (CET)
Subject: SUSE-CU-2023:3831-1: Security update of bci/openjdk-devel
Message-ID: <20231123080257.23FC9F3CA@maintenance.suse.de>

SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3831-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17-12.79 , bci/openjdk-devel:latest
Container Release : 12.79
Severity : moderate
Type : security
References : 1162112 1216529 CVE-2023-46122
-----------------------------------------------------------------

The container bci/openjdk-devel was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4527-1
Released: Wed Nov 22 14:38:50 2023
Summary: Security update for maven, maven-resolver, sbt, xmvn
Type: security
Severity: moderate
References: 1162112,1216529,CVE-2023-46122

This update for maven, maven-resolver, sbt, xmvn fixes the following issues:

- CVE-2023-46122: Fixed an arbitrary file write when extracting a crafted zip file with sbt (bsc#1216529).
- Upgraded maven to version 3.9.4
- Upgraded maven-resolver to version 1.9.15.

The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- maven-resolver-api-1.9.15-150200.3.14.2 updated
- maven-resolver-util-1.9.15-150200.3.14.2 updated
- maven-resolver-spi-1.9.15-150200.3.14.2 updated
- maven-resolver-named-locks-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-file-1.9.15-150200.3.14.2 updated
- maven-resolver-connector-basic-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-wagon-1.9.15-150200.3.14.2 updated
- maven-resolver-impl-1.9.15-150200.3.14.2 updated
- maven-resolver-transport-http-1.9.15-150200.3.14.2 updated
- maven-lib-3.9.4-150200.4.18.1 updated
- maven-3.9.4-150200.4.18.1 updated
- container:bci-openjdk-17-15.5.17-12.39 updated

From sle-container-updates at lists.suse.com Thu Nov 23 08:03:56 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 23 Nov 2023 09:03:56 +0100 (CET)
Subject: SUSE-CU-2023:3835-1: Security update of bci/python
Message-ID: <20231123080356.1EBD2FBA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3835-1
Container Tags : bci/python:3 , bci/python:3-14.33 , bci/python:3.6 , bci/python:3.6-14.33
Container Release : 14.33
Severity : moderate
Type : security
References : 1206667 CVE-2022-40897
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4517-1
Released: Tue Nov 21 17:30:27 2023
Summary: Security update for python3-setuptools
Type: security
Severity: moderate
References: 1206667,CVE-2022-40897

This update for python3-setuptools fixes the following issues:

- CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667).

The following package changes have been done:

- libxml2-2-2.10.3-150500.5.11.1 updated
- libopenssl1_1-1.1.1l-150500.17.22.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.22.1 updated
- openssl-1_1-1.1.1l-150500.17.22.1 updated
- python3-setuptools-44.1.1-150400.9.6.1 updated
- container:sles15-image-15.0.0-36.5.57 updated

From sle-container-updates at lists.suse.com Thu Nov 23 08:04:33 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 23 Nov 2023 09:04:33 +0100 (CET)
Subject: SUSE-CU-2023:3838-1: Security update of suse/manager/4.3/proxy-httpd
Message-ID: <20231123080433.956B4F3CA@maintenance.suse.de>

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3838-1
Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.10 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.10
Container Release : 9.40.10
Severity : important
Type : security
References : 1216922 CVE-2023-5678
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.60.2 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:04:39 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:04:39 +0100 (CET) Subject: SUSE-CU-2023:3839-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20231123080439.77CB7FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3839-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.9 , suse/manager/4.3/proxy-salt-broker:4.3.9.9.30.10 , suse/manager/4.3/proxy-salt-broker:latest , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9 , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9.9.30.10 Container Release : 9.30.10 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.60.2 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - openssl-1_1-1.1.1l-150400.7.60.2 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:04:46 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:04:46 +0100 (CET) Subject: SUSE-CU-2023:3840-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20231123080446.D1A98FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3840-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.9 , suse/manager/4.3/proxy-squid:4.3.9.9.39.8 , suse/manager/4.3/proxy-squid:latest , suse/manager/4.3/proxy-squid:susemanager-4.3.9 , suse/manager/4.3/proxy-squid:susemanager-4.3.9.9.39.8 Container Release : 9.39.8 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.60.2 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:04:53 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:04:53 +0100 (CET) Subject: SUSE-CU-2023:3841-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20231123080453.47AEDFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3841-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.9 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.9 Container Release : 9.30.9 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-1.1.1l-150400.7.60.2 updated - libopenssl1_1-hmac-1.1.1l-150400.7.60.2 updated - openssl-1_1-1.1.1l-150400.7.60.2 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:05:29 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:05:29 +0100 (CET) Subject: SUSE-CU-2023:3842-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20231123080529.7B75FFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3842-1 Container Tags : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.496 , suse/sle-micro/5.1/toolbox:latest Container Release : 2.2.496 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4519-1 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-hmac-1.1.1d-150200.11.82.1 updated - libopenssl1_1-1.1.1d-150200.11.82.1 updated - openssl-1_1-1.1.1d-150200.11.82.1 updated - container:sles15-image-15.0.0-17.20.215 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:06:00 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:06:00 +0100 (CET) Subject: SUSE-CU-2023:3843-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20231123080600.D8EBAFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3843-1 Container Tags : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.318 , suse/sle-micro/5.2/toolbox:latest Container Release : 6.2.318 Severity : important Type : security References : 1216922 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4519-1 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - libopenssl1_1-hmac-1.1.1d-150200.11.82.1 updated - libopenssl1_1-1.1.1d-150200.11.82.1 updated - openssl-1_1-1.1.1d-150200.11.82.1 updated - container:sles15-image-15.0.0-17.20.215 updated From sle-container-updates at lists.suse.com Thu Nov 23 09:00:36 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 10:00:36 +0100 (CET) Subject: SUSE-CU-2023:3846-1: Security update of suse/sle15 Message-ID: <20231123090036.3CB19FDD9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3846-1 Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.373 Container Release : 9.5.373 Severity : important Type : security References : 1212475 1213865 1216922 CVE-2018-7738 CVE-2023-5678 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4511-1 Released: Tue Nov 21 16:43:08 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4512-1 Released: Tue Nov 21 17:25:02 2023 Summary: Security update for util-linux Type: security Severity: important References: 1213865,CVE-2018-7738 This update for util-linux fixes the following issues: - CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4519-1 Released: Tue Nov 21 17:39:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). The following package changes have been done: - container-suseconnect-2.4.0-150000.4.44.1 updated - libblkid1-2.33.2-150100.4.40.1 updated - libfdisk1-2.33.2-150100.4.40.1 updated - libmount1-2.33.2-150100.4.40.1 updated - libopenssl1_1-hmac-1.1.1d-150200.11.82.1 updated - libopenssl1_1-1.1.1d-150200.11.82.1 updated - libsmartcols1-2.33.2-150100.4.40.1 updated - libuuid1-2.33.2-150100.4.40.1 updated - openssl-1_1-1.1.1d-150200.11.82.1 updated - util-linux-2.33.2-150100.4.40.1 updated From sle-container-updates at lists.suse.com Thu Nov 23 08:59:13 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 09:59:13 +0100 (CET) Subject: SUSE-CU-2023:3845-1: Security update of suse/sle15 Message-ID: <20231123085913.2886CFDCC@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3845-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.846 Container Release : 6.2.846 Severity : important Type : security References : 1212475 1213865 1216922 CVE-2018-7738 CVE-2023-5678 
----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4511-1 Released: Tue Nov 21 16:43:08 2023 Summary: Security update for container-suseconnect Type: security Severity: important References: 1212475 This update of container-suseconnect fixes the following issues: - rebuild the package with the go 1.21 security release (bsc#1212475). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4512-1 Released: Tue Nov 21 17:25:02 2023 Summary: Security update for util-linux Type: security Severity: important References: 1213865,CVE-2018-7738 This update for util-linux fixes the following issues: - CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4520-1 Released: Tue Nov 21 17:42:13 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
The following package changes have been done:

- container-suseconnect-2.4.0-150000.4.44.1 updated
- libblkid1-2.33.2-150100.4.40.1 updated
- libfdisk1-2.33.2-150100.4.40.1 updated
- libmount1-2.33.2-150100.4.40.1 updated
- libopenssl1_1-1.1.0i-150100.14.68.1 updated
- libsmartcols1-2.33.2-150100.4.40.1 updated
- libuuid1-2.33.2-150100.4.40.1 updated
- openssl-1_1-1.1.0i-150100.14.68.1 updated
- util-linux-2.33.2-150100.4.40.1 updated

From sle-container-updates at lists.suse.com Thu Nov 23 08:57:11 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Thu, 23 Nov 2023 09:57:11 +0100 (CET)
Subject: SUSE-CU-2023:3844-1: Security update of suse/sles12sp5
Message-ID: <20231123085711.C66ECFBA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3844-1
Container Tags : suse/sles12sp5:6.5.537 , suse/sles12sp5:latest
Container Release : 6.5.537
Severity : important
Type : security
References : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216129 1216664 1216922 CVE-2023-4039 CVE-2023-45322 CVE-2023-5678
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4480-1
Released: Mon Nov 20 10:15:33 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4505-1
Released: Tue Nov 21 13:30:43 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4523-1
Released: Tue Nov 21 17:50:16 2023
Summary: Security update for openssl-1_0_0
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_0_0 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
The following package changes have been done: - libgcc_s1-13.2.1+git7813-1.10.1 updated - libopenssl1_0_0-1.0.2p-3.87.1 updated - libstdc++6-13.2.1+git7813-1.10.1 updated - libxml2-2-2.9.4-46.68.2 updated - openssl-1_0_0-1.0.2p-3.87.1 updated From sle-container-updates at lists.suse.com Thu Nov 23 16:19:06 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Thu, 23 Nov 2023 17:19:06 +0100 (CET) Subject: SUSE-CU-2023:3849-1: Recommended update of suse/sle15 Message-ID: <20231123161906.98201FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3849-1 Container Tags : bci/bci-base:15.5 , bci/bci-base:15.5.36.5.58 , suse/sle15:15.5 , suse/sle15:15.5.36.5.58 Container Release : 36.5.58 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:03:14 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:03:14 +0100 (CET) Subject: SUSE-CU-2023:3852-1: Recommended update of suse/sle-micro/5.5/toolbox Message-ID: <20231124080314.57335FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.5/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3852-1 Container Tags : suse/sle-micro/5.5/toolbox:12.1 , suse/sle-micro/5.5/toolbox:12.1-2.2.103 , suse/sle-micro/5.5/toolbox:latest Container Release : 2.2.103 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle-micro/5.5/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated - container:sles15-image-15.0.0-36.5.58 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:04:44 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:04:44 +0100 (CET) Subject: SUSE-CU-2023:3853-1: Recommended update of suse/sle15 Message-ID: <20231124080444.165B7FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3853-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.847 Container Release : 6.2.847 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4536-1 Released: Thu Nov 23 08:19:05 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150100.3.120.1 updated - zypper-1.14.66-150100.3.90.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:05:51 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:05:51 +0100 (CET) Subject: SUSE-CU-2023:3854-1: Recommended update of suse/sle15 Message-ID: <20231124080551.2F9B7FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3854-1 Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.374 Container Release : 9.5.374 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4535-1 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150200.78.1 updated - zypper-1.14.66-150200.65.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:06:48 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:06:48 +0100 (CET) Subject: SUSE-CU-2023:3855-1: Recommended update of suse/sle15 Message-ID: <20231124080648.AB784FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3855-1 Container Tags : bci/bci-base:15.3 , bci/bci-base:15.3.17.20.216 , suse/sle15:15.3 , suse/sle15:15.3.17.20.216 Container Release : 17.20.216 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4535-1 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150200.78.1 updated - zypper-1.14.66-150200.65.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:07:25 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:07:25 +0100 (CET) Subject: SUSE-CU-2023:3856-1: Security update of bci/bci-init Message-ID: <20231124080725.90F43FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/bci-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3856-1 Container Tags : bci/bci-init:15.4 , bci/bci-init:15.4.30.31 Container Release : 30.31 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container bci/bci-init was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:07:49 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:07:49 +0100 (CET) Subject: SUSE-CU-2023:3857-1: Security update of bci/nodejs Message-ID: <20231124080749.91F33FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/nodejs ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3857-1 Container Tags : bci/node:16 , bci/node:16-18.26 , bci/nodejs:16 , bci/nodejs:16-18.26 Container Release : 18.26 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container bci/nodejs was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:08:35 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:08:35 +0100 (CET) Subject: SUSE-CU-2023:3858-1: Security update of suse/pcp Message-ID: <20231124080835.9A86FFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/pcp ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3858-1 Container Tags : suse/pcp:5 , suse/pcp:5-17.197 , suse/pcp:5.2 , suse/pcp:5.2-17.197 , suse/pcp:5.2.5 , suse/pcp:5.2.5-17.197 Container Release : 17.197 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/pcp was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - container:bci-bci-init-15.4-15.4-30.31 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:09:08 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:09:08 +0100 (CET) Subject: SUSE-CU-2023:3859-1: Security update of bci/python Message-ID: <20231124080908.E63F6FBA9@maintenance.suse.de> SUSE Container Update Advisory: bci/python ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3859-1 Container Tags : bci/python:3 , bci/python:3-16.28 , bci/python:3.10 , bci/python:3.10-16.28 Container Release : 16.28 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container bci/python was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:09:39 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:09:39 +0100 (CET) Subject: SUSE-CU-2023:3860-1: Security update of suse/sle15 Message-ID: <20231124080939.7D9CDFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3860-1 Container Tags : bci/bci-base:15.4 , bci/bci-base:15.4.27.14.122 , suse/sle15:15.4 , suse/sle15:15.4.27.14.122 Container Release : 27.14.122 Severity : moderate Type : security References : 1041742 1203760 1212422 1215979 1216091 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: 
Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:14:20 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:14:20 +0100 (CET) Subject: SUSE-CU-2023:3886-1: Security update of suse/manager/4.3/proxy-httpd Message-ID: <20231124081420.95EF6FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3886-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.12 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.12 Container Release : 9.40.12 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - python3-libxml2-2.9.14-150400.5.25.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:14:26 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:14:26 +0100 (CET) Subject: SUSE-CU-2023:3887-1: Security update of suse/manager/4.3/proxy-ssh Message-ID: <20231124081426.89761FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-ssh ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3887-1 Container Tags : suse/manager/4.3/proxy-ssh:4.3.9 , suse/manager/4.3/proxy-ssh:4.3.9.9.30.10 , suse/manager/4.3/proxy-ssh:latest , suse/manager/4.3/proxy-ssh:susemanager-4.3.9 , suse/manager/4.3/proxy-ssh:susemanager-4.3.9.9.30.10 Container Release : 9.30.10 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-ssh was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:14:53 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:14:53 +0100 (CET) Subject: SUSE-CU-2023:3888-1: Recommended update of suse/sle-micro/5.1/toolbox Message-ID: <20231124081453.6DB22FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3888-1 Container Tags : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.498 , suse/sle-micro/5.1/toolbox:latest Container Release : 2.2.498 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4535-1 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150200.78.1 updated - zypper-1.14.66-150200.65.1 updated - 
container:sles15-image-15.0.0-17.20.216 updated From sle-container-updates at lists.suse.com Fri Nov 24 08:16:14 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 09:16:14 +0100 (CET) Subject: SUSE-CU-2023:3890-1: Recommended update of suse/sle-micro/5.2/toolbox Message-ID: <20231124081614.40DA5FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3890-1 Container Tags : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.320 , suse/sle-micro/5.2/toolbox:latest Container Release : 6.2.320 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4535-1 Released: Thu Nov 23 08:17:40 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libzypp-17.31.22-150200.78.1 updated - zypper-1.14.66-150200.65.1 updated - container:sles15-image-15.0.0-17.20.216 updated From 
sle-container-updates at lists.suse.com Fri Nov 24 15:55:59 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:55:59 +0100 (CET) Subject: SUSE-CU-2023:3891-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20231124155559.9F47AFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3891-1 Container Tags : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.261 , suse/sle-micro/5.3/toolbox:latest Container Release : 5.2.261 Severity : moderate Type : security References : 1041742 1203760 1212422 1215979 1216091 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 
1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:56:26 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:56:26 +0100 (CET) Subject: SUSE-CU-2023:3892-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20231124155626.7CDFBFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3892-1 Container Tags : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.158 , suse/sle-micro/5.4/toolbox:latest Container Release : 4.2.158 Severity : moderate Type : security References : 1041742 1203760 1212422 1215979 1216091 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:57:05 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:57:05 +0100 (CET) Subject: SUSE-CU-2023:3893-1: Security update of suse/postgres Message-ID: <20231124155705.80CA1FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/postgres ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3893-1 Container Tags : suse/postgres:14 , suse/postgres:14-24.16 , suse/postgres:14.10 , suse/postgres:14.10-24.16 Container Release : 24.16 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/postgres was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - container:sles15-image-15.0.0-27.14.122 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:57:37 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:57:37 +0100 (CET) Subject: SUSE-CU-2023:3896-1: Recommended update of suse/manager/4.3/proxy-httpd Message-ID: <20231124155737.627FBFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3896-1 Container Tags : suse/manager/4.3/proxy-httpd:4.3.9 , suse/manager/4.3/proxy-httpd:4.3.9.9.40.13 , suse/manager/4.3/proxy-httpd:latest , suse/manager/4.3/proxy-httpd:susemanager-4.3.9 , suse/manager/4.3/proxy-httpd:susemanager-4.3.9.9.40.13 Container Release : 9.40.13 Severity : moderate Type : recommended References : 1041742 1203760 1212422 1215979 1216091 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-httpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:57:43 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:57:43 +0100 (CET) Subject: SUSE-CU-2023:3897-1: Security update of suse/manager/4.3/proxy-salt-broker Message-ID: <20231124155743.D0A20FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-salt-broker ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3897-1 Container Tags : suse/manager/4.3/proxy-salt-broker:4.3.9 , suse/manager/4.3/proxy-salt-broker:4.3.9.9.30.13 , suse/manager/4.3/proxy-salt-broker:latest , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9 , suse/manager/4.3/proxy-salt-broker:susemanager-4.3.9.9.30.13 Container Release : 9.30.13 Severity : moderate Type : security References : 1041742 1203760 1212422 1215979 1216091 1216129 CVE-2023-45322 
----------------------------------------------------------------- The container suse/manager/4.3/proxy-salt-broker was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated - libzypp-17.31.22-150400.3.43.1 updated - zypper-1.14.66-150400.3.35.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:57:52 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:57:52 +0100 (CET) Subject: SUSE-CU-2023:3898-1: Security update of suse/manager/4.3/proxy-squid Message-ID: <20231124155752.1421BFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-squid ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3898-1 Container Tags : suse/manager/4.3/proxy-squid:4.3.9 , suse/manager/4.3/proxy-squid:4.3.9.9.39.10 , suse/manager/4.3/proxy-squid:latest , suse/manager/4.3/proxy-squid:susemanager-4.3.9 , suse/manager/4.3/proxy-squid:susemanager-4.3.9.9.39.10 Container Release : 9.39.10 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-squid was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated From sle-container-updates at lists.suse.com Fri Nov 24 15:57:58 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Fri, 24 Nov 2023 16:57:58 +0100 (CET) Subject: SUSE-CU-2023:3899-1: Security update of suse/manager/4.3/proxy-tftpd Message-ID: <20231124155758.5A52CFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3899-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.11 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.11 Container Release : 9.30.11 Severity : moderate Type : security References : 1216129 CVE-2023-45322 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). 
The following package changes have been done: - libxml2-2-2.9.14-150400.5.25.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 08:03:47 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 09:03:47 +0100 (CET) Subject: SUSE-CU-2023:3902-1: Security update of suse/sle-micro/5.3/toolbox Message-ID: <20231128080347.6E89FFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.3/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3902-1 Container Tags : suse/sle-micro/5.3/toolbox:12.1 , suse/sle-micro/5.3/toolbox:12.1-5.2.262 , suse/sle-micro/5.3/toolbox:latest Container Release : 5.2.262 Severity : important Type : security References : 1215940 1216001 1216167 1216696 CVE-2023-46246 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 ----------------------------------------------------------------- The container suse/sle-micro/5.3/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4587-1 Released: Mon Nov 27 14:25:52 2023 Summary: Security update for vim Type: security Severity: important References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 This update for vim fixes the following issues: - CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) - CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001) - CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167) - CVE-2023-46246: Integer Overflow in :history command (bsc#1216696) The following package changes have been done: - vim-data-common-9.0.2103-150000.5.57.1 updated - vim-9.0.2103-150000.5.57.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 08:04:56 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 09:04:56 +0100 (CET) Subject: SUSE-CU-2023:3904-1: Security update of suse/sle-micro/5.4/toolbox Message-ID: <20231128080456.A275BFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.4/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3904-1 Container Tags : suse/sle-micro/5.4/toolbox:12.1 , suse/sle-micro/5.4/toolbox:12.1-4.2.160 , suse/sle-micro/5.4/toolbox:latest Container Release : 4.2.160 Severity : important Type : security References : 1215940 1216001 1216167 1216696 CVE-2023-46246 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 ----------------------------------------------------------------- The container suse/sle-micro/5.4/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4587-1 Released: Mon Nov 27 14:25:52 2023 Summary: Security update for vim Type: security Severity: important References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 This update for vim fixes the following issues: - CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) - CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001) - CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167) - CVE-2023-46246: Integer Overflow in :history command (bsc#1216696) The following package changes have been done: - vim-data-common-9.0.2103-150000.5.57.1 updated - vim-9.0.2103-150000.5.57.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 08:07:47 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 09:07:47 +0100 (CET) Subject: SUSE-CU-2023:3910-1: Recommended update of suse/manager/4.3/proxy-tftpd Message-ID: <20231128080747.A65C1FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/manager/4.3/proxy-tftpd ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3910-1 Container Tags : suse/manager/4.3/proxy-tftpd:4.3.9 , suse/manager/4.3/proxy-tftpd:4.3.9.9.30.13 , suse/manager/4.3/proxy-tftpd:latest , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9 , suse/manager/4.3/proxy-tftpd:susemanager-4.3.9.9.30.13 Container Release : 9.30.13 Severity : moderate Type : recommended References : 1111622 1170175 1176785 1184753 1199282 ----------------------------------------------------------------- The container suse/manager/4.3/proxy-tftpd was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:4583-1 Released: Mon Nov 27 10:16:11 2023 Summary: Feature update for python-psutil Type: feature Severity: moderate References: 1111622,1170175,1176785,1184753,1199282 This update for python-psutil, python-requests fixes the following issues: - update python-psutil to 5.9.1 (bsc#1199282, bsc#1184753, jsc#SLE-24629, jsc#PM-3243, gh#giampaolo/psutil#2043) - Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later. - remove the dependency on net-tools, since it conflicts with busybox-hostname which is default on MicroOS - Update python-requests to 2.25.1 (bsc#1176785, bsc#1170175, jsc#ECO-3105, jsc#PM-2352, jsc#PED-7192) - Fixed bug with unintended Authorization header stripping for redirects using default ports (bsc#1111622). The following package changes have been done: - python3-requests-2.25.1-150300.3.6.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 08:08:15 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 09:08:15 +0100 (CET) Subject: SUSE-CU-2023:3911-1: Security update of suse/sle-micro/5.1/toolbox Message-ID: <20231128080815.C8F3BFBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.1/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3911-1 Container Tags : suse/sle-micro/5.1/toolbox:12.1 , suse/sle-micro/5.1/toolbox:12.1-2.2.499 , suse/sle-micro/5.1/toolbox:latest Container Release : 2.2.499 Severity : important Type : security References : 1215940 1216001 1216167 1216696 CVE-2023-46246 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 ----------------------------------------------------------------- The container suse/sle-micro/5.1/toolbox
was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4587-1 Released: Mon Nov 27 14:25:52 2023 Summary: Security update for vim Type: security Severity: important References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 This update for vim fixes the following issues: - CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) - CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001) - CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167) - CVE-2023-46246: Integer Overflow in :history command (bsc#1216696) The following package changes have been done: - vim-data-common-9.0.2103-150000.5.57.1 updated - vim-9.0.2103-150000.5.57.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 08:09:56 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 09:09:56 +0100 (CET) Subject: SUSE-CU-2023:3913-1: Security update of suse/sle-micro/5.2/toolbox Message-ID: <20231128080956.254F0FBA9@maintenance.suse.de> SUSE Container Update Advisory: suse/sle-micro/5.2/toolbox ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3913-1 Container Tags : suse/sle-micro/5.2/toolbox:12.1 , suse/sle-micro/5.2/toolbox:12.1-6.2.321 , suse/sle-micro/5.2/toolbox:latest Container Release : 6.2.321 Severity : important Type : security References : 1215940 1216001 1216167 1216696 CVE-2023-46246 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 ----------------------------------------------------------------- The container suse/sle-micro/5.2/toolbox was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4587-1 Released: Mon Nov 27 14:25:52 2023 Summary: Security update for vim Type: security Severity: important References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535 This update for vim fixes the following issues: - CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940) - CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001) - CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167) - CVE-2023-46246: Integer Overflow in :history command (bsc#1216696) The following package changes have been done: - vim-data-common-9.0.2103-150000.5.57.1 updated - vim-9.0.2103-150000.5.57.1 updated From sle-container-updates at lists.suse.com Tue Nov 28 13:35:38 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Tue, 28 Nov 2023 14:35:38 +0100 (CET) Subject: SUSE-IU-2023:843-1: Security update of sles-15-sp4-chost-byos-v20231127-arm64 Message-ID: <20231128133538.104A2FBA9@maintenance.suse.de> SUSE Image Update Advisory: sles-15-sp4-chost-byos-v20231127-arm64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:843-1 Image Tags : sles-15-sp4-chost-byos-v20231127-arm64:20231127 Image Release : Severity : important Type : security References : 1027519 1041742 1111622 1170175 1176785 1184753 1196647 1199282 1203760 1206480 1206667 1206684 1208788 1209998 1210286 1210557 1210778 1211307 1211427 1212101 1212422 1212423 1212649 1213705 1213772 1213915 1214052 1214460 1214842 1215095 1215104 1215145 1215265 1215427 1215474 1215518 1215746 1215747 1215748 1215940 1215947 1215955 1215956 1215957 1215979 1215986 1216001 1216010 1216062 1216075 1216091 1216129 1216167 1216253 1216345 1216377 1216419 1216510 1216511 1216512 1216541 1216621 1216654 1216664 1216696 
1216807 1216922 CVE-2022-40897 CVE-2023-20588 CVE-2023-2163 CVE-2023-31085 CVE-2023-34322 CVE-2023-34324 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-3777 CVE-2023-38470 CVE-2023-38473 CVE-2023-39189 CVE-2023-39193 CVE-2023-4039 CVE-2023-45322 CVE-2023-45803 CVE-2023-46246 CVE-2023-46835 CVE-2023-46836 CVE-2023-5178 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 CVE-2023-5678 ----------------------------------------------------------------- The container sles-15-sp4-chost-byos-v20231127-arm64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4268-1 Released: Mon Oct 30 16:51:57 2023 Summary: Recommended update for pciutils Type: recommended Severity: important References: 1215265 This update for pciutils fixes the following issues: - Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4310-1 Released: Tue Oct 31 14:10:47 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1196647 This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467) * binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage Update to 1.3.3: * Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch * _rpc_dtablesize: use portable system call * libtirpc: Fix use-after-free accessing the error 
number * Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch * rpcb_clnt.c add mechanism to try v2 protocol first - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch * Eliminate deadlocks in connects with an MT environment * clnt_dg_freeres() uncleared set active state may deadlock * thread safe clnt destruction * SUNRPC: mutexed access blacklist_read state variable * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c Update to 1.3.2: * Replace the final SunRPC licenses with BSD licenses * blacklist: Add a few more well known ports * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS Update to 1.3.1: * Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors. * svc_dg: Free xp_netid during destroy * Fix memory management issues of fd locks * libtirpc: replace array with list for per-fd locks * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf * __rpc_dtbsize: rlim_cur instead of rlim_max * pkg-config: use the correct replacements for libdir/includedir ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4378-1 Released: Mon Nov 6 14:54:59 2023 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1208788,1210778,1211307,1212423,1212649,1213705,1213772,1214842,1215095,1215104,1215518,1215955,1215956,1215957,1215986,1216062,1216345,1216510,1216511,1216512,1216621,CVE-2023-2163,CVE-2023-31085,CVE-2023-34324,CVE-2023-3777,CVE-2023-39189,CVE-2023-39193,CVE-2023-5178 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed: - CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518) - CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745). - CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046) - CVE-2023-5178: Fixed an UAF in queue initialization setup. (bsc#1215768) - CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778) - CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860). - CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095) The following non-security bugs were fixed: - 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes). - ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes). - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes). - ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes). - ALSA: hda/realtek: Change model for Intel RVP board (git-fixes). - ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes). - ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git-fixes). - ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes). - ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes). - ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes). - ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes). - ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes). - ata: libata-core: Do not register PM operations for SAS ports (git-fixes). - ata: libata-core: Fix ata_port_request_pm() locking (git-fixes). - ata: libata-core: Fix port and device removal (git-fixes). - ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes). - ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes). - blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062). - blk-cgroup: support to track if policy is online (bsc#1216062). - Bluetooth: avoid memcmp() out of bounds warning (git-fixes). - Bluetooth: Avoid redundant authentication (git-fixes). - Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes). - Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes). - Bluetooth: hci_event: Fix coding style (git-fixes). - Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes). - Bluetooth: hci_event: Ignore NULL link key (git-fixes). - Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes). - Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes). - Bluetooth: Reject connection with the device which has same BD_ADDR (git-fixes). - Bluetooth: vhci: Fix race when opening vhci device (git-fixes). - bpf: propagate precision in ALU/ALU64 operations (git-fixes). - bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes). - bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git-fixes). - cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307). - cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955). - clk: tegra: fix error return case for recalc_rate (git-fixes). - counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git-fixes). - crypto: qat - add fw_counters debugfs file (PED-6401). - crypto: qat - add heartbeat counters check (PED-6401). 
- crypto: qat - add heartbeat feature (PED-6401). - crypto: qat - add internal timer for qat 4xxx (PED-6401). - crypto: qat - add measure clock frequency (PED-6401). - crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401). - crypto: qat - add qat_zlib_deflate (PED-6401). - crypto: qat - add support for 402xx devices (PED-6401). - crypto: qat - change value of default idle filter (PED-6401). - crypto: qat - delay sysfs initialization (PED-6401). - crypto: qat - do not export adf_init_admin_pm() (PED-6401). - crypto: qat - drop log level of msg in get_instance_node() (PED-6401). - crypto: qat - drop obsolete heartbeat interface (PED-6401). - crypto: qat - drop redundant adf_enable_aer() (PED-6401). - crypto: qat - expose pm_idle_enabled through sysfs (PED-6401). - crypto: qat - extend buffer list logic interface (PED-6401). - crypto: qat - extend configuration for 4xxx (PED-6401). - crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401). - crypto: qat - fix concurrency issue when device state changes (PED-6401). - crypto: qat - fix crypto capability detection for 4xxx (PED-6401). - crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401). - crypto: qat - Include algapi.h for low-level Crypto API (PED-6401). - crypto: qat - make fw images name constant (PED-6401). - crypto: qat - make state machine functions static (PED-6401). - crypto: qat - move dbgfs init to separate file (PED-6401). - crypto: qat - move returns to default case (PED-6401). - crypto: qat - refactor device restart logic (PED-6401). - crypto: qat - refactor fw config logic for 4xxx (PED-6401). - crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401). - crypto: qat - Remove unused function declarations (PED-6401). - crypto: qat - replace state machine calls (PED-6401). - crypto: qat - replace the if statement with min() (PED-6401). - crypto: qat - set deprecated capabilities as reserved (PED-6401). 
- crypto: qat - unmap buffer before free for DH (PED-6401). - crypto: qat - unmap buffers before free for RSA (PED-6401). - crypto: qat - update slice mask for 4xxx devices (PED-6401). - crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401). - dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git-fixes). - dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes). - dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes). - Documentation: qat: change kernel version (PED-6401). - Documentation: qat: rewrite description (PED-6401). - Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git-fixes). - Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git-fixes). - drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes). - drm/amd/display: Do not check registers, if using AUX BL control (git-fixes). - drm/amd/display: Do not set dpms_off for seamless boot (git-fixes). - drm/amdgpu: add missing NULL check (git-fixes). - drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes). - drm/i915: Retry gtt fault when out of fence registers (git-fixes). - drm/msm/dp: do not reinitialize phy unless retry during link training (git-fixes). - drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git-fixes). - drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes). - drm/msm/dsi: skip the wait for video mode done if not applicable (git-fixes). - drm/vmwgfx: fix typo of sizeof argument (git-fixes). - firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes). - firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes). - gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git-fixes). - gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes). - gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes). 
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes). - gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes). - gpio: vf610: set value before the direction to avoid a glitch (git-fixes). - gve: Do not fully free QPL pages on prefill errors (git-fixes). - HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git-fixes). - HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes). - HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git-fixes). - HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes). - HID: sony: Fix a potential memory leak in sony_probe() (git-fixes). - HID: sony: remove duplicate NULL check before calling usb_free_urb() (git-fixes). - i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes). - i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git-fixes). - i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git-fixes). - i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes). - i2c: mux: gpio: Replace custom acpi_get_local_address() (git-fixes). - i2c: npcm7xx: Fix callback completion ordering (git-fixes). - IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes) - ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes). - iio: pressure: bmp280: Fix NULL pointer exception (git-fixes). - iio: pressure: dps310: Adjust Timeout Settings (git-fixes). - iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes). - Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes). - Input: powermate - fix use-after-free in powermate_config_complete (git-fixes). - Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes). - Input: xpad - add PXN V900 support (git-fixes). - iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423). - iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423). - kabi: blkcg_policy_data fix KABI (bsc#1216062). - kabi: workaround for enum nft_trans_phase (bsc#1215104). - kprobes: Prohibit probing on CFI preamble symbol (git-fixes). - KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512). - KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git-fixes). - KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772). - KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes). - KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772). - KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772). - KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772). - KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). - KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes). - leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes). - mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705). - mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes). - mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes). - mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes). - mtd: physmap-core: Restore map_rom fallback (git-fixes). - mtd: rawnand: arasan: Ensure program page operations are successful (git-fixes). - mtd: rawnand: marvell: Ensure program page operations are successful (git-fixes). - mtd: rawnand: pl353: Ensure program page operations are successful (git-fixes). - mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes). - mtd: spinand: micron: correct bitmask for ecc status (git-fixes). - net: mana: Fix oversized sge0 for GSO packets (bsc#1215986). - net: mana: Fix TX CQE error handling (bsc#1215986). 
- net: nfc: llcp: Add lock when modifying device list (git-fixes). - net: rfkill: gpio: prevent value glitch during probe (git-fixes). - net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345). - net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345). - net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git-fixes). - net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes). - net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes). - net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes). - net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git-fixes). - netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes). - netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes). - nfc: nci: assert requested protocol is valid (git-fixes). - nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git-fixes). - nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes). - nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842). - phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes). - phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes). - phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes). - pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes). - pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes). - platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes). - platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes). - platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git-fixes). - platform/x86: think-lmi: Fix reference leak (git-fixes). - platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes). 
- power: supply: ucs1002: fix error code in ucs1002_get_property() (git-fixes). - r8152: check budget for r8152_poll() (git-fixes). - RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes) - RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes) - RDMA/core: Require admin capabilities to set system parameters (git-fixes) - RDMA/cxgb4: Check skb value for failure to allocate (git-fixes) - RDMA/mlx5: Fix NULL string error (git-fixes) - RDMA/siw: Fix connection failure handling (git-fixes) - RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes) - RDMA/uverbs: Fix typo of sizeof argument (git-fixes) - regmap: fix NULL deref on lookup (git-fixes). - regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes). - ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes). - ring-buffer: Do not attempt to read past 'commit' (git-fixes). - ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes). - ring-buffer: Update 'shortest_full' in polling (git-fixes). - s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957). - s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510). - s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511). - sched/cpuset: Bring back cpuset_mutex (bsc#1215955). - sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)). - sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)). - sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)). - serial: 8250_port: Check IRQ data before use (git-fixes). - soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git-fixes). - spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes). - spi: stm32: add a delay before SPI disable (git-fixes). - spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes). 
- spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes). - thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git-fixes). - thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes). - tracing: Have current_trace inc the trace array ref count (git-fixes). - tracing: Have event inject files inc the trace array ref count (git-fixes). - tracing: Have option files inc the trace array ref count (git-fixes). - tracing: Have tracing_max_latency inc the trace array ref count (git-fixes). - tracing: Increase trace array ref count on enable and filter files (git-fixes). - tracing: Make trace_marker{,_raw} stream-like (git-fixes). - usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes). - usb: dwc3: Soft reset phy on probe for host (git-fixes). - usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git-fixes). - usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes). - usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes). - usb: musb: Modify the 'HWVers' register address (git-fixes). - usb: serial: option: add entry for Sierra EM9191 with new firmware (git-fixes). - usb: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes). - usb: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes). - usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git-fixes). - usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes). - vmbus_testing: fix wrong python syntax for integer value comparison (git-fixes). - vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes). - watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes). - watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes). - wifi: cfg80211: avoid leaking stack data into trace (git-fixes). - wifi: cfg80211: Fix 6GHz scan configuration (git-fixes). 
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes). - wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes). - wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes). - wifi: mac80211: allow transmitting EAPOL frames with tainted key (git-fixes). - wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes). - wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git-fixes). - wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes). - wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes). - x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772). - x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772). - x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772). - x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772). - x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772). - x86/cpu: Support AMD Automatic IBRS (bsc#1213772). - x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649). - x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649). - x86/sev: Disable MMIO emulation from user mode (bsc#1212649). - xen-netback: use default TX queue size for vifs (git-fixes). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4450-1 Released: Wed Nov 15 10:55:20 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: moderate References: 1209998 This update for crypto-policies fixes the following issues: - Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041) - Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems - Ship the man pages for fips-mode-setup and fips-finish-install - Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4453-1 Released: Wed Nov 15 14:24:58 2023 Summary: Recommended update for libjansson Type: recommended Severity: moderate References: 1216541 This update for libjansson ships the missing 32bit library to the Basesystem module of 15 SP5. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039 This update for gcc13 fixes the following issues: This update ship the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories. To use gcc13 compilers use: - install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages. 
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. 
[bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4460-1 Released: Thu Nov 16 15:00:20 2023 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1210286 This update for rsyslog fixes the following issue: - fix rsyslog crash in imrelp (bsc#1210286) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4467-1 Released: Thu Nov 16 17:57:51 2023 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1216377,CVE-2023-45803 This update for python-urllib3 fixes the following issues: - CVE-2023-45803: Fix a request body leak that could occur when receiving a 303 HTTP response (bsc#1216377). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4476-1 Released: Fri Nov 17 08:05:43 2023 Summary: Security update for xen Type: security Severity: important References: 1027519,1215145,1215474,1215746,1215747,1215748,1216654,1216807,CVE-2023-20588,CVE-2023-34322,CVE-2023-34325,CVE-2023-34326,CVE-2023-34327,CVE-2023-34328,CVE-2023-46835,CVE-2023-46836 This update for xen fixes the following issues: - CVE-2023-20588: AMD CPU transitional execution leak via division by zero (XSA-439) (bsc#1215474). - CVE-2023-34322: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) (bsc#1215145). - CVE-2023-34325: Multiple vulnerabilities in libfsimage disk handling (XSA-443) (bsc#1215747). - CVE-2023-34326: x86/AMD: missing IOMMU TLB flushing (XSA-442) (bsc#1215746). - CVE-2023-34327,CVE-2023-34328: x86/AMD: Debug Mask handling (XSA-444) (bsc#1215748). - CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654). - CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807). 
- Upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4477-1 Released: Fri Nov 17 10:21:21 2023 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1216010,1216075,1216253 This update for grub2 fixes the following issues: - Fix failure to identify recent ext4 filesystem (bsc#1216010) - Fix reading files from btrfs with 'implicit' holes - Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253) - Fix detection of encrypted disk's uuid in powerpc (bsc#1216075) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4503-1 Released: Tue Nov 21 13:25:12 2023 Summary: Security update for avahi Type: security Severity: moderate References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473 This update for avahi fixes the following issues: - CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947). - CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4517-1 Released: Tue Nov 21 17:30:27 2023 Summary: Security update for python3-setuptools Type: security Severity: moderate References: 1206667,CVE-2022-40897 This update for python3-setuptools fixes the following issues: - CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4534-1
Released: Thu Nov 23 08:13:57 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1041742,1203760,1212422,1215979,1216091

This update for libzypp, zypper fixes the following issues:

- Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- Fix comment typo on zypp.conf (bsc#1215979)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
- Make sure the old target is deleted before a new one is created (bsc#1203760)
- Return 104 also if info suggests near matches
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released: Thu Nov 23 09:34:08 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:4583-1
Released: Mon Nov 27 10:16:11 2023
Summary: Feature update for python-psutil
Type: feature
Severity: moderate
References: 1111622,1170175,1176785,1184753,1199282

This update for python-psutil, python-requests fixes the following issues:

- update python-psutil to 5.9.1 (bsc#1199282, bsc#1184753, jsc#SLE-24629, jsc#PM-3243, gh#giampaolo/psutil#2043)
- Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later.
- remove the dependency on net-tools, since it conflicts with busybox-hostname which is default on MicroOS
- Update python-requests to 2.25.1 (bsc#1176785, bsc#1170175, jsc#ECO-3105, jsc#PM-2352, jsc#PED-7192)
- Fixed bug with unintended Authorization header stripping for redirects using default ports (bsc#1111622).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4587-1
Released: Mon Nov 27 14:25:52 2023
Summary: Security update for vim
Type: security
Severity: important
References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535

This update for vim fixes the following issues:

- CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940)
- CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001)
- CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167)
- CVE-2023-46246: Integer Overflow in :history command (bsc#1216696)

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- grub2-i386-pc-2.06-150400.11.41.1 updated
- grub2-x86_64-efi-2.06-150400.11.41.1 updated
- grub2-2.06-150400.11.41.1 updated
- kernel-default-5.14.21-150400.24.97.1 updated
- libavahi-client3-0.8-150400.7.10.1 updated
- libavahi-common3-0.8-150400.7.10.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libjansson4-2.14-150000.3.5.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libpci3-3.5.6-150300.13.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libzypp-17.31.22-150400.3.43.1 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- pciutils-3.5.6-150300.13.6.1 updated
- python-instance-billing-flavor-check-0.0.4-150400.1.1 updated
- python3-requests-2.25.1-150300.3.6.1 updated
- python3-setuptools-44.1.1-150400.9.6.1 updated
- python3-urllib3-1.25.10-150300.4.9.1 updated
- rsyslog-module-relp-8.2306.0-150400.5.21.1 updated
- rsyslog-8.2306.0-150400.5.21.1 updated
- vim-data-common-9.0.2103-150000.5.57.1 updated
- vim-9.0.2103-150000.5.57.1 updated
- xen-libs-4.16.5_08-150400.4.40.1 updated
- zypper-1.14.66-150400.3.35.1 updated

From sle-container-updates at lists.suse.com Wed Nov 29 08:01:07 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 29 Nov 2023 09:01:07 +0100 (CET)
Subject: SUSE-IU-2023:846-1: Security update of suse-sles-15-sp4-chost-byos-v20231127-x86_64-gen2
Message-ID: <20231129080107.6F1D6FBA9@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20231127-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:846-1
Image Tags : suse-sles-15-sp4-chost-byos-v20231127-x86_64-gen2:20231127
Image Release :
Severity : important
Type : security
References : 1027519 1041742 1111622 1170175 1176785 1184753 1196647 1199282 1203760 1206480 1206667 1206684 1208788 1209998 1210286 1210557 1210778 1211307 1211427 1212101 1212422 1212423 1212649 1213705 1213772 1213915 1214052 1214460 1214842 1215095 1215104 1215145 1215265 1215427 1215474 1215518 1215746 1215747 1215748 1215940 1215947 1215955 1215956 1215957 1215979 1215986 1216001 1216010 1216062 1216075 1216091 1216129 1216167 1216253 1216345 1216377 1216419 1216510 1216511 1216512 1216541 1216621 1216654 1216664 1216696 1216807 1216922 CVE-2022-40897 CVE-2023-20588 CVE-2023-2163 CVE-2023-31085 CVE-2023-34322 CVE-2023-34324 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-3777 CVE-2023-38470 CVE-2023-38473 CVE-2023-39189 CVE-2023-39193 CVE-2023-4039 CVE-2023-45322 CVE-2023-45803 CVE-2023-46246 CVE-2023-46835 CVE-2023-46836 CVE-2023-5178 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 CVE-2023-5678
-----------------------------------------------------------------

The container suse-sles-15-sp4-chost-byos-v20231127-x86_64-gen2
was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4268-1
Released: Mon Oct 30 16:51:57 2023
Summary: Recommended update for pciutils
Type: recommended
Severity: important
References: 1215265

This update for pciutils fixes the following issues:

- Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This update for libtirpc to 1.3.4 fixes the following issues:

Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:
* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:
* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:
* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4378-1
Released: Mon Nov 6 14:54:59 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1208788,1210778,1211307,1212423,1212649,1213705,1213772,1214842,1215095,1215104,1215518,1215955,1215956,1215957,1215986,1216062,1216345,1216510,1216511,1216512,1216621,CVE-2023-2163,CVE-2023-31085,CVE-2023-34324,CVE-2023-3777,CVE-2023-39189,CVE-2023-39193,CVE-2023-5178

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518)
- CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745).
- CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046)
- CVE-2023-5178: Fixed a UAF in queue initialization setup.
  (bsc#1215768)
- CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778)
- CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
- CVE-2023-3777: Fixed a use-after-free vulnerability in the netfilter: nf_tables component that can be exploited to achieve local privilege escalation. (bsc#1215095)

The following non-security bugs were fixed:

- 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes).
- ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes).
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062).
- blk-cgroup: support to track if policy is online (bsc#1216062).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes).
- Bluetooth: Reject connection with the device which has same BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git-fixes).
- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git-fixes).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node() (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401).
- crypto: qat - fix concurrency issue when device state changes (PED-6401).
- crypto: qat - fix crypto capability detection for 4xxx (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - set deprecated capabilities as reserved (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401).
- dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes).
- Documentation: qat: change kernel version (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes).
- drm/amd/display: Do not check registers, if using AUX BL control (git-fixes).
- drm/amd/display: Do not set dpms_off for seamless boot (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link training (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes).
- firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes).
- gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe() (git-fixes).
- HID: sony: remove duplicate NULL check before calling usb_free_urb() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes).
- i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: gpio: Replace custom acpi_get_local_address() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes).
- Input: powermate - fix use-after-free in powermate_config_complete (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423).
- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512).
- KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git-fixes).
- KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772).
- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772).
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705).
- mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status (git-fixes).
- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: rfkill: gpio: prevent value glitch during probe (git-fixes).
- net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345).
- net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345).
- net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes).
- net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git-fixes).
- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes).
- netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git-fixes).
- nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes).
- nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842).
- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property() (git-fixes).
- r8152: check budget for r8152_poll() (git-fixes).
- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- RDMA/mlx5: Fix NULL string error (git-fixes)
- RDMA/siw: Fix connection failure handling (git-fixes)
- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- regmap: fix NULL deref on lookup (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes).
- ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes).
- ring-buffer: Do not attempt to read past 'commit' (git-fixes).
- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- ring-buffer: Update 'shortest_full' in polling (git-fixes).
- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957).
- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510).
- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)).
- sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes).
- tracing: Have current_trace inc the trace array ref count (git-fixes).
- tracing: Have event inject files inc the trace array ref count (git-fixes).
- tracing: Have option files inc the trace array ref count (git-fixes).
- tracing: Have tracing_max_latency inc the trace array ref count (git-fixes).
- tracing: Increase trace array ref count on enable and filter files (git-fixes).
- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes).
- usb: musb: Modify the 'HWVers' register address (git-fixes).
- usb: serial: option: add entry for Sierra EM9191 with new firmware (git-fixes).
- usb: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes).
- usb: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes).
- vmbus_testing: fix wrong python syntax for integer value comparison (git-fixes).
- vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted key (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes).
- wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes).
- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
- x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772).
- x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772).
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772).
- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649).
- x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649).
- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- xen-netback: use default TX queue size for vifs (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4453-1
Released: Wed Nov 15 14:24:58 2023
Summary: Recommended update for libjansson
Type: recommended
Severity: moderate
References: 1216541

This update for libjansson ships the missing 32bit library to the Basesystem module of 15 SP5.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.
  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4460-1
Released: Thu Nov 16 15:00:20 2023
Summary: Recommended update for rsyslog
Type: recommended
Severity: moderate
References: 1210286

This update for rsyslog fixes the following issue:

- fix rsyslog crash in imrelp (bsc#1210286)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4467-1
Released: Thu Nov 16 17:57:51 2023
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1216377,CVE-2023-45803

This update for python-urllib3 fixes the following issues:

- CVE-2023-45803: Fix a request body leak that could occur when receiving a 303 HTTP response (bsc#1216377).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4476-1
Released: Fri Nov 17 08:05:43 2023
Summary: Security update for xen
Type: security
Severity: important
References: 1027519,1215145,1215474,1215746,1215747,1215748,1216654,1216807,CVE-2023-20588,CVE-2023-34322,CVE-2023-34325,CVE-2023-34326,CVE-2023-34327,CVE-2023-34328,CVE-2023-46835,CVE-2023-46836

This update for xen fixes the following issues:

- CVE-2023-20588: AMD CPU transitional execution leak via division by zero (XSA-439) (bsc#1215474).
- CVE-2023-34322: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) (bsc#1215145).
- CVE-2023-34325: Multiple vulnerabilities in libfsimage disk handling (XSA-443) (bsc#1215747).
- CVE-2023-34326: x86/AMD: missing IOMMU TLB flushing (XSA-442) (bsc#1215746).
- CVE-2023-34327,CVE-2023-34328: x86/AMD: Debug Mask handling (XSA-444) (bsc#1215748).
- CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654).
- CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807).
- Upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4477-1
Released: Fri Nov 17 10:21:21 2023
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1216010,1216075,1216253

This update for grub2 fixes the following issues:

- Fix failure to identify recent ext4 filesystem (bsc#1216010)
- Fix reading files from btrfs with 'implicit' holes
- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
- Fix detection of encrypted disk's uuid in powerpc (bsc#1216075)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4503-1
Released: Tue Nov 21 13:25:12 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473

This update for avahi fixes the following issues:

- CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947).
- CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4517-1
Released: Tue Nov 21 17:30:27 2023
Summary: Security update for python3-setuptools
Type: security
Severity: moderate
References: 1206667,CVE-2022-40897

This update for python3-setuptools fixes the following issues:

- CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4524-1
Released: Tue Nov 21 17:51:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4534-1
Released: Thu Nov 23 08:13:57 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1041742,1203760,1212422,1215979,1216091

This update for libzypp, zypper fixes the following issues:

- Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- Fix comment typo on zypp.conf (bsc#1215979)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
- Make sure the old target is deleted before a new one is created (bsc#1203760)
- Return 104 also if info suggests near matches
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4537-1
Released: Thu Nov 23 09:34:08 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:4583-1
Released: Mon Nov 27 10:16:11 2023
Summary: Feature update for python-psutil
Type: feature
Severity: moderate
References: 1111622,1170175,1176785,1184753,1199282

This update for python-psutil, python-requests fixes the following issues:

- update python-psutil to 5.9.1 (bsc#1199282, bsc#1184753, jsc#SLE-24629, jsc#PM-3243, gh#giampaolo/psutil#2043)
- Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later.
- remove the dependency on net-tools, since it conflicts with busybox-hostname which is default on MicroOS
- Update python-requests to 2.25.1 (bsc#1176785, bsc#1170175, jsc#ECO-3105, jsc#PM-2352, jsc#PED-7192)
- Fixed bug with unintended Authorization header stripping for redirects using default ports (bsc#1111622).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4587-1
Released: Mon Nov 27 14:25:52 2023
Summary: Security update for vim
Type: security
Severity: important
References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535

This update for vim fixes the following issues:

- CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940)
- CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001)
- CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167)
- CVE-2023-46246: Integer Overflow in :history command (bsc#1216696)

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- grub2-i386-pc-2.06-150400.11.41.1 updated
- grub2-x86_64-efi-2.06-150400.11.41.1 updated
- grub2-2.06-150400.11.41.1 updated
- kernel-default-5.14.21-150400.24.97.1 updated
- libavahi-client3-0.8-150400.7.10.1 updated
- libavahi-common3-0.8-150400.7.10.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libjansson4-2.14-150000.3.5.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libpci3-3.5.6-150300.13.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libzypp-17.31.22-150400.3.43.1 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- pciutils-3.5.6-150300.13.6.1 updated
- python-instance-billing-flavor-check-0.0.4-150400.1.1 updated
- python3-requests-2.25.1-150300.3.6.1 updated
- python3-setuptools-44.1.1-150400.9.6.1 updated
- python3-urllib3-1.25.10-150300.4.9.1 updated
- rsyslog-module-relp-8.2306.0-150400.5.21.1 updated
- rsyslog-8.2306.0-150400.5.21.1 updated
- vim-data-common-9.0.2103-150000.5.57.1 updated
- vim-9.0.2103-150000.5.57.1 updated
- xen-libs-4.16.5_08-150400.4.40.1 updated
- zypper-1.14.66-150400.3.35.1 updated

From sle-container-updates at lists.suse.com Wed Nov 29 08:01:14 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 29 Nov 2023 09:01:14 +0100 (CET)
Subject: SUSE-IU-2023:847-1: Security update of suse-sles-15-sp4-chost-byos-v20231127-hvm-ssd-x86_64
Message-ID: <20231129080114.AC625FBA9@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20231127-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:847-1
Image Tags : suse-sles-15-sp4-chost-byos-v20231127-hvm-ssd-x86_64:20231127
Image Release :
Severity : important
Type : security
References : 1027519 1041742 1111622 1170175 1176785 1184753 1196647 1199282 1203760 1206480 1206667 1206684 1208788 1209998 1210286 1210557 1210778 1211307 1211427 1212101 1212422 1212423 1212649 1213705 1213772 1213915 1214052 1214460 1214842 1215095 1215104 1215145 1215265 1215427 1215474 1215518 1215746 1215747 1215748 1215940 1215947 1215955 1215956 1215957 1215979 1215986 1216001 1216010 1216062 1216075 1216091 1216129 1216167 1216253 1216345 1216377 1216419 1216510 1216511 1216512 1216541 1216621 1216654 1216664 1216696 1216807 1216922 CVE-2022-40897 CVE-2023-20588 CVE-2023-2163 CVE-2023-31085 CVE-2023-34322 CVE-2023-34324 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-3777 CVE-2023-38470 CVE-2023-38473 CVE-2023-39189 CVE-2023-39193 CVE-2023-4039 CVE-2023-45322 CVE-2023-45803 CVE-2023-46246 CVE-2023-46835 CVE-2023-46836 CVE-2023-5178 CVE-2023-5344 CVE-2023-5441 CVE-2023-5535 CVE-2023-5678
-----------------------------------------------------------------

The container
suse-sles-15-sp4-chost-byos-v20231127-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4268-1
Released: Mon Oct 30 16:51:57 2023
Summary: Recommended update for pciutils
Type: recommended
Severity: important
References: 1215265

This update for pciutils fixes the following issues:

- Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This update for libtirpc to 1.3.4 fixes the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of
  address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h
  The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4378-1
Released: Mon Nov 6 14:54:59 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1208788,1210778,1211307,1212423,1212649,1213705,1213772,1214842,1215095,1215104,1215518,1215955,1215956,1215957,1215986,1216062,1216345,1216510,1216511,1216512,1216621,CVE-2023-2163,CVE-2023-31085,CVE-2023-34324,CVE-2023-3777,CVE-2023-39189,CVE-2023-39193,CVE-2023-5178

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518)
- CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745).
- CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046)
- CVE-2023-5178: Fixed a UAF in queue initialization setup.
  (bsc#1215768)
- CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778)
- CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
- CVE-2023-3777: Fixed a use-after-free vulnerability in netfilter: nf_tables component can be exploited to achieve local privilege escalation. (bsc#1215095)

The following non-security bugs were fixed:

- 9p: virtio: make sure 'offs' is initialized in zc_request (git-fixes).
- ACPI: irq: Fix incorrect return value in acpi_register_gsi() (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES (git-fixes).
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (bsc#1216062).
- blk-cgroup: support to track if policy is online (bsc#1216062).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event (git-fixes).
- Bluetooth: Reject connection with the device which has same BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset() (git-fixes).
- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem (bsc#1215955).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK logic (git-fixes).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node() (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc service (PED-6401).
- crypto: qat - fix concurrency issue when device state changes (PED-6401).
- crypto: qat - fix crypto capability detection for 4xxx (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer' (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - set deprecated capabilities as reserved (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree() (PED-6401).
- dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq() (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer (git-fixes).
- Documentation: qat: change kernel version (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S (git-fixes).
- drm/amd/display: Do not check registers, if using AUX BL control (git-fixes).
- drm/amd/display: Do not set dpms_off for seamless boot (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link training (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- firmware: arm_ffa: Do not set the memory region attributes for MEM_LEND (git-fixes).
- firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels() (git-fixes).
- gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe() (git-fixes).
- HID: sony: remove duplicate NULL check before calling usb_free_urb() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path (git-fixes).
- i2c: mux: Avoid potential false error message in i2c_mux_add_adapter (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: gpio: Replace custom acpi_get_local_address() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case (git-fixes).
- Input: powermate - fix use-after-free in powermate_config_complete (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops callback (bsc#1212423).
- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- KVM: s390: fix gisa destroy operation might lead to cpu stalls (git-fixes bsc#1216512).
- KVM: SVM: Do not kill SEV guest if SMAP erratum triggers in usermode (git-fixes).
- KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772).
- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772).
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs is changed (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- mm, memcg: reconsider kmem.limit_in_bytes deprecation (bsc#1208788 bsc#1213705).
- mmc: core: Capture correct oemid-bits for eMMC cards (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are successful (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status (git-fixes).
- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: rfkill: gpio: prevent value glitch during probe (git-fixes).
- net: sched: add barrier to fix packet stuck problem for lockless qdisc (bsc#1216345).
- net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog (bsc#1216345).
- net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes).
- net/sched: fix netdevice reference leaks in attach_default_qdiscs() (git-fixes).
- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain (git-fixes).
- netfilter: nf_tables: unbind non-anonymous set if rule construction fails (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in send_acknowledge() (git-fixes).
- nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() (git-fixes).
- nvme-fc: Prevent null pointer dereference in nvme_fc_io_getuuid() (bsc#1214842).
- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl() (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- platform/surface: platform_profile: Propagate error if profile registration fails (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property() (git-fixes).
- r8152: check budget for r8152_poll() (git-fixes).
- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- RDMA/mlx5: Fix NULL string error (git-fixes)
- RDMA/siw: Fix connection failure handling (git-fixes)
- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- regmap: fix NULL deref on lookup (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when creating new node (git-fixes).
- ring-buffer: Avoid softlockup in ring_buffer_resize() (git-fixes).
- ring-buffer: Do not attempt to read past 'commit' (git-fixes).
- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- ring-buffer: Update 'shortest_full' in polling (git-fixes).
- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957).
- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes bsc#1216510).
- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- sched/deadline,rt: Remove unused parameter from pick_next_[rt|dl]_entity() (git fixes (sched)).
- sched/rt: Fix live lock between select_fallback_rq() and RT push (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes (sched)).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading registers (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge (git-fixes).
- tracing: Have current_trace inc the trace array ref count (git-fixes).
- tracing: Have event inject files inc the trace array ref count (git-fixes).
- tracing: Have option files inc the trace array ref count (git-fixes).
- tracing: Have tracing_max_latency inc the trace array ref count (git-fixes).
- tracing: Increase trace array ref count on enable and filter files (git-fixes).
- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback (git-fixes).
- usb: musb: Modify the 'HWVers' register address (git-fixes).
- usb: serial: option: add entry for Sierra EM9191 with new firmware (git-fixes).
- usb: serial: option: add Fibocom to DELL custom modem FM101R-GL (git-fixes).
- usb: serial: option: add Telit LE910C4-WWX 0x1035 composition (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer (git-fixes).
- vmbus_testing: fix wrong python syntax for integer value comparison (git-fixes).
- vringh: do not use vringh_kiov_advance() in vringh_iov_xfer() (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted key (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling (git-fixes).
- wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len (git-fixes).
- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
- x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772).
- x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772).
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772).
- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- x86/sev: Check for user-space IOIO pointing to kernel space (bsc#1212649).
- x86/sev: Check IOBM for IOIO exceptions from user-space (bsc#1212649).
- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- xen-netback: use default TX queue size for vifs (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4450-1
Released: Wed Nov 15 10:55:20 2023
Summary: Recommended update for crypto-policies
Type: recommended
Severity: moderate
References: 1209998

This update for crypto-policies fixes the following issues:

- Enable setting the kernel FIPS mode with the fips-mode-setup and fips-finish-install commands (jsc#PED-5041)
- Adapt fips-mode-setup to use the pbl command from the perl-Bootloader package instead of grubby and add a note for transactional systems
- Ship the man pages for fips-mode-setup and fips-finish-install
- Make the supported versions change in the update-crypto-policies(8) man page persistent (bsc#1209998)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4453-1
Released: Wed Nov 15 14:24:58 2023
Summary: Recommended update for libjansson
Type: recommended
Severity: moderate
References: 1216541

This update for libjansson ships the missing 32bit library to the Basesystem module of 15 SP5.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages. For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html Detailed changes: * CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052) - Work around third party app crash during C++ standard library initialization. [bsc#1216664] - Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427) - Bump included newlib to version 4.3.0. - Update to GCC trunk head (r13-5254-g05b9868b182bb9) - Redo floatn fixinclude pick-up to simply keep what is there. - Turn cross compiler to s390x to a glibc cross. [bsc#1214460] - Also handle -static-pie in the default-PIE specs - Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101] - Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427] - Add new x86-related intrinsics (amxcomplexintrin.h). - RISC-V: Add support for inlining subword atomic operations - Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver. - Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC. - Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing. - Bump included newlib to version 4.3.0. - Also package libhwasan_preinit.o on aarch64. - Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite. - Package libhwasan_preinit.o on x86_64. - Fixed unwinding on aarch64 with pointer signing. 
[bsc#1206684] - Enable PRU flavour for gcc13 - update floatn fixinclude pickup to check each header separately (bsc#1206480) - Redo floatn fixinclude pick-up to simply keep what is there. - Bump libgo SONAME to libgo22. - Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers. - Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15. - Depend on at least LLVM 13 for GCN cross compiler. - Update embedded newlib to version 4.2.0 - Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4460-1 Released: Thu Nov 16 15:00:20 2023 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1210286 This update for rsyslog fixes the following issue: - fix rsyslog crash in imrelp (bsc#1210286) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4467-1 Released: Thu Nov 16 17:57:51 2023 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1216377,CVE-2023-45803 This update for python-urllib3 fixes the following issues: - CVE-2023-45803: Fix a request body leak that could occur when receiving a 303 HTTP response (bsc#1216377). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4476-1 Released: Fri Nov 17 08:05:43 2023 Summary: Security update for xen Type: security Severity: important References: 1027519,1215145,1215474,1215746,1215747,1215748,1216654,1216807,CVE-2023-20588,CVE-2023-34322,CVE-2023-34325,CVE-2023-34326,CVE-2023-34327,CVE-2023-34328,CVE-2023-46835,CVE-2023-46836 This update for xen fixes the following issues: - CVE-2023-20588: AMD CPU transitional execution leak via division by zero (XSA-439) (bsc#1215474). - CVE-2023-34322: top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) (bsc#1215145). - CVE-2023-34325: Multiple vulnerabilities in libfsimage disk handling (XSA-443) (bsc#1215747). - CVE-2023-34326: x86/AMD: missing IOMMU TLB flushing (XSA-442) (bsc#1215746). - CVE-2023-34327,CVE-2023-34328: x86/AMD: Debug Mask handling (XSA-444) (bsc#1215748). - CVE-2023-46835: x86/AMD: mismatch in IOMMU quarantine page table levels (XSA-445) (bsc#1216654). - CVE-2023-46836: x86: BTC/SRSO fixes not fully effective (XSA-446) (bsc#1216807). 
- Upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4477-1 Released: Fri Nov 17 10:21:21 2023 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1216010,1216075,1216253 This update for grub2 fixes the following issues: - Fix failure to identify recent ext4 filesystem (bsc#1216010) - Fix reading files from btrfs with 'implicit' holes - Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253) - Fix detection of encrypted disk's uuid in powerpc (bsc#1216075) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4503-1 Released: Tue Nov 21 13:25:12 2023 Summary: Security update for avahi Type: security Severity: moderate References: 1215947,1216419,CVE-2023-38470,CVE-2023-38473 This update for avahi fixes the following issues: - CVE-2023-38470: Ensure each label is at least one byte long (bsc#1215947). - CVE-2023-38473: Fixed a reachable assertion when parsing a host name (bsc#1216419). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4517-1 Released: Tue Nov 21 17:30:27 2023 Summary: Security update for python3-setuptools Type: security Severity: moderate References: 1206667,CVE-2022-40897 This update for python3-setuptools fixes the following issues: - CVE-2022-40897: Fixed Regular Expression Denial of Service (ReDoS) in package_index.py (bsc#1206667). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4524-1 Released: Tue Nov 21 17:51:28 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1216922,CVE-2023-5678 This update for openssl-1_1 fixes the following issues: - CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:4534-1 Released: Thu Nov 23 08:13:57 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1041742,1203760,1212422,1215979,1216091 This update for libzypp, zypper fixes the following issues: - Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091) - Fix comment typo on zypp.conf (bsc#1215979) - Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742) - Make sure the old target is deleted before a new one is created (bsc#1203760) - Return 104 also if info suggests near matches - Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422) - commit: Insert a headline to separate output of different rpm scripts (bsc#1041742) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:4537-1 Released: Thu Nov 23 09:34:08 2023 Summary: Security update for libxml2 Type: security Severity: moderate References: 1216129,CVE-2023-45322 This update for libxml2 fixes the following issues: - CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:4583-1 Released: Mon Nov 27 10:16:11 2023 Summary: Feature update for python-psutil Type: feature Severity: moderate References: 1111622,1170175,1176785,1184753,1199282 This update for python-psutil, python-requests fixes the following issues: - update python-psutil to 5.9.1 (bsc#1199282, bsc#1184753, jsc#SLE-24629, jsc#PM-3243, gh#giampaolo/psutil#2043) - Fix tests: setuptools changed the builddir library path and does not find the module from it. Use the installed platlib instead and exclude psutil.tests only later. 
- remove the dependency on net-tools, since it conflicts with busybox-hostname which is default on MicroOS
- Update python-requests to 2.25.1 (bsc#1176785, bsc#1170175, jsc#ECO-3105, jsc#PM-2352, jsc#PED-7192)
- Fixed bug with unintended Authorization header stripping for redirects using default ports (bsc#1111622).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4587-1
Released: Mon Nov 27 14:25:52 2023
Summary: Security update for vim
Type: security
Severity: important
References: 1215940,1216001,1216167,1216696,CVE-2023-46246,CVE-2023-5344,CVE-2023-5441,CVE-2023-5535
This update for vim fixes the following issues:

- CVE-2023-5344: Heap-based Buffer Overflow in vim prior to 9.0.1969 (bsc#1215940)
- CVE-2023-5441: segfault in exmode when redrawing (bsc#1216001)
- CVE-2023-5535: use-after-free from buf_contents_changed() (bsc#1216167)
- CVE-2023-46246: Integer Overflow in :history command (bsc#1216696)

The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.3.6.1 updated
- grub2-i386-pc-2.06-150400.11.41.1 updated
- grub2-x86_64-efi-2.06-150400.11.41.1 updated
- grub2-x86_64-xen-2.06-150400.11.41.1 updated
- grub2-2.06-150400.11.41.1 updated
- kernel-default-5.14.21-150400.24.97.1 updated
- libavahi-client3-0.8-150400.7.10.1 updated
- libavahi-common3-0.8-150400.7.10.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libjansson4-2.14-150000.3.5.1 updated
- libopenssl1_1-1.1.1l-150400.7.60.2 updated
- libpci3-3.5.6-150300.13.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated
- libxml2-2-2.9.14-150400.5.25.1 updated
- libzypp-17.31.22-150400.3.43.1 updated
- openssl-1_1-1.1.1l-150400.7.60.2 updated
- pciutils-3.5.6-150300.13.6.1 updated
- python-instance-billing-flavor-check-0.0.4-150400.1.1 updated
- python3-requests-2.25.1-150300.3.6.1 updated
- python3-setuptools-44.1.1-150400.9.6.1
updated - python3-urllib3-1.25.10-150300.4.9.1 updated - rsyslog-module-relp-8.2306.0-150400.5.21.1 updated - rsyslog-8.2306.0-150400.5.21.1 updated - vim-data-common-9.0.2103-150000.5.57.1 updated - vim-9.0.2103-150000.5.57.1 updated - xen-libs-4.16.5_08-150400.4.40.1 updated - xen-tools-domU-4.16.5_08-150400.4.40.1 updated - zypper-1.14.66-150400.3.35.1 updated From sle-container-updates at lists.suse.com Wed Nov 29 15:11:50 2023 From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com) Date: Wed, 29 Nov 2023 15:11:50 -0000 Subject: SUSE-CU-2023:3915-1: Security update of caasp/v4/cilium Message-ID: <20231129151147.B86D3FBA9@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cilium ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:3915-1 Container Tags : caasp/v4/cilium:1.6.6 , caasp/v4/cilium:1.6.6-rev6 , caasp/v4/cilium:1.6.6-rev6-build3.17.1 Container Release : 3.17.1 Severity : critical Type : security References :
----------------------------------------------------------------- The container caasp/v4/cilium was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:337-1 Released: Fri Feb 4 10:24:28 2022 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1193007,1194597,1194898 This update for libzypp fixes the following issues: - RepoManager: remember execution errors in exception history (bsc#1193007) - Fix exception handling when reading or writing credentials (bsc#1194898) - Fix install path for parser (bsc#1194597) - Fix Legacy include (bsc#1194597) - Public header files on older distros must use c++11 (bsc#1194597) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:473-1 Released: Thu Feb 17 10:29:42 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1195326 This update for libzypp, zypper fixes the following issues: - Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:498-1 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Type: security Severity: important References: 1195054,1195217,CVE-2022-23852,CVE-2022-23990 This update for expat fixes the following issues: - CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054). - CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:511-1 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1082318,1189152 This update for coreutils fixes the following issues: - Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152). - Properly sort docs and license files (bsc#1082318). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:523-1 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1193759,1193841 This update for systemd fixes the following issues: - systemctl: exit with 1 if no unit files found (bsc#1193841). - add rules for virtual devices (bsc#1193759). - enforce 'none' for loop devices (bsc#1193759). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1187512 This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:702-1 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Type: security Severity: important References: 1196036,CVE-2022-24407 This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:713-1 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315 This update for expat fixes the following issues: - CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025). - CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026). - CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168). - CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169). - CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:787-1 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: This update for openldap2 fixes the following issue: - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate References: 1195654 This update for update-alternatives fixes the following issues: - Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. 
(bsc#1195654) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:823-1 Released: Mon Mar 14 15:16:37 2022 Summary: Security update for protobuf Type: security Severity: moderate References: 1195258,CVE-2021-22570 This update for protobuf fixes the following issues: - CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:832-1 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Type: security Severity: important References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 glibc was updated to fix the following issues: Security issues fixed: - CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770) - CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640) - CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) Also the following bug was fixed: - Fix pthread_rwlock_try*lock stalls (bsc#1195560) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important References: 1196025,1196784,CVE-2022-25236 This update for expat fixes the following issues: - Fixed a regression caused by the patch for 
CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released: Tue Mar 15 11:40:52 2022
Summary: Security update for chrony
Type: security
Severity: moderate
References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE server

- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements
  - Add support for Network Time Security (NTS) authentication
  - Add support for AES-CMAC keys (AES128, AES256) with Nettle
  - Add authselectmode directive to control selection of unauthenticated sources
  - Add binddevice, bindacqdevice, bindcmddevice directives
  - Add confdir directive to better support fragmented configuration
  - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files
  - Add clockprecision directive
  - Add dscp directive to set Differentiated Services Code Point (DSCP)
  - Add -L option to limit log messages by severity
  - Add -p option to print whole configuration with included files
  - Add -U option to allow start under non-root user
  - Allow maxsamples to be set to 1 for faster update with -q/-Q option
  - Avoid replacing NTP sources with sources that have unreachable address
  - Improve pools to repeat name resolution to get 'maxsources' sources
  - Improve source selection with trusted sources
  - Improve NTP loop test to prevent synchronisation to itself
  - Repeat iburst when NTP source is switched from offline state to online
  - Update clock synchronisation status and leap status more frequently
  - Update seccomp filter
  - Add 'add pool' command
  - Add 'reset sources' command to drop all measurements
  - Add authdata command to print details about NTP authentication
  - Add selectdata command to print details about source selection
  - Add -N option and sourcename command to print original names of sources
  - Add -a option to some commands to print also unresolved sources
  - Add -k, -p, -r options to clients command to select, limit, reset data
- Bug fixes
  - Don't set interface for NTP responses to allow asymmetric routing
  - Handle RTCs that don't support interrupts
  - Respond to command requests with correct address on multihomed hosts
- Removed features
  - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')
  - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

* Enhancements
  + Add filter option to server/pool/peer directive
  + Add minsamples and maxsamples options to hwtimestamp directive
  + Add support for faster frequency adjustments in Linux 4.19
  + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
  + Disable sub-second polling intervals for distant NTP sources
  + Extend range of supported sub-second polling intervals
  + Get/set IPv4 destination/source address of NTP packets on FreeBSD
  + Make burst options and command useful with short polling intervals
  + Modify auto_offline option to activate when sending request failed
  + Respond from interface that received NTP request if possible
  + Add onoffline command to switch between online and offline state according to current system network configuration
  + Improve example NetworkManager dispatcher script
* Bug fixes
  + Avoid waiting in Linux getrandom system call
  + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:
  + Add burst option to server/pool directive
  + Add stratum and tai options to refclock directive
  + Add support for Nettle crypto library
  + Add workaround for missing kernel receive timestamps on Linux
  + Wait for late hardware transmit timestamps
  + Improve source selection with unreachable sources
  + Improve protection against replay attacks on symmetric mode
  + Allow PHC refclock to use socket in /var/run/chrony
  + Add shutdown command to stop chronyd
  + Simplify format of response to manual list command
  + Improve handling of unknown responses in chronyc
* Bug fixes:
  + Respond to NTPv1 client requests with zero mode
  + Fix -x option to not require CAP_SYS_TIME under non-root user
  + Fix acquisitionport directive to work with privilege separation
  + Fix handling of socket errors on Linux to avoid high CPU usage
  + Fix chronyc to not get stuck in infinite loop after clock step

-----------------------------------------------------------------
Advisory ID:
SUSE-SU-2022:853-1 Released: Tue Mar 15 19:27:30 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1196877,CVE-2022-0778 This update for openssl-1_1 fixes the following issues: - CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1182959,1195149,1195792,1195856 This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:867-1 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1193805 This update for libtirpc fixes the following issues: - Fix memory leak in client protocol version 2 code (bsc#1193805) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:874-1 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1197004 This update for openldap2 fixes the following issue: - Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004) 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:936-1
Released: Tue Mar 22 18:10:17 2022
Summary: Recommended update for filesystem and systemd-rpm-macros
Type: recommended
Severity: moderate
References: 1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1021-1
Released: Tue Mar 29 13:24:21 2022
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1195899
This update for systemd fixes the following issues:

- allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1047-1
Released: Wed Mar 30 16:20:56 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1196093,1197024
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' where we don't free this variable. This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1061-1
Released: Wed Mar 30 18:27:06 2022
Summary: Security update for zlib
Type: security
Severity: important
References: 1197459,CVE-2018-25032
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1073-1
Released: Fri Apr 1 11:45:01 2022
Summary: Security update for yaml-cpp
Type: security
Severity: moderate
References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292
This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1099-1
Released: Mon Apr 4 12:53:05 2022
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1194883
This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interferes with UTF-8 multi byte characters as well as support the vi mode of readline library

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1109-1
Released: Mon Apr 4 17:50:01 2022
Summary: Recommended update for util-linux
Type: recommended
Severity: important
References: 1172427,1194642
This update for util-linux fixes the following issues:

- Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Warn if uuidd lock state is not usable. (bsc#1194642)
- Fix 'su -s' bash completion.
  (bsc#1172427)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1131-1
Released: Fri Apr 8 09:43:53 2022
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: important
References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134
This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv to 0.7.22:

- reworked choice rule generation to cover more use cases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
- support parsing of Debian's Multi-Arch indicator
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support querying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime

libzypp to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to release its loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1158-1
Released: Tue Apr 12 14:44:43 2022
Summary: Security update for xz
Type: security
Severity: important
References: 1198062,CVE-2022-1271
This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1250-1
Released: Sun Apr 17 15:39:47 2022
Summary: Security update for gzip
Type: security
Severity: important
References: 1177047,1180713,1198062,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

The following non-security bugs were fixed:

- Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1302-1
Released: Fri Apr 22 10:04:46 2022
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1196939
This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap.
  (bsc#1196939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1409-1
Released: Tue Apr 26 12:54:57 2022
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1195628,1196107
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstdc++6 package to keep those at the same version. [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop to Recommends.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1438-1
Released: Wed Apr 27 15:27:19 2022
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: low
References: 1195251
This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMWare by default (bsc#1195251)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1439-1
Released: Wed Apr 27 16:08:04 2022
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1198237
This update for binutils fixes the following issues:

- The official name IBM z16 for IBM zSeries arch14 is recognized.
  (bsc#1198237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1452-1
Released: Thu Apr 28 10:48:06 2022
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1193489
This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released: Fri May 13 15:36:10 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1197794
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1656-1
Released: Fri May 13 15:38:02 2022
Summary: Recommended update for llvm7
Type: recommended
Severity: moderate
References: 1197775
This update for llvm7 fixes the following issues:

- Backport fixes and changes from Factory. (bsc#1197775)
- Drop RUNPATH from packaged binaries, instead set LD_LIBRARY_PATH for building and testing to simulate behavior of actual package.
- Fix build with linux-glibc-devel 5.13.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released: Fri May 13 15:40:20 2022
Summary: Recommended update for libpsl
Type: recommended
Severity: important
References: 1197771
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1674-1
Released: Mon May 16 10:12:11 2022
Summary: Security update for gzip
Type: security
Severity: important
References: CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Add hardening for zgrep.
  (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released: Mon May 16 14:02:49 2022
Summary: Security update for e2fsprogs
Type: security
Severity: important
References: 1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1691-1
Released: Mon May 16 15:13:39 2022
Summary: Recommended update for augeas
Type: recommended
Severity: moderate
References: 1197443
This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1750-1
Released: Thu May 19 15:28:20 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1832-1
Released: Tue May 24 11:52:33 2022
Summary: Security update for openldap2
Type: security
Severity: important
References: 1191157,1197004,1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:

Security:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

Bugfixes:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures.
  openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1851-1
Released: Thu May 26 08:59:55 2022
Summary: Recommended update for gcc8
Type: recommended
Severity: moderate
References: 1197716
This update for gcc8 fixes the following issues:

- Fix build against SP4. (bsc#1197716)
- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1887-1
Released: Tue May 31 09:24:18 2022
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1040589
This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2019-1
Released: Wed Jun 8 16:50:07 2022
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1192951,1193659,1195283,1196861,1197065
This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64. [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines.
  [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build [bsc#1192951]
* Package mwaitintrin.h

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2049-1
Released: Mon Jun 13 09:23:52 2022
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1191908,1198422
This update for binutils fixes the following issues:

- Revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422]
- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2068-1
Released: Tue Jun 14 10:14:47 2022
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1185637,1199166,CVE-2022-1292
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2157-1
Released: Wed Jun 22 17:11:26 2022
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1198458
This update for binutils fixes the following issues:

- For building the shim 15.6~rc1 and later versions aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2179-1
Released: Fri Jun 24 14:05:25 2022
Summary: Security update for openssl
Type: security
Severity: moderate
References: 1200550,CVE-2022-2068
This update for openssl fixes the following issues:

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash.
  (bsc#1200550)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2311-1
Released: Wed Jul 6 15:16:17 2022
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1201099,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2323-1
Released: Thu Jul 7 12:16:58 2022
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: low
References:
This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2361-1
Released: Tue Jul 12 12:05:01 2022
Summary: Security update for pcre
Type: security
Severity: important
References: 1199232,CVE-2022-1586
This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue.
  (bsc#1199232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released: Fri Jul 15 11:47:57 2022
Summary: Security update for p11-kit
Type: security
Severity: moderate
References: 1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2471-1
Released: Thu Jul 21 04:42:58 2022
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1148309,1191502,1195529,1200170
This update for systemd fixes the following issues:

- Allow control characters in environment variable values (bsc#1200170)
- basic/env-util: Allow newlines in values of environment variables
- man: tweak description of auto/noauto (bsc#1191502)
- shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
- shared/install: fix error codes returned by install_context_apply()
- shared/install: ignore failures for auxiliary files
- systemctl: suppress enable/disable messages when `-q` is given
- test-env-util: Verify that \r is disallowed in env var values
- test-env-util: print function headers
- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2571-1
Released: Thu Jul 28 04:20:52 2022
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1194550,1197684,1199042
This update for libzypp, zypper fixes the following issues:

libzypp:

- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only
- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.
- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

zypper:

- Basic JobReport for 'cmdout/monitor'
- versioncmp: if verbose, also print the edition 'parts' which are compared
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally
- Honor the NO_COLOR environment variable when auto-detecting whether to use color
- Define table columns which should be sorted natural [case insensitive]
- lr/ls: Use highlight color on name and alias as well

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2717-1
Released: Tue Aug 9 12:54:16 2022
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1198627,CVE-2022-29458
This update for ncurses fixes the following issues:

- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2829-1
Released: Wed Aug 17 13:33:11 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1199223,1199224,1200735,1200737,CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
This update for curl fixes the following issues:

- CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
- CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).
- CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).
- CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2830-1
Released: Wed Aug 17 14:36:26 2022
Summary: Security update for gnutls
Type: security
Severity: important
References: 1196167,1202020,CVE-2021-4209,CVE-2022-2509
This update for gnutls fixes the following issues:

- CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).
- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2866-1
Released: Mon Aug 22 15:36:30 2022
Summary: Security update for systemd-presets-common-SUSE
Type: security
Severity: moderate
References: 1199524,1200485,CVE-2022-1706
This update for systemd-presets-common-SUSE fixes the following issues:

- CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

The following non-security bugs were fixed:

- Modify branding-preset-states to fix systemd-presets-common-SUSE not enabling new user systemd service preset configuration just as it handles system service presets.
  By passing an (optional) second parameter 'user', the save/apply-changes commands now work with user services instead of system ones (bsc#1200485)
- Add the wireplumber user service preset to enable it by default in SLE15-SP4 where it replaced pipewire-media-session, but keep pipewire-media-session preset so we don't have to branch the systemd-presets-common-SUSE package for SP4 (bsc#1200485)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2905-1
Released: Fri Aug 26 05:30:33 2022
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1198341
This update for openldap2 fixes the following issues:

- Prevent memory reuse which may lead to instability (bsc#1198341)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2944-1
Released: Wed Aug 31 05:39:14 2022
Summary: Recommended update for procps
Type: recommended
Severity: important
References: 1181475
This update for procps fixes the following issues:

- Fix 'free' command reporting misleading 'used' value (bsc#1181475)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2947-1
Released: Wed Aug 31 09:16:21 2022
Summary: Security update for zlib
Type: security
Severity: important
References: 1202175,CVE-2022-37434
This update for zlib fixes the following issues:

- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2991-1
Released: Thu Sep 1 16:04:30 2022
Summary: Security update for libtirpc
Type: security
Severity: important
References: 1198752,1200800,1201680,CVE-2021-46828
This update for libtirpc fixes the following issues:

- CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680).

Non-security fixes:

- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignment (bsc#1198752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2994-1
Released: Fri Sep 2 10:44:54 2022
Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Type: recommended
Severity: moderate
References: 1198925
This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)

No code changes were done in this update.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3129-1
Released: Wed Sep 7 04:42:53 2022
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1197178,1198731,1200842
This update for util-linux fixes the following issues:

- su: Change owner and mode for pty (bsc#1200842)
- agetty: Resolve tty name even if stdin is specified (bsc#1197178)
- libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
- mesg: use only stat() to get the current terminal status (bsc#1200842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3144-1
Released: Wed Sep 7 11:04:23 2022
Summary: Security update for gpg2
Type: security
Severity: important
References: 1201225,CVE-2022-34903
This update for gpg2 fixes the following issues:

- CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3221-1
Released: Fri Sep 9 04:31:28 2022
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1199895,1200993,1201092,1201576,1201638
This update for libzypp, zypper fixes the following issues:

libzypp:

- Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
- Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloader. Second the Provide API is going to completely replace the current media backend.

zypper:

- Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
- Reject install/remove modifier without argument (bsc#1201576)
- zypper-download: Handle unresolvable arguments as errors
- Put signing key supplying repository name in quotes

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3262-1
Released: Tue Sep 13 15:34:29 2022
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1199140
This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3304-1
Released: Mon Sep 19 11:43:25 2022
Summary: Recommended update for libassuan
Type: recommended
Severity: moderate
References:
This update for libassuan fixes the following issues:

- Add a timeout for writing to a SOCKS5 proxy
- Add workaround for a problem with LD_LIBRARY_PATH on newer systems
- Fix issue in the logging code
- Fix some build trivialities
- Upgrade autoconf

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3307-1
Released: Mon Sep 19 13:26:51 2022
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737
This update for sqlite3 fixes the following issues:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3549-1
Released: Fri Oct 7 14:39:40 2022
Summary: Security update for cyrus-sasl
Type: security
Severity: important
References: 1159635,CVE-2019-19906
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3566-1
Released: Tue Oct 11 16:19:09 2022
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: critical
References: 1189282,1201972,1203649
This update for libzypp, zypper fixes the following issues:

libzypp:

- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

zypper:

- Fix contradiction in the man page: `--download-in-advance` option is the default behavior
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now auto established
- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3597-1
Released: Mon Oct 17 13:13:16 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1203438,CVE-2022-40674
This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent
  function in xmlparse.c (bsc#1203438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3683-1
Released: Fri Oct 21 11:48:39 2022
Summary: Security update for libksba
Type: security
Severity: critical
References: 1204357,CVE-2022-3515
This update for libksba fixes the following issues:

- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3774-1
Released: Wed Oct 26 12:21:09 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1202593,1204383,CVE-2022-32221,CVE-2022-35252
This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released: Wed Oct 26 18:03:28 2022
Summary: Security update for libtasn1
Type: security
Severity: critical
References: 1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3805-1
Released: Thu Oct 27 17:19:46 2022
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
This update for dbus-1 fixes the following issues:

- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).
- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
- CVE-2022-42012: Fixed a use-after-free that could be triggered by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).

Bugfixes:
- Disable asserts (bsc#1087072).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released: Fri Nov 4 13:26:29 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304
This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3882-1
Released: Mon Nov 7 09:06:03 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1180995
This update for openssl-1_1 fixes the following issues:
- FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3905-1
Released: Tue Nov 8 12:23:17 2022
Summary: Recommended update for aaa_base
Type: recommended
Severity: important
References: 1196840,1199492,1199918,1199926,1199927
This update for aaa_base and iputils fixes the following issues:

aaa_base:
- Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
- The wrapper rootsh is not a restricted shell (bsc#1199492)

iputils:
- Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released: Tue Nov 8 13:05:04 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issue:
- Update pam_motd to the most current version.
(PED-1712)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3912-1
Released: Tue Nov 8 13:38:11 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1204708,CVE-2022-43680
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released: Mon Nov 14 07:33:50 2022
Summary: Recommended update for zlib
Type: recommended
Severity: important
References: 1203652
This update for zlib fixes the following issues:
- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3975-1
Released: Mon Nov 14 15:41:13 2022
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1201959
This update for util-linux fixes the following issues:
- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short running applications - increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664
This update for dpkg fixes the following issues:
- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4146-1
Released: Mon Nov 21 09:56:12 2022
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533
This update for binutils fixes the following issues:

The following security bugs were fixed:
- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).

The following non-security bugs were fixed:
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:
  * The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set.
    These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions. The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary.
  * The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance with the Package Metadata specification.
  * In linker scripts it is now possible to use TYPE= in an output section description to set the section type value.
  * The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. (Currently: AVR, RiscV, s390, x86, x86_64).
  * The nm program now supports a --no-weak/-W option to make it ignore weak symbols.
  * The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links.
  * The objcopy program's --weaken, --weaken-symbol, and --weaken-symbols options now work with unique symbols as well.
- Update to 2.38:
  * elfedit: Add --output-abiversion option to update ABIVERSION.
  * Add support for the LoongArch instruction set.
  * Tools which display symbols or strings (readelf, strings, nm, objdump) have a new command line option which controls how unicode characters are handled. By default they are treated as normal for the tool. Using --unicode=locale will display them according to the current locale. Using --unicode=hex will display them as hex byte values, whilst --unicode=escape will display them as escape sequences. In addition using --unicode=highlight will display them as unicode escape sequences highlighted in red (if supported by the output device).
  * readelf -r dumps RELR relative relocations now.
  * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been added to objcopy in order to enable UEFI development using binutils.
  * ar: Add --thin for creating thin archives. -T is a deprecated alias without diagnostics. In many ar implementations -T has a different meaning, as specified by X/Open System Interface.
  * Add support for AArch64 system registers that were missing in previous releases.
  * Add support for the LoongArch instruction set.
  * Add a command-line option, -muse-unaligned-vector-move, for x86 target to encode aligned vector move as unaligned vector move.
  * Add support for Cortex-R52+ for Arm.
  * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
  * Add support for Cortex-A710 for Arm.
  * Add support for Scalable Matrix Extension (SME) for AArch64.
  * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the assembler what to do when it encounters multibyte characters in the input. The default is to allow them. Setting the option to 'warn' will generate a warning message whenever any multibyte character is encountered. Setting the option to 'warn-sym-only' will make the assembler generate a warning whenever a symbol is defined containing multibyte characters. (References to undefined symbols will not generate warnings).
  * Outputs of .ds.x directive and .tfloat directive with hex input from x86 assembler have been reduced from 12 bytes to 10 bytes to match the output of .tfloat directive.
  * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in AArch64 GAS.
  * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
  * Add support for Intel AVX512_FP16 instructions.
  * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF linker to pack relative relocations in the DT_RELR section.
  * Add support for the LoongArch architecture.
  * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF linker to control canonical function pointers and copy relocation.
  * Add --max-cache-size=SIZE to set the maximum cache size to SIZE bytes.
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4155-1
Released: Mon Nov 21 14:36:17 2022
Summary: Security update for krb5
Type: security
Severity: important
References: 1205126,CVE-2022-42898
This update for krb5 fixes the following issues:
- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4214-1
Released: Thu Nov 24 16:17:31 2022
Summary: Security update for libdb-4_8
Type: security
Severity: low
References: 1174414,CVE-2019-2708
This update for libdb-4_8 fixes the following issues:
- CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released: Mon Nov 28 12:36:32 2022
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:

This update ships the GCC 12 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.

To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4592-1
Released: Tue Dec 20 16:51:35 2022
Summary: Security update for cni
Type: security
Severity: important
References: 1181961,CVE-2021-20206
This update for cni fixes the following issues:
- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4593-1
Released: Tue Dec 20 16:55:16 2022
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1181961,CVE-2021-20206
This update for cni-plugins fixes the following issues:
- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released: Wed Dec 28 09:23:13 2022
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:
- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released: Mon Jan 9 11:13:43 2023
Summary: Security update for libksba
Type: security
Severity: moderate
References: 1206579,CVE-2022-47629
This update for libksba fixes the following issues:
- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released: Thu Jan 26 21:55:43 2023
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1206412
This update for procps fixes the following issues:
- Improve memory handling/usage (bsc#1206412)
- Make sure that correct library version is installed (bsc#1206412)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released: Fri Jan 27 12:07:19 2023
Summary: Recommended update for zlib
Type: recommended
Severity: important
References: 1203652
This update for zlib fixes the following issues:
- Follow up fix for bug bsc#1203652 due to libxml2 issues
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:308-1
Released: Tue Feb 7 17:33:37 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:446-1
Released: Fri Feb 17 09:52:43 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1194038,1205646
This update for util-linux fixes the following issues:
- Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
- libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:486-1
Released: Thu Feb 23 10:38:13 2023
Summary: Security update for c-ares
Type: security
Severity: important
References: 1208067,CVE-2022-4904
This update for c-ares fixes the following issues:

Updated to version 1.19.0:
- CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:676-1
Released: Wed Mar 8 14:33:23 2023
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1204585
This update for libxml2 fixes the following issues:
- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released: Thu Mar 16 17:29:23 2023
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes.

This update ships the GCC 12 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.

To use gcc12 compilers use:
- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:787-1
Released: Thu Mar 16 19:37:18 2023
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: important
References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv:
- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons

libzypp:
- Avoid calling getsockopt when we know the info already.
  This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used.
  This will update the installed PTF packages to their latest version.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fall back to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

zypper:
- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid displaying superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
  A remove command which prefers replacing dependent packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependent packages. However it is not desired for the dependent packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependent packages by their official update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1748-1
Released: Tue Apr 4 09:06:59 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1209624,CVE-2023-0464
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1753-1
Released: Tue Apr 4 11:55:00 2023
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References:
This update for systemd-presets-common-SUSE fixes the following issue:
- Enable systemd-pstore.service by default (jsc#PED-2663)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1908-1
Released: Wed Apr 19 08:38:53 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1209873,1209878,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:
- CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).
- CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1979-1
Released: Tue Apr 25 09:36:43 2023
Summary: Security update for protobuf-c
Type: security
Severity: important
References: 1210323,CVE-2022-48468
This update for protobuf-c fixes the following issues:
- CVE-2022-48468: Fixed an unsigned integer overflow.
(bsc#1210323)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1991-1
Released: Tue Apr 25 13:22:19 2023
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1160285,1210096
This update for permissions fixes the following issues:
* mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released: Wed Apr 26 21:05:45 2023
Summary: Security update for libxml2
Type: security
Severity: important
References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).

The following non-security bugs were fixed:
- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2068-1
Released: Fri Apr 28 13:55:00 2023
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1210507,CVE-2023-29383
This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released: Fri Apr 28 17:02:25 2023
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1209533,CVE-2022-4899
This update for zstd fixes the following issues:
- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released: Thu May 4 21:05:30 2023
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1209122
This update for procps fixes the following issue:
- Allow '-' as leading character to ignore possible errors on sysctl entries (bsc#1209122)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released: Fri May 5 14:34:00 2023
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1210434,CVE-2023-29491
This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2133-1
Released: Tue May 9 13:37:10 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1206513
This update for zlib fixes the following issues:
- Add DFLTCC support for using inflate() with a small window (bsc#1206513)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2226-1
Released: Wed May 17 09:55:49 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1206309,1207992,1209209,1209210,1209211,1209212,1209214,1211231,1211232,1211233,1211339,CVE-2022-43552,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
This update for curl fixes the following issues:
- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2248-1
Released: Thu May 18 17:06:33 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1127591,1195633,1208329,1209406,1210870
This update for libzypp, zypper fixes the following issues:
- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
- multicurl: propagate ssl settings stored in repo url (bsc#1127591)
- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Teach MediaNetwork to retry on HTTP2 errors.
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2313-1
Released: Tue May 30 09:29:25 2023
Summary: Security update for c-ares
Type: security
Severity: important
References: 1211604,1211605,1211606,1211607,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067
This update for c-ares fixes the following issues:

Update to version 1.19.1:
- CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
- CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
- CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
- CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- Fix uninitialized memory warning in test
- ares_getaddrinfo() should allow a port of 0
- Fix memory leak in ares_send() on error
- Fix comment style in ares_data.h
- Fix typo in ares_init_options.3
- Sync ax_pthread.m4 with upstream
- Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released: Tue May 30 15:52:17 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1200441
This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released: Tue May 30 15:57:30 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1200441
This update of cni fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2327-1
Released: Tue May 30 16:44:58 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1211430,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:
- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2333-1
Released: Wed May 31 09:01:28 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1210593
This update for zlib fixes the following issue:
- Fix function calling order to avoid crashes (bsc#1210593)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2472-1
Released: Thu Jun 8 10:05:45 2023
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1211661
This update for libzypp fixes the following issues:
- Do not unconditionally release a medium if provideFile failed (bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing
- Update to version 17.31.12 (22)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2496-1
Released: Tue Jun 13 15:19:20 2023
Summary: Recommended update for libzypp
Type: recommended
Severity: important
References: 1212187
This update for libzypp fixes the following issue:
- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2622-1
Released: Fri Jun 23 13:42:21 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1201627,1207534,CVE-2022-4304
This update for openssl-1_1 fixes the following issues:
- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534).
- Update further expiring certificates that affect tests [bsc#1201627]
  * Add openssl-Update-further-expiring-certificates.patch
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released: Fri Jun 23 17:16:11 2023
Summary: Recommended update for gcc12
Type: recommended
Severity: moderate
References:
This update for gcc12 fixes the following issues:
- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204
  * includes regression and other bug fixes
- Speed up builds with --enable-link-serialization.
- Update embedded newlib to version 4.2.0
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2644-1
Released: Tue Jun 27 09:23:49 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1211261,1212187,1212222
This update for libzypp, zypper fixes the following issues:

libzypp was updated to version 17.31.14 (22):
- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins.

zypper was updated to version 1.14.61:
- targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released: Tue Jul 18 11:35:52 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1206346
This update of cni fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released: Tue Jul 18 11:39:26 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2879-1
Released: Wed Jul 19 09:45:34 2023
Summary: Security update for dbus-1
Type: security
Severity: moderate
References: 1212126,CVE-2023-34969

This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged user (bsc#1212126).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released: Thu Jul 20 12:00:17 2023
Summary: Recommended update for gpgme
Type: recommended
Severity: moderate
References: 1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2955-1
Released: Tue Jul 25 05:22:54 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1193015

This update for util-linux fixes the following issues:

- Fix memory leak on parse errors in libmount. (bsc#1193015)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released: Tue Jul 25 08:33:38 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211419,CVE-2023-2603

This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2961-1
Released: Tue Jul 25 09:32:56 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213487,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2998-1
Released: Thu Jul 27 08:39:49 2023
Summary: Recommended update for libdb-4_8
Type: recommended
Severity: moderate
References: 1099695

This update for libdb-4_8 fixes the following issues:

- Fix incomplete license tag (bsc#1099695)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3068-1
Released: Mon Jul 31 16:33:43 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1213517

This update for openssl-1_1 fixes the following issues:

- Don't pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3191-1
Released: Fri Aug 4 06:29:08 2023
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1211079

This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3388-1
Released: Wed Aug 23 17:14:22 2023
Summary: Recommended update for binutils
Type: recommended
Severity: important
References: 1213282

This update for binutils fixes the following issues:

- Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3434-1
Released: Thu Aug 24 15:05:22 2023
Summary: Security update for krb5
Type: security
Severity: important
References: 1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released: Mon Aug 28 08:57:10 2023
Summary: Security update for gawk
Type: security
Severity: low
References: 1214025,CVE-2023-4156

This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released: Tue Aug 29 10:55:16 2023
Summary: Security update for procps
Type: security
Severity: low
References: 1214290,CVE-2023-4016

This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3513-1
Released: Fri Sep 1 15:47:41 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1158763,1210740,1213231,1213557,1213673

This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3535-1
Released: Tue Sep 5 14:46:31 2023
Summary: Security update for glib2
Type: security
Severity: important
References: 1183533,1211945,1211946,1211947,1211948,1211951,CVE-2021-28153,CVE-2023-29499,CVE-2023-32611,CVE-2023-32636,CVE-2023-32643,CVE-2023-32665

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
- CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
- CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
- CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
- CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
- CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released: Mon Sep 18 21:44:09 2023
Summary: Security update for gcc12
Type: security
Severity: important
References: 1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3686-1
Released: Tue Sep 19 17:23:03 2023
Summary: Security update for gcc7
Type: security
Severity: important
References: 1195517,1196861,1204505,1205145,1214052,CVE-2023-4039

This update for gcc7 fixes the following issues:

Security issue fixed:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

Other fixes:

- Fixed KASAN kernel compile. [bsc#1205145]
- Fixed ICE with C++17 code as reported in [bsc#1204505]
- Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517):
- Adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released: Wed Sep 20 11:01:15 2023
Summary: Security update for libxml2
Type: security
Severity: important
References: 1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released: Wed Sep 27 18:20:25 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3816-1
Released: Wed Sep 27 18:25:44 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3825-1
Released: Wed Sep 27 18:48:53 2023
Summary: Security update for binutils
Type: security
Severity: important
References: 1200962,1206080,1206556,1208037,1208038,1208040,1208409,1209642,1210297,1210733,1213458,1214565,1214567,1214579,1214580,1214604,1214611,1214619,1214620,1214623,1214624,1214625,CVE-2020-19726,CVE-2021-32256,CVE-2022-35205,CVE-2022-35206,CVE-2022-4285,CVE-2022-44840,CVE-2022-45703,CVE-2022-47673,CVE-2022-47695,CVE-2022-47696,CVE-2022-48063,CVE-2022-48064,CVE-2022-48065,CVE-2023-0687,CVE-2023-1579,CVE-2023-1972,CVE-2023-2222,CVE-2023-25585,CVE-2023-25587,CVE-2023-25588

This update for binutils fixes the following issues:

Update to version 2.41 [jsc#PED-5778]:

* The MIPS port now supports the Sony Interactive Entertainment Allegrex processor, used with the PlayStation Portable, which implements the MIPS II ISA along with a single-precision FPU and a few implementation-specific integer instructions.
* Objdump's --private option can now be used on PE format files to display the fields in the file header and section headers.
* New versioned release of libsframe: libsframe.so.1. This release introduces versioned symbols with version node name LIBSFRAME_1.0. This release also updates the ABI in an incompatible way: this includes removal of sframe_get_funcdesc_with_addr API, change in the behavior of sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
* SFrame Version 2 is now the default (and only) format version supported by gas, ld, readelf and objdump.
* Add command-line option, --strip-section-headers, to objcopy and strip to remove ELF section header from ELF file.
* The RISC-V port now supports the following new standard extensions:
  - Zicond (conditional zero instructions)
  - Zfa (additional floating-point instructions)
  - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng, Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
* The RISC-V port now supports the following vendor-defined extensions:
  - XVentanaCondOps
* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
* A new .insn directive is recognized by x86 gas.
* Add SME2 support to the AArch64 port.
* The linker now accepts a command line option of --remap-inputs = to replace any input file that matches with . In addition the option --remap-inputs-file= can be used to specify a file containing any number of these remapping directives.
* The linker command line option --print-map-locals can be used to include local symbols in a linker map. (ELF targets only).
* For most ELF based targets, if the --enable-linker-version option is used then the version of the linker will be inserted as a string into the .comment section.
* The linker script syntax has a new command for output sections: ASCIZ 'string' This will insert a zero-terminated string at the current location.
* Add command-line option, -z nosectionheader, to omit ELF section header.
- Contains fixes for these non-CVEs (not security bugs per upstream's SECURITY.md):
  * bsc#1209642 aka CVE-2023-1579 aka PR29988
  * bsc#1210297 aka CVE-2023-1972 aka PR30285
  * bsc#1210733 aka CVE-2023-2222 aka PR29936
  * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
  * bsc#1214565 aka CVE-2020-19726 aka PR26240
  * bsc#1214567 aka CVE-2022-35206 aka PR29290
  * bsc#1214579 aka CVE-2022-35205 aka PR29289
  * bsc#1214580 aka CVE-2022-44840 aka PR29732
  * bsc#1214604 aka CVE-2022-45703 aka PR29799
  * bsc#1214611 aka CVE-2022-48065 aka PR29925
  * bsc#1214619 aka CVE-2022-48064 aka PR29922
  * bsc#1214620 aka CVE-2022-48063 aka PR29924
  * bsc#1214623 aka CVE-2022-47696 aka PR29677
  * bsc#1214624 aka CVE-2022-47695 aka PR29846
  * bsc#1214625 aka CVE-2022-47673 aka PR29876
- This existed only for a very short while in SLE-15, as the main variant in devel:gcc subsumed this in binutils-revert-rela.diff. Hence:
- Document fixed CVEs:
  * bsc#1208037 aka CVE-2023-25588 aka PR29677
  * bsc#1208038 aka CVE-2023-25587 aka PR29846
  * bsc#1208040 aka CVE-2023-25585 aka PR29892
  * bsc#1208409 aka CVE-2023-0687 aka PR29444
- Enable bpf-none cross target and add bpf-none to the multitarget set of supported targets.
- Disable packed-relative-relocs for old codestreams. They generate buggy relocations when binutils-revert-rela.diff is active. [bsc#1206556]
- Disable ZSTD debug section compress by default.
- Enable zstd compression algorithm (instead of zlib) for debug info sections by default.
- Pack libgprofng only for supported platforms.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing of the package).
- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

Update to version 2.40:

* Objdump has a new command line option --show-all-symbols which will make it display all symbols that match a given address when disassembling. (Normally only the first symbol that matches an address is shown).
* Add --enable-colored-disassembly configure time option to enable colored disassembly output by default, if the output device is a terminal. Note, this configure option is disabled by default.
* DCO signed contributions are now accepted.
* objcopy --decompress-debug-sections now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
* addr2line and objdump --dwarf now support zstd compressed debug sections.
* The dlltool program now accepts --deterministic-libraries and --non-deterministic-libraries as command line options to control whether or not it generates deterministic output libraries. If neither of these options are used the default is whatever was set when the binutils were configured.
* readelf and objdump now have a newly added option --sframe which dumps the SFrame section.
* Add support for Intel RAO-INT instructions.
* Add support for Intel AVX-NE-CONVERT instructions.
* Add support for Intel MSRLIST instructions.
* Add support for Intel WRMSRNS instructions.
* Add support for Intel CMPccXADD instructions.
* Add support for Intel AVX-VNNI-INT8 instructions.
* Add support for Intel AVX-IFMA instructions.
* Add support for Intel PREFETCHI instructions.
* Add support for Intel AMX-FP16 instructions.
* gas now supports --compress-debug-sections=zstd to compress debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs, XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx, XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head ISA manual, which are implemented in the Allwinner D1.
* Add support for the RISC-V Zawrs extension, version 1.0-rc4.
* Add support for Cortex-X1C for Arm.
* New command line option --gsframe to generate SFrame unwind information on x86_64 and aarch64 targets.
* The linker has a new command line option to suppress the generation of any warning or error messages. This can be useful when there is a need to create a known non-working binary. The option is -w or --no-warnings.
* ld now supports zstd compressed debug sections. The new option --compress-debug-sections=zstd compresses debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd} that selects the default compression algorithm for --enable-compressed-debug-sections.
* Remove support for -z bndplt (MPX prefix instructions).
- Includes fixes for these CVEs:
  * bsc#1206080 aka CVE-2022-4285 aka PR29699
- Enable by default: --enable-colored-disassembly.
- fix build on x86_64_vX platforms

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3937-1
Released: Tue Oct 3 11:33:38 2023
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1213854,1214292,1214395,1215007

This update for zypper fixes the following issues:

- Fix name of the bash completion script (bsc#1215007)
- Update notes about failing signature checks (bsc#1214395)
- Improve the SIGINT handler to be signal safe (bsc#1214292)
- Update to version 1.14.64
- Changed location of bash completion script (bsc#1213854).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3958-1
Released: Wed Oct 4 09:16:06 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4025-1
Released: Tue Oct 10 13:41:02 2023
Summary: Security update for shadow
Type: security
Severity: low
References: 1214806,CVE-2023-4641

This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4047-1
Released: Wed Oct 11 10:40:26 2023
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1215286,1215505,CVE-2023-4813

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Other changes:

- Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
- Run vismain only if linker supports protected data symbol (bsc#1215505)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released: Thu Oct 19 09:38:31 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4127-1
Released: Thu Oct 19 09:43:23 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released: Mon Oct 23 15:33:03 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released: Thu Oct 26 12:20:27 2023
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released: Thu Nov 16 17:56:12 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4512-1
Released: Tue Nov 21 17:25:02 2023
Summary: Security update for util-linux
Type: security
Severity: important
References: 1213865,CVE-2018-7738

This update for util-linux fixes the following issues:

- CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4520-1
Released: Tue Nov 21 17:42:13 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4536-1
Released: Thu Nov 23 08:19:05 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1041742,1203760,1212422,1215979,1216091

This update for libzypp, zypper fixes the following issues:

- Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- Fix comment typo on zypp.conf (bsc#1215979)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
- Make sure the old target is deleted before a new one is created (bsc#1203760)
- Return 104 also if info suggests near matches
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4613-1
Released: Wed Nov 29 15:46:24 2023
Summary: Updates Cilium
Type: security
Severity: important
References: 1215713,1216174,CVE-2023-35945,CVE-2023-44487

Updates Cilium addon as it got rebuilt to include a couple of security fixes

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150000.3.60.1 updated
- binutils-2.41-150100.7.46.1 updated
- cilium-proxy-20200109-150100.3.3.14.1 updated
- clang7-7.0.1-150100.3.22.2 updated
- cni-plugins-0.8.6-150100.3.20.1 updated
- cni-0.7.1-150100.3.16.1 updated
- coreutils-8.29-4.3.1 updated
- cpp7-7.5.0+r278197-150000.4.35.1 updated
- dbus-1-1.12.2-150100.8.17.1 updated
- filesystem-15.0-11.8.1 updated
- gawk-4.2.1-150000.3.3.1 updated
- gcc7-7.5.0+r278197-150000.4.35.1 updated
- glibc-32bit-2.26-150000.13.70.1 updated
- glibc-devel-32bit-2.26-150000.13.70.1 updated
- glibc-devel-2.26-150000.13.70.1 updated
- glibc-2.26-150000.13.70.1 updated
- gpg2-2.2.5-150000.4.22.1 updated
- grep-3.1-150000.4.6.1 updated
- gzip-1.10-150000.4.15.1 updated
- krb5-1.16.3-150100.3.30.1 updated
- libLLVM7-7.0.1-150100.3.22.2 updated
- libLTO7-7.0.1-150100.3.22.2 updated
- libasan4-7.5.0+r278197-150000.4.35.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libaugeas0-1.10.1-150000.3.12.1 updated
- libblkid1-2.33.2-150100.4.40.1 updated
- libcap2-2.26-150000.4.9.1 updated
- libcares2-1.19.1-150000.3.23.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.35.1 updated
- libclang7-7.0.1-150100.3.22.2 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libcryptsetup12-2.0.6-150100.4.6.1 updated
- libctf-nobfd0-2.41-150100.7.46.1 updated
- libctf0-2.41-150100.7.46.1 updated
- libcurl4-7.60.0-150000.51.1 updated
- libdb-4_8-4.8.30-150000.7.9.1 updated
- libdbus-1-3-1.12.2-150100.8.17.1 updated
- libexpat1-2.2.5-150000.3.25.1 updated
- libfdisk1-2.33.2-150100.4.40.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libglib-2_0-0-2.54.3-150000.4.29.1 updated
- libgnutls30-3.6.7-150000.6.45.2 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libgpgme11-1.10.0-150000.4.6.2 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libldap-2_4-2-2.4.46-150000.9.74.3 updated
- libldap-data-2.4.46-150000.9.74.3 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libmount1-2.33.2-150100.4.40.1 updated
- libmpx2-8.2.1+r264010-150000.1.6.4 updated
- libmpxwrappers2-8.2.1+r264010-150000.1.6.4 updated
- libncurses6-6.1-150000.5.15.1 updated
- libnghttp2-14-1.40.0-150000.3.17.1 updated
- libopenssl1_1-1.1.0i-150100.14.68.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-c-devel-1.3.0-150000.3.3.1 updated
- libprotobuf-c1-1.3.0-150000.3.3.1 updated
- libprotobuf-lite20-3.9.2-150100.8.3.3 added
- libprotobuf15-3.5.0-5.5.1 updated
- libprotoc15-3.5.0-5.5.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libsasl2-3-2.1.26-150000.5.13.1 updated
- libsmartcols1-2.33.2-150100.4.40.1 updated
- libsolv-tools-0.7.24-150100.4.12.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-devel-gcc7-7.5.0+r278197-150000.4.35.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libsystemd0-234-150000.24.111.1 updated
- libtasn1-6-4.13-150000.4.8.1 updated
- libtasn1-4.13-150000.4.8.1 updated
- libtirpc-netconfig-1.0.2-150000.3.18.1 updated
- libtirpc3-1.0.2-150000.3.18.1 updated
- libtsan0-11.3.0+git1637-150000.1.11.2 updated
- libubsan0-7.5.0+r278197-150000.4.35.1 updated
- libudev1-234-150000.24.111.1 updated
- libusb-1_0-0-1.0.21-150000.3.5.1 updated
- libuuid1-2.33.2-150100.4.40.1 updated
- libxml2-2-2.9.7-150000.3.63.1 updated
- libyaml-cpp0_6-0.6.1-4.5.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.22-150100.3.120.1 updated
- llvm7-7.0.1-150100.3.22.2 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssl-1_1-1.1.0i-150100.14.68.1 added
- openssl-1.1.0i-3.3.1 added
- pam-1.3.0-150000.6.61.1 updated
- perl-base-5.26.1-150000.7.15.1 updated
- permissions-20181116-150100.9.41.1 updated
- procps-3.3.15-150000.7.34.1 updated
- protobuf-c-1.3.0-150000.3.3.1 updated
- shadow-4.6-150100.3.11.1 updated
- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- systemd-234-150000.24.111.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- udev-234-150000.24.111.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- util-linux-2.33.2-150100.4.40.1 updated
- zypper-1.14.66-150100.3.90.1 updated
- container:sles15-image-15.0.0-6.2.848 updated
- libprotobuf-lite15-3.5.0-5.2.1 removed

From sle-container-updates at lists.suse.com Wed Nov 29 15:12:02 2023
From: sle-container-updates at lists.suse.com (sle-container-updates at lists.suse.com)
Date: Wed, 29 Nov 2023 15:12:02 -0000
Subject: SUSE-CU-2023:3916-1: Security update of caasp/v4/cilium-operator
Message-ID: <20231129151156.CE772FBA9@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/cilium-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3916-1
Container Tags : caasp/v4/cilium-operator:1.6.6 , caasp/v4/cilium-operator:1.6.6-rev6 , caasp/v4/cilium-operator:1.6.6-rev6-build3.17.1
Container Release : 3.17.1
Severity : critical
Type : security
References : 1040589 1041742 1065270 1082318 1089497 1099272 1115529 1121227 1121230 1122004 1122021 1127591 1128846 1148309 1158763 1159635 1160285 1162964 1172113 1172427 1173277 1174075 1174911 1178233 1180065 1180689 1180995 1181475 1181826 1182959 1183533 1184501 1185637 1187512 1187906 1189152 1189282 1189802 1190447 1190926 1191157 1191502 1192951 1193007 1193015 1193489 1193625 1193659 1193759 1193805 1193841 1194038 1194229 1194550 1194597 1194640 1194642 1194768 1194770 1194848 1194883 1194898 1195149 1195283 1195326 1195468 1195529 1195560 1195628 1195633 1195773 1195792 1195856 1195899 1195999 1196036 1196061 1196093 1196107 1196167 1196275 1196317 1196368 1196406 1196490 1196514 1196840 1196861 1196877 1196925 1196939 1197004 1197004 1197024 1197065 1197134
1197178 1197443 1197459 1197684 1197771 1197794 1198062 1198341 1198446 1198627 1198731 1198752 1198925 1199042 1199132 1199132 1199140 1199166 1199223 1199224 1199232 1199240 1199492 1199895 1199918 1199926 1199927 1200170 1200550 1200735 1200737 1200800 1200842 1200993 1201092 1201099 1201225 1201576 1201627 1201638 1201680 1201783 1201959 1201972 1201978 1202020 1202175 1202593 1203248 1203249 1203649 1203652 1203652 1203715 1203760 1204357 1204366 1204367 1204383 1204548 1204585 1204585 1204690 1204956 1205126 1205570 1205636 1205646 1206309 1206337 1206412 1206480 1206480 1206513 1206579 1206684 1206684 1206949 1207533 1207534 1207534 1207536 1207992 1208329 1209122 1209209 1209210 1209211 1209212 1209214 1209406 1209533 1209624 1209873 1209878 1210096 1210411 1210412 1210434 1210507 1210557 1210557 1210593 1210740 1210870 1211231 1211232 1211233 1211261 1211339 1211419 1211427 1211427 1211430 1211661 1211945 1211946 1211947 1211948 1211951 1212101 1212101 1212187 1212187 1212222 1212422 1213231 1213487 1213517 1213557 1213673 1213853 1213854 1213865 1213915 1213915 1214052 1214052 1214052 1214054 1214290 1214292 1214395 1214460 1214460 1214768 1214806 1215007 1215286 1215427 1215505 1215979 1216091 1216129 1216378 1216664 1216922 CVE-2015-8985 CVE-2016-3709 CVE-2018-20573 CVE-2018-20574 CVE-2018-25032 CVE-2018-7738 CVE-2019-19906 CVE-2019-6285 CVE-2019-6292 CVE-2020-14367 CVE-2020-29362 CVE-2021-28153 CVE-2021-3541 CVE-2021-36690 CVE-2021-3999 CVE-2021-4209 CVE-2021-46828 CVE-2021-46848 CVE-2022-0778 CVE-2022-1271 CVE-2022-1292 CVE-2022-1304 CVE-2022-1586 CVE-2022-2068 CVE-2022-2097 CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-24407 CVE-2022-2509 CVE-2022-27781 CVE-2022-27782 CVE-2022-29155 CVE-2022-29458 CVE-2022-29824 CVE-2022-29824 CVE-2022-32206 CVE-2022-32208 CVE-2022-32221 CVE-2022-34903 CVE-2022-3515 CVE-2022-35252 CVE-2022-35737 CVE-2022-37434 CVE-2022-40303 CVE-2022-40304 CVE-2022-42898 CVE-2022-4304 CVE-2022-4304 CVE-2022-43552 
CVE-2022-46908 CVE-2022-47629 CVE-2022-4899 CVE-2023-0215 CVE-2023-0286 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-23916 CVE-2023-2603 CVE-2023-2650 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-28484 CVE-2023-29383 CVE-2023-29469 CVE-2023-29491 CVE-2023-29499 CVE-2023-32611 CVE-2023-32636 CVE-2023-32643 CVE-2023-32665 CVE-2023-3446 CVE-2023-36054 CVE-2023-3817 CVE-2023-39615 CVE-2023-4016 CVE-2023-4039 CVE-2023-4039 CVE-2023-4039 CVE-2023-45322 CVE-2023-45853 CVE-2023-4641 CVE-2023-4813 CVE-2023-5678 ----------------------------------------------------------------- The container caasp/v4/cilium-operator was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:337-1 Released: Fri Feb 4 10:24:28 2022 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1193007,1194597,1194898 This update for libzypp fixes the following issues: - RepoManager: remember execution errors in exception history (bsc#1193007) - Fix exception handling when reading or writing credentials (bsc#1194898) - Fix install path for parser (bsc#1194597) - Fix Legacy include (bsc#1194597) - Public header files on older distros must use c++11 (bsc#1194597) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:473-1 Released: Thu Feb 17 10:29:42 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1195326 This update for libzypp, zypper fixes the following issues: - Fix handling of redirected command in-/output (bsc#1195326) This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:511-1 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate References: 1082318,1189152 This update for coreutils fixes the following issues: - Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152). - Properly sort docs and license files (bsc#1082318). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:523-1 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1193759,1193841 This update for systemd fixes the following issues: - systemctl: exit with 1 if no unit files found (bsc#1193841). - add rules for virtual devices (bsc#1193759). - enforce 'none' for loop devices (bsc#1193759). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1187512 This update for yast2-network fixes the following issues: - Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1190447 This update for filesystem fixes the following issues: - Release ported filesystem to LTSS channels (bsc#1190447). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:702-1 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Type: security Severity: important References: 1196036,CVE-2022-24407 This update for cyrus-sasl fixes the following issues: - CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:787-1 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: This update for openldap2 fixes the following issue: - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1195468 This update for procps fixes the following issues: - Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. 
(bsc#1195468) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:832-1 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Type: security Severity: important References: 1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219 glibc was updated to fix the following issues: Security issues fixed: - CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768) - CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770) - CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640) - CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625) Also the following bug was fixed: - Fix pthread_rwlock_try*lock stalls (bsc#1195560) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate References: 1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367 This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. 
Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. 
Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don't set interface for NTP responses to allow asymmetric routing - Handle RTCs that don't support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x 
clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. 
Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2022:853-1 Released: Tue Mar 15 19:27:30 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1196877,CVE-2022-0778 This update for openssl-1_1 fixes the following issues: - CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1182959,1195149,1195792,1195856 This update for openssl-1_1 fixes the following issues: openssl-1_1: - Fix PAC pointer authentication in ARM (bsc#1195856) - Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792) - FIPS: Fix function and reason error codes (bsc#1182959) - Enable zlib compression support (bsc#1195149) glibc: - Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1 linux-glibc-devel: - Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1 libxcrypt: - Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1 zlib: - Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:867-1 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1193805 This update for libtirpc fixes the following issues: - Fix memory leak in client protocol version 2 code (bsc#1193805) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:874-1 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1197004 This update for openldap2 fixes the following issue: - Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004) 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate References: 1196275,1196406 This update for filesystem and systemd-rpm-macros fixes the following issues: filesystem: - Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639) systemd-rpm-macros: - Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1021-1 Released: Tue Mar 29 13:24:21 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1195899 This update for systemd fixes the following issues: - allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1196093,1197024 This update for pam fixes the following issues: - Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093) - Between allocating the variable 'ai' and freeing it, there are two 'return NO' statements where we don't free this variable. This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important References: 1197459,CVE-2018-25032 This update for zlib fixes the following issues: - CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate References: 1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292 This update for yaml-cpp fixes the following issues: - CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227). - CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230). - CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004). - CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1194883 This update for aaa_base fixes the following issues: - Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883) - Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8 multi byte characters as well as support the vi mode of readline library ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1109-1 Released: Mon Apr 4 17:50:01 2022 Summary: Recommended update for util-linux Type: recommended Severity: important References: 1172427,1194642 This update for util-linux fixes the following issues: - Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642) - Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642) - Warn if uuidd lock state is not usable. (bsc#1194642) - Fix 'su -s' bash completion. 
(bsc#1172427) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1131-1 Released: Fri Apr 8 09:43:53 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important References: 1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134 This update for libsolv, libzypp, zypper fixes the following issues: Security relevant fix: - Harden package signature checks (bsc#1184501). libsolv to 0.7.22: - reworked choice rule generation to cover more use cases - support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514) - support parsing of Debian's Multi-Arch indicator - fix segfault on conflict resolution when using bindings - fix split provides not working if the update includes a forbidden vendor change - support strict repository priorities new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY - support zstd compressed control files in debian packages - add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20) - support setting/reading userdata in solv files new functions: repowriter_set_userdata, solv_read_userdata - support querying of the custom vendor check function new function: pool_get_custom_vendorcheck - support solv files with an idarray block - allow accessing the toolversion at runtime libzypp to 17.30.0: - ZConfig: Update solver settings if target changes (bsc#1196368) - Fix possible hang in singletrans mode (bsc#1197134) - Do 2 retries if mount is still busy. - Fix package signature check (bsc#1184501) Pay attention that header and payload are secured by a valid signature and report in more detail which signature is missing. - Retry umount if device is busy (bsc#1196061, closes #381) A previously released ISO image may need a bit more time to release its loop device. So we wait a bit and retry. 
- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925) - Fix handling of ISO media in releaseAll (bsc#1196061) - Hint on common ptf resolver conflicts (bsc#1194848) - Hint on ptf<>patch resolver conflicts (bsc#1194848) zypper to 1.14.52: - info: print the package's upstream URL if available (fixes #426) - info: Fix SEGV with not installed PTFs (bsc#1196317) - Don't prevent less restrictive umasks (bsc#1195999) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important References: 1198062,CVE-2022-1271 This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1196939 This update for e2fsprogs fixes the following issues: - Add support for 'libreadline7' for Leap. (bsc#1196939) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1195628,1196107 This update for gcc11 fixes the following issues: - Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstdc++6 package to keep those at the same version. [bsc#1196107] - Fixed memory corruption when creating dependences with the D language frontend. - Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628] - Put libstdc++6-pp Requires on the shared library and drop to Recommends. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1452-1 Released: Thu Apr 28 10:48:06 2022 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1193489 This update for perl fixes the following issues: - Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1197794 This update for pam fixes the following issue: - Do not include obsolete header files (bsc#1197794) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important References: 1197771 This update for libpsl fixes the following issues: - Fix libpsl compilation issues (bsc#1197771) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important References: 1198446,CVE-2022-1304 This update for e2fsprogs fixes the following issues: - CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate References: 1197443 This update for augeas fixes the following issue: - Sysctl keys can contain some more non-alphanumeric characters. 
(bsc#1197443) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1196490,1199132,CVE-2022-23308,CVE-2022-29824 This update for libxml2 fixes the following issues: - CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490). - CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1832-1 Released: Tue May 24 11:52:33 2022 Summary: Security update for openldap2 Type: security Severity: important References: 1191157,1197004,1199240,CVE-2022-29155 This update for openldap2 fixes the following issues: Security: - CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240). Bugfixes: - allow specification of max/min TLS version with TLS1.3 (bsc#1191157) - libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004) - restore CLDAP functionality in CLI tools (jsc#PM-3288) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1040589 This update for grep fixes the following issues: - Make profiling deterministic. (bsc#1040589, SLE-24115) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1192951,1193659,1195283,1196861,1197065 This update for gcc11 fixes the following issues: Update to the GCC 11.3.0 release. 
* includes SLS hardening backport on x86_64. [bsc#1195283] * includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861] * fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065] * use --with-cpu rather than specifying --with-arch/--with-tune * Fix D memory corruption in -M output. * Fix ICE in is_this_parameter with coroutines. [bsc#1193659] * fixes issue with debug dumping together with -o /dev/null * fixes libgccjit issue showing up in emacs build [bsc#1192951] * Package mwaitintrin.h ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2068-1 Released: Tue Jun 14 10:14:47 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1185637,1199166,CVE-2022-1292 This update for openssl-1_1 fixes the following issues: - CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2179-1 Released: Fri Jun 24 14:05:25 2022 Summary: Security update for openssl Type: security Severity: moderate References: 1200550,CVE-2022-2068 This update for openssl fixes the following issues: - CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2311-1 Released: Wed Jul 6 15:16:17 2022 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1201099,CVE-2022-2097 This update for openssl-1_1 fixes the following issues: - CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important References: 1199232,CVE-2022-1586 This update for pcre fixes the following issues: - CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2405-1 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Type: security Severity: moderate References: 1180065,CVE-2020-29362 This update for p11-kit fixes the following issues: - CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2471-1 Released: Thu Jul 21 04:42:58 2022 Summary: Recommended update for systemd Type: recommended Severity: important References: 1148309,1191502,1195529,1200170 This update for systemd fixes the following issues: - Allow control characters in environment variable values (bsc#1200170) - basic/env-util: Allow newlines in values of environment variables - man: tweak description of auto/noauto (bsc#1191502) - shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309) - shared/install: fix error codes returned by install_context_apply() - shared/install: ignore failures for auxiliary files - systemctl: suppress enable/disable messages when `-q` is given - test-env-util: Verify that \r is disallowed in env var values - test-env-util: print function headers - udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2571-1 Released: Thu Jul 28 04:20:52 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1194550,1197684,1199042 This update for 
libzypp, zypper fixes the following issues: libzypp: - appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684) - zypp-rpm: flush rpm script output buffer before sending endOfScriptTag - PluginRepoverification: initial version hooked into repo::Downloader and repo refresh - Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042) - singletrans: no dry-run commit if doing just download-only - Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo. - Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER zypper: - Basic JobReport for 'cmdout/monitor' - versioncmp: if verbose, also print the edition 'parts' which are compared - Make sure MediaAccess is closed on exception (bsc#1194550) - Display plus-content hint conditionally - Honor the NO_COLOR environment variable when auto-detecting whether to use color - Define table columns which should be sorted natural [case insensitive] - lr/ls: Use highlight color on name and alias as well ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2717-1 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Type: security Severity: moderate References: 1198627,CVE-2022-29458 This update for ncurses fixes the following issues: - CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2829-1 Released: Wed Aug 17 13:33:11 2022 Summary: Security update for curl Type: security Severity: important References: 1199223,1199224,1200735,1200737,CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208 This update for curl fixes the following issues: - CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223). - CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224). - CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735). - CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2830-1 Released: Wed Aug 17 14:36:26 2022 Summary: Security update for gnutls Type: security Severity: important References: 1196167,1202020,CVE-2021-4209,CVE-2022-2509 This update for gnutls fixes the following issues: - CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020). - CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2905-1 Released: Fri Aug 26 05:30:33 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1198341 This update for openldap2 fixes the following issues: - Prevent memory reuse which may lead to instability (bsc#1198341) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important References: 1181475 This update for procps fixes the following issues: - Fix 'free' command reporting misleading 'used' value (bsc#1181475) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2947-1 Released: Wed Aug 31 09:16:21 2022 Summary: Security update for zlib Type: security Severity: important References: 1202175,CVE-2022-37434 This update for zlib fixes the following issues: - CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2991-1 Released: Thu Sep 1 16:04:30 2022 Summary: Security update for libtirpc Type: security Severity: important References: 1198752,1200800,1201680,CVE-2021-46828 This update for libtirpc fixes the following issues: - CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680). 
Non-security fixes: - Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800) - Fix memory leak in params.r_addr assignment (bsc#1198752) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2994-1 Released: Fri Sep 2 10:44:54 2022 Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame Type: recommended Severity: moderate References: 1198925 This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925) No code changes were done in this update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3129-1 Released: Wed Sep 7 04:42:53 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1197178,1198731,1200842 This update for util-linux fixes the following issues: - su: Change owner and mode for pty (bsc#1200842) - agetty: Resolve tty name even if stdin is specified (bsc#1197178) - libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731) - mesg: use only stat() to get the current terminal status (bsc#1200842) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3144-1 Released: Wed Sep 7 11:04:23 2022 Summary: Security update for gpg2 Type: security Severity: important References: 1201225,CVE-2022-34903 This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3221-1 Released: Fri Sep 9 04:31:28 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1199895,1200993,1201092,1201576,1201638 This update for libzypp, zypper fixes the following issues: libzypp: - Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895) - Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092) - Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993) - Remove Medianetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloader. Second, the Provide API is going to completely replace the current media backend. zypper: - Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638) - Reject install/remove modifier without argument (bsc#1201576) - zypper-download: Handle unresolvable arguments as errors - Put signing key supplying repository name in quotes ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3262-1 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1199140 This update for gcc11 ships some missing 32bit libraries for s390x. 
(bsc#1199140) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgrade autoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3549-1 Released: Fri Oct 7 14:39:40 2022 Summary: Security update for cyrus-sasl Type: security Severity: important References: 1159635,CVE-2019-19906 This update for cyrus-sasl fixes the following issues: - CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3566-1 Released: Tue Oct 11 16:19:09 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: critical References: 1189282,1201972,1203649 This update for libzypp, zypper fixes the following issues: libzypp: - Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282) - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Remove migration code that is no longer needed (bsc#1203649) - Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined zypper: - Fix contradiction in the man page: `--download-in-advance` option is the default behavior - Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972) - Fix tests to use locale 'C.UTF-8' rather than 'en_US' - Make sure 'up' respects solver related CLI options (bsc#1201972) - Remove unneeded code to compute the PPP status because it is now auto established - Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical References: 1204357,CVE-2022-3515 This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3774-1 Released: Wed Oct 26 12:21:09 2022 Summary: Security update for curl Type: security Severity: important References: 1202593,1204383,CVE-2022-32221,CVE-2022-35252 This update for curl fixes the following issues: - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383). 
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3784-1 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Type: security Severity: critical References: 1204690,CVE-2021-46848 This update for libtasn1 fixes the following issues: - CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3871-1 Released: Fri Nov 4 13:26:29 2022 Summary: Security update for libxml2 Type: security Severity: important References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304 This update for libxml2 fixes the following issues: - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978). - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366). - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3882-1 Released: Mon Nov 7 09:06:03 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1180995 This update for openssl-1_1 fixes the following issues: - FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. 
(bsc#1180995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3905-1 Released: Tue Nov 8 12:23:17 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important References: 1196840,1199492,1199918,1199926,1199927 This update for aaa_base and iputils fixes the following issues: aaa_base: - Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927) - The wrapper rootsh is not a restricted shell (bsc#1199492) iputils: - Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3910-1 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issue: - Update pam_motd to the most current version. (PED-1712) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3961-1 Released: Mon Nov 14 07:33:50 2022 Summary: Recommended update for zlib Type: recommended Severity: important References: 1203652 This update for zlib fixes the following issues: - Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3975-1 Released: Mon Nov 14 15:41:13 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1201959 This update for util-linux fixes the following issues: - libuuid improvements (bsc#1201959, PED-1150): libuuid: Fix range when parsing UUIDs. Improve cache handling for short running applications-increment the cache size over runtime. Implement continuous clock handling for time based UUIDs. Check clock value from clock file to provide seamless libuuid. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4155-1 Released: Mon Nov 21 14:36:17 2022 Summary: Security update for krb5 Type: security Severity: important References: 1205126,CVE-2022-42898 This update for krb5 fixes the following issues: - CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4256-1 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ships the GCC 12 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module. The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1206337,CVE-2022-46908 This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:56-1 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Type: security Severity: moderate References: 1206579,CVE-2022-47629 This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low References: 1206412 This update for procps fixes the following issues: - Improve memory handling/usage (bsc#1206412) - Make sure that correct library version is installed (bsc#1206412) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:188-1 Released: Fri Jan 27 12:07:19 2023 Summary: Recommended update for zlib Type: recommended Severity: important References: 1203652 This update for zlib fixes the following issues: - Follow up fix for bug bsc#1203652 due to libxml2 issues ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:308-1 Released: Tue Feb 7 17:33:37 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286 This update for openssl-1_1 fixes the following issues: - CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533). - CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536). - CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:446-1 Released: Fri Feb 17 09:52:43 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1194038,1205646 This update for util-linux fixes the following issues: - Fix tests not passing when '@' character is in build path: Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038). - libuuid continuous clock handling for time based UUIDs: Prevent use of the new libuuid ABI by uuidd %post before update of libuuid1 (bsc#1205646). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:676-1 Released: Wed Mar 8 14:33:23 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1204585 This update for libxml2 fixes the following issues: - Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:776-1 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes. This update ships the GCC 12 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages. 
For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:787-1 Released: Thu Mar 16 19:37:18 2023 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949 This update for libsolv, libzypp, zypper fixes the following issues: libsolv: - Do not autouninstall SUSE PTF packages - Ensure 'duplinvolvedmap_all' is reset when a solver is reused - Fix 'keep installed' jobs not disabling 'best update' rules - New '-P' and '-W' options for `testsolv` - New introspection interface for weak dependencies similar to ruleinfos - Ensure special case file dependencies are written correctly in the testcase writer - Support better info about alternatives - Support decision reason queries - Support merging of related decisions - Support stringification of multiple solvables - Support stringification of ruleinfo, decisioninfo and decision reasons libzypp: - Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233) - Avoid redirecting 'history.logfile=/dev/null' into the target - Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956) - Enhance yaml-cpp detection - Improve download of optional files - MultiCurl: Make sure to reset the progress function when falling back. - Properly reset range requests (bsc#1204548) - Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. 
This will update the installed PTF packages to their latest version. - Skip media.1/media download for http repo status calc. This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls. - Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side. - ProgressData: enforce reporting the INIT||END state (bsc#1206949) - ps: fix service detection on newer Tumbleweed systems (bsc#1205636) zypper: - Allow to (re)add a service with the same URL (bsc#1203715) - Bump dependency requirement to libzypp-devel 17.31.7 or greater - Explain outdatedness of repositories - patterns: Avoid displaying superfluous @System entries (bsc#1205570) - Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions. 
- Update man page and explain '.no_auto_prune' (bsc#1204956) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1748-1 Released: Tue Apr 4 09:06:59 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1209624,CVE-2023-0464 This update for openssl-1_1 fixes the following issues: - CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1908-1 Released: Wed Apr 19 08:38:53 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1209873,1209878,CVE-2023-0465,CVE-2023-0466 This update for openssl-1_1 fixes the following issues: - CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878). - CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1991-1 Released: Tue Apr 25 13:22:19 2023 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1160285,1210096 This update for permissions fixes the following issues: * mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2048-1 Released: Wed Apr 26 21:05:45 2023 Summary: Security update for libxml2 Type: security Severity: important References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469 This update for libxml2 fixes the following issues: - CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412). - CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411). - CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). 
The following non-security bugs were fixed: - Added W3C conformance tests to the testsuite (bsc#1204585). - Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2068-1 Released: Fri Apr 28 13:55:00 2023 Summary: Security update for shadow Type: security Severity: moderate References: 1210507,CVE-2023-29383 This update for shadow fixes the following issues: - CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2074-1 Released: Fri Apr 28 17:02:25 2023 Summary: Security update for zstd Type: security Severity: moderate References: 1209533,CVE-2022-4899 This update for zstd fixes the following issues: - CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2104-1 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1209122 This update for procps fixes the following issue: - Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2111-1 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Type: security Severity: moderate References: 1210434,CVE-2023-29491 This update for ncurses fixes the following issues: - CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2133-1 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1206513 This update for zlib fixes the following issues: - Add DFLTCC support for using inflate() with a small window (bsc#1206513) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2226-1 Released: Wed May 17 09:55:49 2023 Summary: Security update for curl Type: security Severity: important References: 1206309,1207992,1209209,1209210,1209211,1209212,1209214,1211231,1211232,1211233,1211339,CVE-2022-43552,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322 This update for curl fixes the following issues: - CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231). - CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232). - CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233). - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). - CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2248-1 Released: Thu May 18 17:06:33 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1127591,1195633,1208329,1209406,1210870 This update for libzypp, zypper fixes the following issues: - Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633) - multicurl: propagate ssl settings stored in repo url (bsc#1127591) - MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870) - zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329) - Teach MediaNetwork to retry on HTTP2 errors. - Fix selecting installed patterns from picklist (bsc#1209406) - man: better explanation of --priority ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2327-1 Released: Tue May 30 16:44:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1211430,CVE-2023-2650 This update for openssl-1_1 fixes the following issues: - CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2333-1 Released: Wed May 31 09:01:28 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1210593 This update for zlib fixes the following issue: - Fix function calling order to avoid crashes (bsc#1210593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2472-1 Released: Thu Jun 8 10:05:45 2023 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1211661 This update for libzypp fixes the following issues: - Do not unconditionally release a medium if provideFile failed (bsc#1211661) - libzypp.spec.cmake: remove duplicate file listing - Update to version 17.31.12 (22) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2496-1 Released: Tue Jun 13 15:19:20 2023 Summary: Recommended update for libzypp Type: recommended Severity: important References: 1212187 This update for libzypp fixes the following issue: - Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2622-1 Released: Fri Jun 23 13:42:21 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1201627,1207534,CVE-2022-4304 This update for openssl-1_1 fixes the following issues: - CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption. The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case (bsc#1207534). 
- Update further expiring certificates that affect tests [bsc#1201627] * Add openssl-Update-further-expiring-certificates.patch ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2625-1 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: - Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204 * includes regression and other bug fixes - Speed up builds with --enable-link-serialization. - Update embedded newlib to version 4.2.0 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2644-1 Released: Tue Jun 27 09:23:49 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1211261,1212187,1212222 This update for libzypp, zypper fixes the following issues: libzypp was updated to version 17.31.14 (22): - build: honor libproxy.pc's includedir (bsc#1212222) - Curl: trim all custom headers (bsc#1212187) HTTP/2 RFC 9113 forbids fields ending with a space. So we make sure all custom headers are trimmed. This also includes headers returned by URL-Resolver plugins. 

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released: Thu Jul 20 12:00:17 2023
Summary: Recommended update for gpgme
Type: recommended
Severity: moderate
References: 1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2955-1
Released: Tue Jul 25 05:22:54 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1193015

This update for util-linux fixes the following issues:

- Fix memory leak on parse errors in libmount. (bsc#1193015)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released: Tue Jul 25 08:33:38 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211419,CVE-2023-2603

This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2961-1
Released: Tue Jul 25 09:32:56 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213487,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3068-1
Released: Mon Jul 31 16:33:43 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1213517

This update for openssl-1_1 fixes the following issues:

- Don't pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3434-1
Released: Thu Aug 24 15:05:22 2023
Summary: Security update for krb5
Type: security
Severity: important
References: 1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released: Tue Aug 29 10:55:16 2023
Summary: Security update for procps
Type: security
Severity: low
References: 1214290,CVE-2023-4016

This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3513-1
Released: Fri Sep 1 15:47:41 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1158763,1210740,1213231,1213557,1213673

This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3535-1
Released: Tue Sep 5 14:46:31 2023
Summary: Security update for glib2
Type: security
Severity: important
References: 1183533,1211945,1211946,1211947,1211948,1211951,CVE-2021-28153,CVE-2023-29499,CVE-2023-32611,CVE-2023-32636,CVE-2023-32643,CVE-2023-32665

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
- CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
- CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
- CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
- CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
- CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs.
  (bsc#1211951)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released: Mon Sep 18 21:44:09 2023
Summary: Security update for gcc12
Type: security
Severity: important
References: 1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released: Wed Sep 20 11:01:15 2023
Summary: Security update for libxml2
Type: security
Severity: important
References: 1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3937-1
Released: Tue Oct 3 11:33:38 2023
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1213854,1214292,1214395,1215007

This update for zypper fixes the following issues:

- Fix name of the bash completion script (bsc#1215007)
- Update notes about failing signature checks (bsc#1214395)
- Improve the SIGINT handler to be signal safe (bsc#1214292)
- Update to version 1.14.64
- Changed location of bash completion script (bsc#1213854).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3958-1
Released: Wed Oct 4 09:16:06 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value.
  (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4025-1
Released: Tue Oct 10 13:41:02 2023
Summary: Security update for shadow
Type: security
Severity: low
References: 1214806,CVE-2023-4641

This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4047-1
Released: Wed Oct 11 10:40:26 2023
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1215286,1215505,CVE-2023-4813

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Other changes:

- Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
- Run vismain only if linker supports protected data symbol (bsc#1215505)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released: Mon Oct 23 15:33:03 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package. Make libstdc++6 recommend timezone to get a fully
  working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released: Thu Oct 26 12:20:27 2023
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released: Thu Nov 16 14:38:48 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.
  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package. Make libstdc++6 recommend timezone to get a fully
  working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released: Thu Nov 16 17:56:12 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4512-1
Released: Tue Nov 21 17:25:02 2023
Summary: Security update for util-linux
Type: security
Severity: important
References: 1213865,CVE-2018-7738

This update for util-linux fixes the following issues:

- CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4520-1
Released: Tue Nov 21 17:42:13 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4536-1
Released: Thu Nov 23 08:19:05 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1041742,1203760,1212422,1215979,1216091

This update for libzypp, zypper fixes the following issues:

- Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- Fix comment typo on zypp.conf (bsc#1215979)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
- Make sure the old target is deleted before a new one is created (bsc#1203760)
- Return 104 also if info suggests near matches
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150000.3.60.1 updated
- coreutils-8.29-4.3.1 updated
- filesystem-15.0-11.8.1 updated
- glibc-2.26-150000.13.70.1 updated
- gpg2-2.2.5-150000.4.22.1 updated
- grep-3.1-150000.4.6.1 updated
- krb5-1.16.3-150100.3.30.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libaugeas0-1.10.1-150000.3.12.1 updated
- libblkid1-2.33.2-150100.4.40.1 updated
- libcap2-2.26-150000.4.9.1 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libcurl4-7.60.0-150000.51.1 updated
- libfdisk1-2.33.2-150100.4.40.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libglib-2_0-0-2.54.3-150000.4.29.1 updated
- libgnutls30-3.6.7-150000.6.45.2 updated
- libgpgme11-1.10.0-150000.4.6.2 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libldap-2_4-2-2.4.46-150000.9.74.3 updated
- libldap-data-2.4.46-150000.9.74.3 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libmount1-2.33.2-150100.4.40.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libnghttp2-14-1.40.0-150000.3.17.1 updated
- libopenssl1_1-1.1.0i-150100.14.68.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-lite20-3.9.2-150100.8.3.3 added
- libpsl5-0.20.1-150000.3.3.1 updated
- libsasl2-3-2.1.26-150000.5.13.1 updated
- libsmartcols1-2.33.2-150100.4.40.1 updated
- libsolv-tools-0.7.24-150100.4.12.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libsystemd0-234-150000.24.111.1 updated
- libtasn1-6-4.13-150000.4.8.1 updated
- libtasn1-4.13-150000.4.8.1 updated
- libtirpc-netconfig-1.0.2-150000.3.18.1 updated
- libtirpc3-1.0.2-150000.3.18.1 updated
- libudev1-234-150000.24.111.1 updated
- libusb-1_0-0-1.0.21-150000.3.5.1 updated
- libuuid1-2.33.2-150100.4.40.1 updated
- libxml2-2-2.9.7-150000.3.63.1 updated
- libyaml-cpp0_6-0.6.1-4.5.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.22-150100.3.120.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssl-1_1-1.1.0i-150100.14.68.1 added
- openssl-1.1.0i-3.3.1 added
- pam-1.3.0-150000.6.61.1 updated
- perl-base-5.26.1-150000.7.15.1 updated
- permissions-20181116-150100.9.41.1 updated
- procps-3.3.15-150000.7.34.1 updated
- shadow-4.6-150100.3.11.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- util-linux-2.33.2-150100.4.40.1 updated
- zypper-1.14.66-150100.3.90.1 updated
- container:sles15-image-15.0.0-6.2.848 updated
- libprotobuf-lite15-3.5.0-5.2.1 removed