SUSE-CU-2024:4378-1: Security update of suse/manager/5.0/x86_64/server

sle-container-updates at lists.suse.com
Tue Sep 17 11:36:55 UTC 2024


SUSE Container Update Advisory: suse/manager/5.0/x86_64/server
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:4378-1
Container Tags        : suse/manager/5.0/x86_64/server:5.0.1 , suse/manager/5.0/x86_64/server:5.0.1.7.5.1 , suse/manager/5.0/x86_64/server:latest
Container Release     : 7.5.1
Severity              : important
Type                  : security
References            : 1081596 1159034 1167721 1181625 1190273 1194818 1194818 1205628
                        1206627 1208913 1209377 1211583 1211753 1214980 1215341 1216063
                        1216908 1218609 1218640 1219004 1219559 1219660 1220356 1220523
                        1220664 1220690 1220693 1220696 1221365 1221563 1221751 1221752
                        1221753 1221760 1221786 1221787 1221821 1221822 1221824 1221827
                        1221854 1222021 1222075 1222075 1222285 1222693 1222804 1222807
                        1222811 1222813 1222814 1222821 1222822 1222826 1222828 1222830
                        1222833 1222834 1222899 1222985 1223094 1223107 1223336 1223535
                        1223571 1223724 1224014 1224016 1224038 1224051 1224113 1224113
                        1224115 1224116 1224118 1224771 1224797 1225267 1225907 1225976
                        1226014 1226030 1226100 1226125 1226128 1226157 1226447 1226448
                        1226463 1226463 1226469 1226493 1226664 1227067 1227106 1227127
                        1227138 1227138 1227205 1227268 1227269 1227270 1227271 1227272
                        1227276 1227278 1227298 1227298 1227308 1227353 1227399 1227456
                        1227525 1227574 1227625 1227711 1227793 1227888 1227918 1228042
                        1228046 1228046 1228047 1228047 1228048 1228048 1228050 1228051
                        1228051 1228052 1228052 1228105 1228124 1228138 1228149 1228206
                        1228208 1228255 1228256 1228257 1228258 1228265 1228322 1228322
                        1228420 1228535 1228548 1228732 1228770 1228787 1228968 1229013
                        1229329 1229465 1229975 1230093 222971 916845 CVE-2013-4235 CVE-2013-4235
                        CVE-2019-20633 CVE-2022-4065 CVE-2023-29483 CVE-2023-52425 CVE-2023-5388
                        CVE-2024-0397 CVE-2024-0450 CVE-2024-0760 CVE-2024-1737 CVE-2024-1975
                        CVE-2024-21131 CVE-2024-21131 CVE-2024-21138 CVE-2024-21138 CVE-2024-21140
                        CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21145 CVE-2024-21147
                        CVE-2024-21147 CVE-2024-24577 CVE-2024-34750 CVE-2024-36387 CVE-2024-37891
                        CVE-2024-38473 CVE-2024-38474 CVE-2024-38475 CVE-2024-38476 CVE-2024-38477
                        CVE-2024-39573 CVE-2024-39884 CVE-2024-4032 CVE-2024-4076 CVE-2024-4317
                        CVE-2024-5535 CVE-2024-5535 CVE-2024-6119 CVE-2024-6197 CVE-2024-6345
                        CVE-2024-7264 CVE-2024-7348 CVE-2024-8096 
-----------------------------------------------------------------

The container suse/manager/5.0/x86_64/server was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2405-1
Released:    Thu Jul 11 10:21:19 2024
Summary:     Security update for apache2
Type:        security
Severity:    important
References:  1227270,1227271,CVE-2024-38477,CVE-2024-39573
This update for apache2 fixes the following issues:

- CVE-2024-38477: Fixed null pointer dereference in mod_proxy (bsc#1227270)
- CVE-2024-39573: Fixed potential SSRF in mod_rewrite (bsc#1227271)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2479-1
Released:    Mon Jul 15 10:33:22 2024
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1219559,1220664,1221563,1221854,1222075,1226447,1226448,CVE-2023-52425,CVE-2024-0397,CVE-2024-0450,CVE-2024-4032
This update for python3 fixes the following issues:

- CVE-2023-52425: Fixed the backport so that it uses feature sniffing instead of only comparing the version number (bsc#1219559).
- CVE-2024-0450: Fixed detection of the 'quoted-overlap' zipbomb vulnerability (bsc#1221854).
- CVE-2024-4032: Rearranged the definition of private vs. global IP (bsc#1226448).
- CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2485-1
Released:    Mon Jul 15 14:37:17 2024
Summary:     Security update for tomcat
Type:        security
Severity:    important
References:  1227399,CVE-2024-34750
This update for tomcat fixes the following issues:

Updated to version 9.0.91:

- CVE-2024-34750: Fixed an improper handling of exceptional
  conditions (bsc#1227399).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2519-1
Released:    Tue Jul 16 13:46:38 2024
Summary:     Recommended update for salt
Type:        recommended
Severity:    moderate
References:  1216063
This update for salt fixes the following issues:

- Speed up salt.matcher.confirm_top by using __context__
- Do not call the async wrapper calls with the separate thread
- Prevent OOM with high amount of batch async calls (bsc#1216063)
- Add missing contextvars dependency in salt.version
- Skip tests for unsupported algorithm on old OpenSSL version
- Remove redundant `_file_find` call to the master
- Prevent possible exception in tornado.concurrent.Future._set_done
- Make reactor engine less blocking the EventPublisher
- Make salt-master self recoverable on killing EventPublisher
- Improve broken events catching and reporting
- Make logging calls lighter
- Remove unused import causing delays on starting salt-master
- Mark python3-CherryPy as recommended package for the testsuite

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2568-1
Released:    Mon Jul 22 05:19:24 2024
Summary:     Security update for mockito, snakeyaml, testng
Type:        security
Severity:    important
References:  1205628,CVE-2022-4065
This update for mockito, snakeyaml, testng fixes the following issues:

mockito was updated to version 5.11.0:

- Added bundle manifest to the mockito-core artifact
- Mockito 5 is making core changes to ensure compatibility with future JDK versions.
- Switch the Default MockMaker to mockito-inline (not applicable to mockito-android)

  * Mockito 2.7.6 introduced the mockito-inline mockmaker based on the 'inline bytecode' principle, offering
    compatibility advantages over the subclass mockmaker
  * This change avoids JDK restrictions, such as violating module boundaries and leaking subclass creation

- Legitimate use cases for the subclass mockmaker:

  * Scenarios where the inline mockmaker does not function, such as on Graal VM's native image
  * If avoiding mocking final classes, the subclass mockmaker remains a viable option, although issues may arise on
    JDK 17+
  * Mockito aims to support both mockmakers, allowing users to choose based on their requirements.

- Update the Minimum Supported Java Version to 11

  * Mockito 5 raised the minimum supported Java version to 11
  * Community member @reta contributed to this change.
  * Users still on JDK 8 can continue using Mockito 4, with minimal API differences between versions

- New type() Method on ArgumentMatcher

  * The ArgumentMatcher interface now includes a new type() method to support varargs methods, addressing previous
    limitations
  * Users can now differentiate between matching calls with any exact number of arguments or match any number of
    arguments
  * Mockito 5 provides a default implementation of the new method, ensuring backward compatibility.
  * No obligation for users to implement the new method; Mockito 5 considers Void.type by default for varargs handling
  * ArgumentCaptor is now fully type-aware, enabling capturing specific subclasses on a generic method.

- byte-buddy does not bundle asm, but uses objectweb-asm as external library

snake-yaml was updated to version 2.2:

- Changes of version 2.2:

  * Define default scalar style as PLAIN (for polyglot Maven)
  * Add missing 'exports org.yaml.snakeyaml.inspector' to module-info.java

- Changes of version 2.1:

  * Heavy Allocation in Emitter.analyzeScalar(String) due to Regex Overhead
  * Use identity in toString() for sequences to avoid OutOfMemoryError
  * NumberFormatException from SnakeYAML due to int overflow for corrupt YAML version
  * Document size limit should be applied to single document not the whole input stream
  * Detect invalid Unicode code point (thanks to Tatu Saloranta)
  * Remove Trusted*Inspector classes from main sources tree

- Changes of version 2.0:

  * Rollback to Java 7 target
  * Add module-info.java
  * Migrate to Java 8
  * Remove many deprecated constructors
  * Remove long deprecated methods in FlowStyle
  * Do not allow global tags by default
  * Yaml.LoadAs() signature to support Class<? super T> type instead of Class<T>
  * CustomClassLoaderConstructor takes LoaderOptions
  * Check input parameters for non-null values

testng was updated to version 7.10.1:

- Security issues fixed:

  * CVE-2022-4065: Fixed Zip Slip Vulnerability (bsc#1205628)

- Changes of version 7.10.1:

  * Fixed maven build with junit5

- Changes of version 7.10.0:

  * Minor discrepancy fixes
  * Deleting TestNG eclipse plugin specific classes
  * Remove deprecated JUnit related support in TestNG
  * Handle exceptions in emailable Reporter
  * Added wrapperbot and update workflow order
  * Support ITestNGFactory customisation
  * Streamlined data provider listener invocation
  * Streamlined Guice Module creation in concurrency.
  * Copy test result attributes when unexpected failures
  * chore: use explicit dependency versions instead of refreshVersions
  * Removed Ant
  * Support ordering of listeners
  * Added errorprone
  * Allow custom thread pool executors to be wired in.
  * Allow data providers to be non cacheable
  * Use Locks instead of synchronised keyword
  * Document pgp artifact signing keys
  * Added Unique Id for all test class instances
  * Added issue management workflows
  * Map object to configurations
  * Allow listeners to be disabled at runtime
  * Streamlined Data Provider execution
  * Honour inheritance when parsing listener factories
  * Tweaks around accessing SuiteResult
  * Streamlined random generation
  * Streamlined dependencies for configurations

- Changes of version 7.9.0:

  * Fixed maps containing nulls can be incorrectly considered equal
  * Test Results as artifacts for failed runs
  * Fixed data races
  * Don't honour params specified in suite-file tag
  * Decouple SuiteRunner and TestRunner
  * Disable Native DI for BeforeSuite methods
  * Streamlined running Parallel Dataproviders+retries
  * Removed extra whitespace in log for Configuration.createMethods()
  * Added the link for TestNG Documentation's GitHub Repo in README.md
  * FirstTimeOnlyConfig methods + Listener invocations
  * Added overrideGroupsFromCliInParentChildXml test
  * Ensure thread safety for attribute access
  * Added @inherited to the Listeners annotation
  * Restrict Group inheritance to Before|AfterGroups
  * Ensure ITestResult injected to @AfterMethod is apt
  * Support suite level thread pools for data provider
  * Favour CompletableFuture instead of PoolService
  * Favour FutureTask for concurrency support
  * Shared Threadpool for normal/datadriven tests.
  * Abort for invalid combinations

- Changes of version 7.8.0:

  * [Feature] Not exception but warning if some (not all) of the given test names are not found in suite files.
  * [Feature] Generate testng-results.xml per test suite
  * [Feature] Allow test classes to define 'configfailurepolicy' at a per class level
  * XmlTest index is not set for test suites invoked with YAML
  * Listener's onAfterClass is called before @afterclass configuration methods are executed.
  * After upgrading to TestNG 7.5.0, setting ITestResult.status to FAILURE doesn't fail the test anymore
  * JUnitReportReporter should capture the test case output at the test case level
  * TestNG.xml doesn't honour Parallel value of a clone
  * before configuration and before invocation should be 'SKIP' when beforeMethod is 'skip'
  * Test listeners specified in parent testng.xml file are not included in testng-failed.xml file
  * Discrepancies with DataProvider and Retry of failed tests
  * Skipped Tests with DataProvider appear as failed
  * testng-results xml reports config skips from base classes as ignored
  * Feature: Check that specific object present in List
  * Upgraded snakeyaml to 2.0

- Changes of version 7.7.1:

  * Streamline overloaded assertion methods for Groovy

- Changes of version 7.7.0:

  * Replace FindBugs by SpotBugs
  * Gradle: Drop forUseAtConfigurationTime()
  * Added ability to provide custom message to assertThrows\expectThrows methods
  * Only resolve hostname once
  * Prevent overlogging of debug msgs in Graph impl
  * Streamlined dataprovider invoking in abstract classes
  * Streamlined TestResult due to expectedExceptions
  * Unexpected test runs count with retry analyzer
  * Make PackageUtils compliant with JPMS
  * Ability to retry a data provider during failures
  * Fixing bug with DataProvider retry
  * Added config key for callback discrepancy behavior
  * Fixed FileAlreadyExistsException error on copy
  * JarFileUtils.delete(File f) throw actual exception (instead of FileNotFound) when file cannot be deleted #2825
  * Changing assertion message of the osgitest
  * Enhancing the Matrix
  * Avoid Compilation errors on Semeru JDK flavour.
  * Add addition yml extension
  * Support getting dependencies info for a test
  * Honour regex in dependsOnMethods
  * Ensure All tests run all the time
  * Deprecate support for running Spock Tests
  * Streamline dependsOnMethods for configurations
  * Ensure ITestContext available for JUnit4 tests
  * Deprecate support for running JUnit tests
  * Changes of 7.6.1
  * Fix Files.copy() such that parent dirs are created
  * Remove deprecated utility methods

- Changes of version 7.6.0:

  * Remove redundant Parameter implementation
  * Upgraded to JDK11
  * Move SimpleBaseTest to be Kotlin based
  * Restore testnames when using suites in suite.
  * Moving ClassHelperTests into Kotlin
  * IHookable and IConfigurable callback discrepancy
  * Minor refactoring
  * Add additional condition for assertEqualsNoOrder
  * beforeConfiguration() listener method should be invoked for skipped configurations as well
  * Keep the initial order of listeners
  * SuiteRunner could not be initial by default Configuration
  * Enable Dataprovider failures to be considered.
  * BeforeGroups should run before any matched test
  * Fixed possible StringIndexOutOfBoundsException exception in XmlReporter
  * DataProvider: possibility to unload dataprovider class, when done with it
  * Fixed possibility that AfterGroups method is invoked before all tests
  * Fixed equals implementation for WrappedTestNGMethod
  * Wire-In listeners consistently
  * Streamline AfterClass invocation
  * Show FQMN for tests in console
  * Honour custom attribute values in TestNG default reports


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2581-1
Released:    Mon Jul 22 12:48:13 2024
Summary:     Recommended update for sssd
Type:        recommended
Severity:    moderate
References:  1226157
This update for sssd fixes the following issue:

- Revert the change dropping the default configuration file. If
  /usr/etc exists, the file will be installed there, otherwise in /etc
  (bsc#1226157)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2587-1
Released:    Mon Jul 22 13:44:54 2024
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1227456
This update for openssh fixes the following issues:

- Remove empty line at the end of sshd-sle.pamd (bsc#1227456)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2597-1
Released:    Tue Jul 23 09:03:59 2024
Summary:     Security update for apache2
Type:        security
Severity:    important
References:  1227268,1227269,1227272,CVE-2024-36387,CVE-2024-38475,CVE-2024-38476
This update for apache2 fixes the following issues:

- CVE-2024-36387: Fixed DoS by null pointer in websocket over HTTP/2 (bsc#1227272)
- CVE-2024-38475: Fixed improper escaping of output in mod_rewrite (bsc#1227268)
- CVE-2024-38476: Fixed an issue where the server may use exploitable/malicious backend application output to run local handlers via internal redirect (bsc#1227269)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2610-1
Released:    Sat Jul 27 16:42:39 2024
Summary:     Security update for libgit2
Type:        security
Severity:    important
References:  1219660,CVE-2024-24577
This update for libgit2 fixes the following issues:

- CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2628-1
Released:    Tue Jul 30 09:09:07 2024
Summary:     Security update for java-17-openjdk
Type:        security
Severity:    important
References:  1227298,1228046,1228047,1228048,1228051,1228052,CVE-2024-21131,CVE-2024-21138,CVE-2024-21140,CVE-2024-21145,CVE-2024-21147
This update for java-17-openjdk fixes the following issues:

Updated to version 17.0.12+7 (July 2024 CPU):

- CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
- CVE-2024-21138: Fixed an infinite loop due to excessive symbol
  length (bsc#1228047).
- CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check
  Elimination (bsc#1228048).
- CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling
  (bsc#1228052).
- CVE-2024-21145: Fixed an index overflow in RangeCheckElimination
  (bsc#1228051).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2629-1
Released:    Tue Jul 30 09:11:33 2024
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    important
References:  1227298,1228046,1228047,1228048,1228050,1228051,1228052,CVE-2024-21131,CVE-2024-21138,CVE-2024-21140,CVE-2024-21144,CVE-2024-21145,CVE-2024-21147
This update for java-11-openjdk fixes the following issues:

Updated to version 11.0.24+8 (July 2024 CPU):

- CVE-2024-21131: Fixed a potential UTF8 size overflow (bsc#1228046).
- CVE-2024-21138: Fixed an infinite loop due to excessive symbol
  length (bsc#1228047).
- CVE-2024-21140: Fixed a pre-loop limit overflow in Range Check
  Elimination (bsc#1228048).
- CVE-2024-21147: Fixed an out-of-bounds access in 2D image handling
  (bsc#1228052).
- CVE-2024-21145: Fixed an index overflow in RangeCheckElimination
  (bsc#1228051).
- CVE-2024-21144: Fixed an excessive loading time in Pack200 due to
  improper header validation (bsc#1228050).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2630-1
Released:    Tue Jul 30 09:12:44 2024
Summary:     Security update for shadow
Type:        security
Severity:    important
References:  916845,CVE-2013-4235
This update for shadow fixes the following issues:

- CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2635-1
Released:    Tue Jul 30 09:14:09 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    important
References:  1222899,1223336,1226463,1227138,CVE-2024-5535
This update for openssl-3 fixes the following issues:

Security fixes:

- CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)

Other fixes:

- Build with no-afalgeng (bsc#1226463)
- Build with enabled sm2 and sm4 support (bsc#1222899)
- Fix non-reproducibility issue (bsc#1223336)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2636-1
Released:    Tue Jul 30 09:14:22 2024
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1228255,1228256,1228257,1228258,CVE-2024-0760,CVE-2024-1737,CVE-2024-1975,CVE-2024-4076
This update for bind fixes the following issues:

Update to release 9.18.28

Security fixes:

- CVE-2024-0760: Fixed an issue where a flood of DNS messages over TCP may make the server unstable (bsc#1228255)
- CVE-2024-1737: Fixed an issue where BIND's database will be slow if a very large number of RRs exist at the same name (bsc#1228256)
- CVE-2024-1975: Fixed an issue where SIG(0) can be used to exhaust CPU resources (bsc#1228257)
- CVE-2024-4076: Fixed assertion failure when serving both stale cache data and authoritative zone content (bsc#1228258)

Changelog:

  * Command-line options for IPv4-only (named -4) and IPv6-only
    (named -6) modes are now respected for zone primaries,
    also-notify, and parental-agents.
  * An RPZ response’s SOA record TTL was set to 1 instead of the
    SOA TTL, if add-soa was used. This has been fixed.
  * When a query related to zone maintenance (NOTIFY, SOA) timed
    out close to a view shutdown (triggered e.g. by rndc reload),
    named could crash with an assertion failure. This has been
    fixed.
  * The statistics channel counters that indicated the number of
    currently connected TCP IPv4/IPv6 clients were not properly
    adjusted in certain failure scenarios. This has been fixed.
  * Some servers that could not be reached due to EHOSTDOWN or
    ENETDOWN conditions were incorrectly prioritized during server
    selection. These are now properly handled as unreachable.
  * On some systems the libuv call may return an error code when
    sending a TCP reset for a connection, which triggers an
    assertion failure in named. This error condition is now dealt
    with in a more graceful manner, by logging the incident and
    shutting down the connection.
  * Changes to listen-on statements were ignored on reconfiguration
    unless the port or interface address was changed, making it
    impossible to change a related listener transport type. That
    issue has been fixed.
  * A bug in the keymgr code unintentionally slowed down some
    DNSSEC key rollovers. This has been fixed.
  * Some ISO 8601 durations were accepted erroneously, leading to
    shorter durations than expected. This has been fixed.
  * A regression in cache-cleaning code enabled memory use to grow
    significantly more quickly than before, until the configured
    max-cache-size limit was reached. This has been fixed.
  * Using rndc flush inadvertently caused cache cleaning to become
    less effective. This could ultimately lead to the configured
    max-cache-size limit being exceeded and has now been fixed.
  * The logic for cleaning up expired cached DNS records was
    tweaked to be more aggressive. This change helps with enforcing
    max-cache-ttl and max-ncache-ttl in a timely manner.
  * It was possible to trigger a use-after-free assertion when the
    overmem cache cleaning was initiated. This has been fixed.
  New Features:
  * A new option signatures-jitter has been added to dnssec-policy
    to allow signature expirations to be spread out over a period
    of time.
  * The statistics channel now includes counters that indicate the
    number of currently connected TCP IPv4/IPv6 clients.
  * Added RESOLVER.ARPA to the built in empty zones.
  Feature Changes:
  * DNSSEC signatures that are not valid because the current time
    falls outside the signature inception and expiration dates are
    skipped instead of causing an immediate validation failure.
  Security Fixes:
  * A malicious DNS client that sent many queries over TCP but
    never read the responses could cause a server to respond slowly
    or not at all for other clients. This has been fixed.
    (CVE-2024-0760)
  * It is possible to craft excessively large resource records
    sets, which have the effect of slowing down database
    processing. This has been addressed by adding a configurable
    limit to the number of records that can be stored per name and
    type in a cache or zone database. The default is 100, which can
    be tuned with the new max-records-per-type option.
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    adding a configurable limit to the number of records that can
    be stored per name and type in a cache or zone database. The
    default is 100, which can be tuned with the new
    max-types-per-name option. (CVE-2024-1737)
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
  * Due to a logic error, lookups that triggered serving stale data
    and required lookups in local authoritative zone data could
    have resulted in an assertion failure. This has been fixed.
  * Potential data races were found in our DoH implementation,
    related to HTTP/2 session object management and endpoints set
    object management after reconfiguration. These issues have been
    fixed.
  * When looking up the NS records of parent zones as part of
    looking up DS records, it was possible for named to trigger an
    assertion failure if serve-stale was enabled. This has been
    fixed. (CVE-2024-4076)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2641-1
Released:    Tue Jul 30 09:29:36 2024
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  
This update for systemd fixes the following issues:

systemd was updated from version 254.13 to version 254.15:
    
- Changes in version 254.15:

  * boot: cover for hardware keys on phones/tablets
  * Conditional PSI check to reflect changes done in 5.13
  * core/dbus-manager: refuse SoftReboot() for user managers
  * core/exec-invoke: reopen OpenFile= fds with O_NOCTTY
  * core/exec-invoke: use sched_setattr instead of sched_setscheduler
  * core/unit: follow merged units before updating SourcePath= timestamp too
  * coredump: correctly take tmpfs size into account for compression
  * cryptsetup: improve TPM2 blob display
  * docs: Add section to HACKING.md on distribution packages
  * docs: fixed dead link to GNOME documentation
  * docs/CODING_STYLE: document that we nowadays prefer (const char*) for func ret type
  * Fixed typo in CAP_BPF description
  * LICENSES/README: expand text to summarize state for binaries and libs
  * man: fully adopt ~/.local/state/
  * man/systemd.exec: list inaccessible files for ProtectKernelTunables
  * man/tmpfiles: remove outdated behavior regarding symlink ownership
  * meson: bpf: propagate 'sysroot' for cross compilation
  * meson: Define __TARGET_ARCH macros required by bpf
  * mkfs-util: Set sector size for btrfs as well
  * mkosi: drop CentOS 8 from CI
  * mkosi: Enable hyperscale-packages-experimental for CentOS
  * mountpoint-util: do not assume symlinks are not mountpoints
  * os-util: avoid matching on the wrong extension-release file
  * README: add missing CONFIG_MEMCG kernel config option for oomd
  * README: update requirements for signed dm-verity
  * resolved: allow the full TTL to be used by OPT records
  * resolved: correct parsing of OPT extended RCODEs
  * sysusers: handle NSS errors gracefully
  * TEST-58-REPART: reverse order of diff args
  * TEST-64-UDEV-STORAGE: Make nvme_subsystem expected pci symlinks more generic
  * test: fixed TEST-24-CRYPTSETUP on SUSE
  * test: install /etc/hosts
  * Use consistent spelling of systemd.condition_first_boot argument
  * util: make file_read() 64bit offset safe
  * vmm: make sure we can handle smbios objects without variable part
    
- Changes in version 254.14:

  * analyze: show pcrs also in sha384 bank
  * chase: Tighten '.' and './' check
  * core/service: fixed accept-socket deserialization
  * efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
  * executor: check for all permission related errnos when setting up IPC namespace
  * install: allow removing symlinks even for units that are gone
  * json: use secure un{base64,hex}mem for sensitive variants
  * man,units: drop 'temporary' from description of systemd-tmpfiles
  * missing_loop.h: fixed LOOP_SET_STATUS_SETTABLE_FLAGS
  * repart: fixed memory leak
  * repart: Use CRYPT_ACTIVATE_PRIVATE
  * resolved: permit dnssec rrtype questions when we aren't validating
  * rules: Limit the number of device units generated for serial ttys
  * run: do not pass the pty slave fd to transient service in a machine
  * sd-dhcp-server: clear buffer before receive
  * strbuf: use GREEDY_REALLOC to grow the buffer

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2655-1
Released:    Tue Jul 30 15:34:16 2024
Summary:     Security update for python-dnspython
Type:        security
Severity:    moderate
References:  1222693,CVE-2023-29483
This update for python-dnspython fixes the following issues:

  - CVE-2023-29483: Fixed an issue that allowed remote attackers to
    interfere with DNS name resolution (bsc#1222693).  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2662-1
Released:    Tue Jul 30 15:41:34 2024
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1226469,CVE-2024-37891
This update for python-urllib3 fixes the following issues:

- CVE-2024-37891: Fixed an issue where the proxy-authorization request header is not stripped during cross-origin redirects (bsc#1226469)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2667-1
Released:    Tue Jul 30 16:14:01 2024
Summary:     Recommended update for libxkbcommon
Type:        recommended
Severity:    moderate
References:  1218640,1228322

This update of libxkbcommon fixes the following issue:

- Ship libxkbregistry0-32bit and libxkbregistry-devel-32bit for use by Wine. (bsc#1218640 bsc#1228322)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2677-1
Released:    Wed Jul 31 06:58:52 2024
Summary:     Recommended update for wicked
Type:        recommended
Severity:    important
References:  1225976,1226125,1226664
This update for wicked fixes the following issues:

- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of infiniband children
- client: fix origin in loaded xml-config with obsolete port references but missing port interface config, causing a no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
- arputil: Document minimal interval for getopts
- man: (re)generate man pages from md sources
- client: warn on interface wait time reached
- compat-suse: fix dummy type detection from ifname to not cause conflicts with e.g. correct vlan config on dummy0.42 interfaces
- compat-suse: fix infiniband and infiniband child type detection from ifname

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2684-1
Released:    Wed Jul 31 20:04:41 2024
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1214980,1222804,1222807,1222811,1222813,1222814,1222821,1222822,1222826,1222828,1222830,1222833,1222834,1223724,1224113,1224115,1224116,1224118,1227918,CVE-2023-5388
This update for mozilla-nss fixes the following issues:

- Fixed startup crash of Firefox when using FIPS-mode (bsc#1223724).
- Added 'Provides: nss' so other RPMs that require 'nss' can
  be installed (jira PED-6358).

- FIPS: added safe memsets (bsc#1222811)
- FIPS: restrict AES-GCM (bsc#1222830)
- FIPS: Updated FIPS approved cipher lists (bsc#1222813, bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118)
- FIPS: Updated FIPS self tests (bsc#1222807, bsc#1222828, bsc#1222834)
- FIPS: Updated FIPS approved cipher lists (bsc#1222804, bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116)

- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh 
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

Update to NSS 3.101.2:

* bmo#1905691 - ChaChaXor to return after the function

Update to NSS 3.101.1:

* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.

Update to NSS 3.101:

* add diagnostic assertions for SFTKObject refcount.
* freeing the slot in DeleteCertAndKey if authentication failed
* fix formatting issues.
* Add Firmaprofesional CA Root-A Web to NSS.
* remove invalid acvp fuzz test vectors.
* pad short P-384 and P-521 signatures gtests.
* remove unused FreeBL ECC code.
* pad short P-384 and P-521 signatures.
* be less strict about ECDSA private key length.
* Integrate HACL* P-521.
* Integrate HACL* P-384.
* memory leak in create_objects_from_handles.
* ensure all input is consumed in a few places in mozilla::pkix
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* clean up escape handling
* Use lib::pkix as default validator instead of the old-one
* Need to add high level support for PQ signing.
* Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* Allow for non-full length ecdsa signature when using softoken
* Modification of .taskcluster.yml due to mozlint indent defects
* Implement support for PBMAC1 in PKCS#12
* disable VLA warnings for fuzz builds.
* remove redundant AllocItem implementation.
* add PK11_ReadDistrustAfterAttribute.
* Clang-formatting of SEC_GetMgfTypeByOidTag update
* Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* sftk_getParameters(): Fix fallback to default variable after error with configfile.
* Switch to the mozillareleases/image_builder image

- switch from ec_field_GFp to ec_field_plain

Update to NSS 3.100:

* merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.
* remove ckcapi.
* avoid a potential PK11GenericObject memory leak.
* Remove incomplete ESDH code.
* Decrypt RSA OAEP encrypted messages.
* Fix certutil CRLDP URI code.
* Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* Add ability to encrypt and decrypt CMS messages using ECDH.
* Correct Templates for key agreement in smime/cmsasn.c.
* Moving the decodedCert allocation to NSS.
* Allow developers to speed up repeated local execution of NSS tests that depend on certificates.

Update to NSS 3.99:

* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

Update to NSS 3.98:

* (CVE-2023-5388) Timing attack against RSA decryption in TLS
* Certificate Compression: enabling the check that the compression was advertised
* Move Windows workers to nss-1/b-win2022-alpha
* Remove Email trust bit from OISTE WISeKey Global Root GC CA
* Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`
* Certificate Compression: Updating nss_bogo_shim to support Certificate compression
* TLS Certificate Compression (RFC 8879) Implementation
* Add valgrind annotations to freebl kyber operations for constant-time execution tests
* Set nssckbi version number to 2.66
* Add Telekom Security roots
* Add D-Trust 2022 S/MIME roots
* Remove expired Security Communication RootCA1 root
* move keys to a slot that supports concatenation in PK11_ConcatSymKeys
* remove unmaintained tls-interop tests
* bogo: add support for the -ipv6 and -shim-id shim flags
* bogo: add support for the -curves shim flag and update Kyber expectations
* bogo: adjust expectation for a key usage bit test
* mozpkix: add option to ignore invalid subject alternative names
* Fix selfserv not stripping `publicname:` from -X value
* take ownership of ecckilla shims
* add valgrind annotations to freebl/ec.c
* PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* Update zlib to 1.3.1

Update to NSS 3.97:

* make Xyber768d00 opt-in by policy
* add libssl support for xyber768d00
* add PK11_ConcatSymKeys
* add Kyber and a PKCS#11 KEM interface to softoken
* add a FreeBL API for Kyber
* part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* part 1: add a script for vendoring kyber from pq-crystals repo
* Removing the calls to RSA Blind from loader.*
* fix worker type for level3 mac tasks
* RSA Blind implementation
* Remove DSA selftests
* read KWP testvectors from JSON
* Backed out changeset dcb174139e4f
* Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* Wrap CC shell commands in gyp expansions

Update to NSS 3.96.1:

* Use pypi dependencies for MacOS worker in ./build_gyp.sh
* p7sign: add -a hash and -u certusage (also p7verify cleanups)
* add a defensive check for large ssl_DefSend return values
* Add dependency to the taskcluster script for Darwin
* Upgrade version of the MacOS worker for the CI

Update to NSS 3.95:

* Bump builtins version number.
* Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.
* Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* Remove 3 TrustCor Root Certificates from NSS.
* Remove Camerfirma root certificates from NSS.
* Remove old Autoridad de Certificacion Firmaprofesional Certificate.
* Add four Commscope root certificates to NSS.
* Add TrustAsia Global Root CA G3 and G4 root certificates.
* Include P-384 and P-521 Scalar Validation from HACL*
* Include P-256 Scalar Validation from HACL*.
* After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level
* Add means to provide library parameters to C_Initialize
* add OSXSAVE and XCR0 tests to AVX2 detection.
* Typo in ssl3_AppendHandshakeNumber
* Introducing input check of ssl3_AppendHandshakeNumber
* Fix Invalid casts in instance.c

Update to NSS 3.94:

* Updated code and commit ID for HACL*
* update ACVP fuzzed test vector: refuzzed with current NSS
* Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants
* NSS needs a database tool that can dump the low level representation of the database
* declare string literals using char in pkixnames_tests.cpp
* avoid implicit conversion for ByteString
* update rust version for acvp docker
* Moving the init function of the mpi_ints before clean-up in ec.c
* P-256 ECDH and ECDSA from HACL*
* Add ACVP test vectors to the repository
* Stop relying on std::basic_string<uint8_t>
* Transpose the PPC_ABI check from Makefile to gyp

Update to NSS 3.93:

* Update zlib in NSS to 1.3.
* softoken: iterate hashUpdate calls for long inputs.
* regenerate NameConstraints test certificates (bsc#1214980).

Update to NSS 3.92:

* Set nssckbi version number to 2.62
* Add 4 Atos TrustedRoot Root CA certificates to NSS
* Add 4 SSL.com Root CA certificates
* Add Sectigo E46 and R46 Root CA certificates
* Add LAWtrust Root CA2 (4096)
* Remove E-Tugra Certification Authority root
* Remove Camerfirma Chambers of Commerce Root.
* Remove Hongkong Post Root CA 1
* Remove E-Tugra Global Root CA ECC v3 and RSA v3
* Avoid redefining BYTE_ORDER on hppa Linux

Update to NSS 3.91:

* Implementation of the HW support check for ADX instruction
* Removing the support of Curve25519
* Fix comment about the addition of ticketSupportsEarlyData
* Adding args to enable-legacy-db build
* dbtests.sh failure in 'certutil dump keys with explicit default trust flags'
* Initialize flags in slot structures
* Improve the length check of RSA input to avoid heap overflow
* Followup Fixes
* avoid processing unexpected inputs by checking for m_exptmod base sign
* add a limit check on order_k to avoid infinite loop
* Update HACL* to commit 5f6051d2
* add SHA3 to cryptohi and softoken
* HACL SHA3
* Disabling ASM C25519 for A but X86_64

Update to NSS 3.90.3:

* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* clean up escape handling.
* remove redundant AllocItem implementation.
* Disable ASM support for Curve25519.
* Disable ASM support for Curve25519 for all but X86_64. 

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2024:2688-1
Released:    Thu Aug  1 07:00:59 2024
Summary:     Feature update for Public Cloud
Type:        feature
Severity:    important
References:  1222075,1227067,1227106,1227711
This update for Public Cloud fixes the following issues:

- Added Public Cloud packages and dependencies to SLE Micro 5.5 to enhance SUSE Manager 5.0 (jsc#SMO-345):
  
  * google-guest-agent (no source changes) 
  * google-guest-configs (no source changes) 
  * google-guest-oslogin (no source changes) 
  * google-osconfig-agent (no source changes) 
  * growpart-rootgrow (no source changes) 
  * python-azure-agent (includes bug fixes, see below)
  * python-cssselect (no source changes)
  * python-instance-billing-flavor-check (no source changes)
  * python-toml (no source changes)
  * python3-lxml (includes a bug fix, see below)

- python-azure-agent received the following fixes:
 
  * Use the proper option to force btrfs to overwrite a file system on the resource disk if one already exists
    (bsc#1227711)
  * Set Provisioning.Agent parameter to 'cloud-init' in SLE Micro 5.5 and newer (bsc#1227106)
  * Do not package `waagent2.0` in Python 3 builds
  * Do not require `wicked` in non-SUSE build environments
  * Apply python3 interpreter patch in non SLE build environments (bsc#1227067)

- python3-lxml also received the following fix:
    
  * Fixed compatibility with system libexpat in tests (bnc#1222075)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2691-1
Released:    Thu Aug  1 12:12:47 2024
Summary:     Recommended update for fence-agents
Type:        recommended
Severity:    moderate
References:  1224797
This update for fence-agents fixes the following issues:

- Fix Azure native fencing not starting due to the Python version. (bsc#1224797) (jsc#PED-8887)

- The updated fence-agents no longer includes the Azure fence-agents.

- If you are on Azure, you additionally need to install the package fence-agents-azure-arm.
  This package (fence-agents-azure-arm) is only installable with the Public Cloud Module enabled,
  which provides the required Python3.11 dependencies.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2747-1
Released:    Mon Aug  5 18:14:40 2024
Summary:     Recommended update for suseconnect-ng
Type:        recommended
Severity:    important
References:  1219004,1223107,1226128
This update for suseconnect-ng fixes the following issues:

- Version update
  * Added uname as collector
  * Added SAP workload detection
  * Added detection of container runtimes
  * Multiple fixes on ARM64 detection
  * Use `read_values` for the CPU collector on Z
  * Fixed data collection for ppc64le
  * Grab the home directory from /etc/passwd if needed (bsc#1226128)
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose content are backed
    up and restored if a zypper-migration rollback happens (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation
    self-signed SSL certificate (bsc#1223107)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2779-1
Released:    Tue Aug  6 14:35:49 2024
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1228548

This update for permissions fixes the following issue:

* cockpit: moved setuid executable (bsc#1228548)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2780-1
Released:    Tue Aug  6 14:36:01 2024
Summary:     Security update for patch
Type:        security
Severity:    low
References:  1167721,CVE-2019-20633
This update for patch fixes the following issues:

- CVE-2019-20633: Fixed double-free/OOB read in pch.c (bsc#1167721)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2784-1
Released:    Tue Aug  6 14:58:38 2024
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1227888,1228535,CVE-2024-6197,CVE-2024-7264
This update for curl fixes the following issues:

- CVE-2024-7264: Fixed ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Fixed freeing stack buffer in utf8asn1str (bsc#1227888)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2788-1
Released:    Tue Aug  6 15:50:29 2024
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1227574
This update for sudo fixes the following issue:

- Fix wrong permissions on /usr/share/polkit-1/rules.d (bsc#1227574).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2791-1
Released:    Tue Aug  6 16:35:06 2024
Summary:     Recommended update for various 32bit packages
Type:        recommended
Severity:    moderate
References:  1228322

This update of various packages delivers 32bit variants to allow running Wine
on SLE PackageHub 15 SP6.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2808-1
Released:    Wed Aug  7 09:49:32 2024
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1228770,CVE-2013-4235
This update for shadow fixes the following issues:

- Fixed skel files not being copied (bsc#1228770)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2869-1
Released:    Fri Aug  9 15:59:29 2024
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1220356,1227525
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2886-1
Released:    Tue Aug 13 09:46:48 2024
Summary:     Recommended update for dmidecode
Type:        recommended
Severity:    moderate
References:  
This update for dmidecode fixes the following issues:

- Version update (jsc#PED-8574):
  * Support for SMBIOS 3.6.0. This includes new memory device types, new
    processor upgrades, and Loongarch support
  * Support for SMBIOS 3.7.0. This includes new port types, new processor
    upgrades, new slot characteristics and new fields for memory modules
  * Add bash completion
  * Decode HPE OEM records 197, 216, 224, 230, 238, 239, 242 and 245
  * Implement options --list-strings and --list-types
  * Update HPE OEM records 203, 212, 216, 221, 233 and 236
  * Update Redfish support
  * Bug fixes:
    - Fix enabled slot characteristics not being printed
  * Minor improvements:
    - Print slot width on its own line
    - Use standard strings for slot width
  * Add a --no-quirks option
  * Drop the CPUID exception list
  * Obsolete patches removed:
    dmidecode-do-not-let-dump-bin-overwrite-an-existing-file,
    dmidecode-fortify-entry-point-length-checks,
    dmidecode-split-table-fetching-from-decoding,
    dmidecode-write-the-whole-dump-file-at-once,
    dmioem-fix-segmentation-fault-in-dmi_hp_240_attr,
    dmioem-hpe-oem-record-237-firmware-change,
    dmioem-typo-fix-virutal-virtual,
    ensure-dev-mem-is-a-character-device-file,
    news-fix-typo,
    use-read_file-to-read-from-dump
Update for HPE servers from upstream:
- dmioem-update-hpe-oem-type-238 patch: Decode PCI bus segment in
  HPE type 238 records

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2888-1
Released:    Tue Aug 13 11:07:41 2024
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1159034,1194818,1218609,1222285
This update for util-linux fixes the following issues:

- agetty: Prevent login cursor escape (bsc#1194818).
- Document unexpected side effects of lazy destruction (bsc#1159034).
- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them (bsc#1222285).
- Improved man page for chcpu (bsc#1218609).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2912-1
Released:    Wed Aug 14 20:20:13 2024
Summary:     Recommended update for cloud-regionsrv-client
Type:        recommended
Severity:    important
References:  1222985,1223571,1224014,1224016,1227308
This update for cloud-regionsrv-client contains the following fixes:

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2918-1
Released:    Thu Aug 15 06:59:39 2024
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1223535,1226100,1228124
This update for grub2 fixes the following issues:

- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
- Fix error in grub-install when root is on tmpfs (bsc#1226100)
- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2932-1
Released:    Thu Aug 15 12:05:04 2024
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1222021,1227127,1228265
This update for supportutils fixes the following issues:

Changes to version 3.2.8

+ Avoid getting duplicate kernel verifications in boot.text (pr#190)
+ lvm: suppress file descriptor leak warnings from lvm commands (pr#191)
+ docker_info: Add timestamps to container logs (pr#196)
+ Key value pairs and container log timestamps (bsc#1222021 PED-8211, pr#198)
+ Update supportconfig get pam.d sorted (pr#199)
+ yast_files: Exclude .zcat (pr#201)
+ Sanitize grub bootloader (bsc#1227127, pr#203)
+ Sanitize regcodes (pr#204)
+ Improve product detection (pr#205)
+ Add read_values for s390x (bsc#1228265, pr#206)
+ hardware_info: Remove old alsa ver check (pr#209)
+ drbd_info: Fix incorrect escape of quotes (pr#210)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:2933-1
Released:    Thu Aug 15 12:12:50 2024
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1225907,1226463,1227138,CVE-2024-5535
This update for openssl-1_1 fixes the following issues:

- CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

Other fixes:
- Build with no-afalgeng. (bsc#1226463)
- Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2957-1
Released:    Mon Aug 19 10:48:01 2024
Summary:     Recommended update for ldb, samba
Type:        recommended
Severity:    moderate
References:  1228732
This update for ldb, samba fixes the following issues:

- Many qsort() comparisons are non-transitive, which can lead to 
  out-of-bounds access in some circumstances.
- Fix a crash when joining offline and 'kerberos method' includes
  keytab (bsc#1228732).
- Fix reading the password from STDIN or environment vars if it
  was already given in the command line (bsc#1228732).
- netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0.
- Anonymous smb3 signing/encryption should be allowed (similar to Windows Server 2022).
- Panic in dreplsrv_op_pull_source_apply_changes_trigger.
- winbindd, net ads join and other things don't work on an ipv6 only host.
- Smbcacls incorrectly propagates inheritance with Inherit-Only flag.
- http library doesn't support 'chunked transfer encoding'.
- fd_handle_destructor() panics within an smbd_smb2_close() if
  vfs_stat_fsp() fails in fd_close()
- samba-gpupdate: Correctly implement site support.    
- libgpo: Segfault in python bindings.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2967-1
Released:    Mon Aug 19 15:41:29 2024
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1194818
This update for pam fixes the following issue:

- Prevent cursor escape from the login prompt (bsc#1194818).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:2971-1
Released:    Tue Aug 20 08:13:06 2024
Summary:     Recommended update for perl-DBD-Pg, perl-DBD-SQLite, perl-DBI, perl-YAML-LibYAML
Type:        recommended
Severity:    moderate
References:  
This update for perl-DBD-Pg, perl-DBD-SQLite, perl-DBI, perl-YAML-LibYAML fixes the following issues:

perl-DBI was updated from version 1.642 to 1.643:
    
- Updated Devel::PPPort and removed redundant compatibility macros 
- Correct minor typo in documentation
- Correct documentation introducing $dbh->selectall_array()
- Introduced select and do wrappers earlier in the documentation
- Mark as deprecated old API functions which overflow or are affected by Unicode issues
- Add new attribute RaiseWarn, similar to RaiseError

perl-DBD-SQLite was updated from version 1.66 to 1.74:

- Fixed disabling of __perllib_provides
- Upgraded SQLite to 3.42.0
- Added missing possible table_type values to POD
- Set UTF8CACHE to avoid slowdown with -DDEBUGGING
- Lowercase datatype in table column metadata for back-compatibility
- Fixed test failure on perl built with -DDEBUGGING
- Improve sqlite_load_extension documentation
- Add a feature to unregister a created function
- Fixed accented characters in POD
- Link embedded sqlite devel files to system files
- Use the system sqlite rather than the built-in one
- Fixed documentation to use the correct attribute with sqlite_
- Modify the fix to silence the sqlite_unicode warning not to check the attribute twice
- Fix an encoding issue of naive
- Made DBD_SQLITE_STRING_MODE constants exportable
- Stop setting THREADSAFE=0 if perl has pthread (ie. 5.20+)
- Fixed a memory leak in ::VirtualTable
- Introduced 'string_mode' handle attribute to fix long-standing issues of sqlite_unicode
- Added a dependency from dbdimp.o to the *.inc files included into dbdimp.c
- Fixed an offset issue of VirtualTable
- Fixed quadmath issues
- Added sqlite_txn_state method to see internal state of the backend
- Switched to XSLoader
- Use quadmath_snprintf if USE_QUADMATH is defined
- Use av_fetch instead of av_shift

perl-DBD-Pg was updated from version 3.10.4 to 3.18.0:

- Support new PQclosePrepared function, added in Postgres 17
- Improved documentation about ping always returning a value
- New database handle attribute pg_skip_deallocate
  Prevents any deallocation of automatically prepared
  statements to support new pgBouncer feature
- Fix to handle escaped quotes in connection string
- Return number of affected rows from a MERGE command
- Added support for Github CI actions
- Removed undocumented internal-only pg_pid_number attribute
- Small warning in docs about PG_CHAR
- Added new attribute 'pg_int8_as_string', for backwards compatibility.
- Added a META.json file; rename META.yml to META.yaml
- Fix 03smethod.t $sth->last_insert_id skip count for DBI < 1.642
- Documentation improvements for service files
- Automatically use 64-bit versions of large object functions when available
- Set UTF8 flag as needed for error messages
- In tests, do not assume what the default transaction isolation level will be
- Make tests smarter about detecting pg_ctl results in different locales
- Adjust tests for the fact that reltuples can be -1 in Postgres
  version 13 and later. This is mostly reflected in the CARDINALITY
  column for $dbh->statistics_info.
- Correctly pull back pg_async status from statement handle.
  Previously, $dbh->{pg_async} would return undef.
- Remove the experimental 'fulltest' Makefile target.
- The $dbh->primary_key_info and $dbh->foreign_key_info methods will now always return
  a statement handle, even with no matches. Previously, they returned undef directly.
  Callers can check if the returned handle contains any rows.
- The $dbh->tables method will always return a list, even if it is empty.
- Add pg_lo_tell64, pg_lo_seek64, and pg_lo_truncate64, for anyone dealing
  with really, really, really large 'large objects'. Requires Postgres 9.3 or better.
- Allow test to run again when using a non-superuser to connect
- Adjust tests to force loading proper version of DBD::Pg every time.
- Removed the long-deprecated _pg_use_catalog method.
- Many improvements and changes to the test suite.
- Redo the 'last_result' internals in dbdimp.c, which fixes a memory leak.
- Fixed regression in Perl length() for returned query results
- Make $sth->finish() do a little less. Notably, even
  after calling finish(), pg_error_field will still work
  on the last action performed.
- Tweak tests so Windows boxes pass
- Run tests in verbose mode
- Prevent DBI from flipping AutoCommit to 'on' after a failed commit
- Revert overly aggressive testing shortcut as it can cause installs to fail
- Return the table info row last in statistics_info.
  This fixes statistics_info on pre-8.3 servers.
- Fixed ASC_OR_DESC field in statistics_info
- Indicate NULL ordering in statistics_info
- Adjust Makefile to fix failing 'fulltest' target on BSD systems
- Indicate non-key index columns (INCLUDE) in statistics_info
- Return an empty result set instead of undef from statistics_info
  when the requested table doesn't exist and $unique_only is false.
- Fixed segfault during st destroy
- Improved testing for table_info()
- Improved UTF-8 wording in documentation
    
perl-YAML-LibYAML was updated to version 0.89:

- Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it more secure
- Fixed disabling of __perllib_provides
- Recognise core booleans on Perl 5.36+ at dump time
- Fixed YAML::XS pod in cpanminus
- Convert doc from Swim to Markdown
- Added option ForbidDuplicateKeys
- Recognize tied variables
- Updated libyaml sources to 0.2.4. Changes affecting YAML::XS are:
- Output '...' at the stream end after a block scalar with trailing empty lines
- Accept '%YAML 1.2' directives (they are ignored and do not change behaviour though)
- Fix memory leak when loading invalid YAML
- Support aliasing scalars resolved as null or booleans
- Add YAML::XS::LibYAML::libyaml_version()
- Support standard !!int/!!float tags instead of dying
- Fixed double free/core dump when Dump()ing binary data
- Update config.h from libyaml
- Update libyaml to version 0.2.2. Most important change for users is that plain
  urls in flow style can be parsed now. Example: `[ http://yaml.org]`.
- Added $Indent - number of spaces when dumping
- Implemented $LoadCode
- Update to libyaml 0.2.1. It's forbidden now to escape single quotes inside double quotes
- When disabling $LoadBlessed, return scalars not refs
- Save anchors also for blessed scalars
- Fixed format specifier/argument mismatch
- Fixed a C90-compatibility issue
- Prevent warning about unused variables

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3054-1
Released:    Wed Aug 28 14:48:31 2024
Summary:     Security update for python3-setuptools
Type:        security
Severity:    important
References:  1228105,CVE-2024-6345
This update for python3-setuptools fixes the following issues:

- CVE-2024-6345: Fixed code execution via download functions in the package_index module (bsc#1228105)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3106-1
Released:    Tue Sep  3 17:00:40 2024
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1220523,1220690,1220693,1220696,1221365,1221751,1221752,1221753,1221760,1221786,1221787,1221821,1221822,1221824,1221827,1229465,CVE-2024-6119
This update for openssl-3 fixes the following issues:

- CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

Other fixes:    
    
- FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
- FIPS: RSA keygen PCT requirements.
- FIPS: Check that the fips provider is available before setting
  it as the default provider in FIPS mode (bsc#1220523).
- FIPS: Port openssl to use jitterentropy (bsc#1220523).
- FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
- FIPS: Service Level Indicator (bsc#1221365).
- FIPS: Output the FIPS-validation name and module version which uniquely
  identify the FIPS validated module (bsc#1221751).
- FIPS: Add required selftests: (bsc#1221760).
- FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
- FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
- FIPS: Zero initialization required (bsc#1221752).
- FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
- FIPS: NIST SP 800-56Brev2 (bsc#1221824).
- FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
- FIPS: NIST SP 800-56Arev3 (bsc#1221822).
- FIPS: Error state has to be enforced (bsc#1221753).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3121-1
Released:    Tue Sep  3 17:15:32 2024
Summary:     Recommended update for yast2-users
Type:        recommended
Severity:    moderate
References:  1206627,1208913,1209377,1211583,1211753,1228149
This update for yast2-users fixes the following issues:

- Relax check in GECOS field, allow any data except colons (bsc#1228149).
- Backport changes to avoid namespace collisions.
- Branch package for SP6 (bsc#1208913).
- YaST can no longer modify NIS users and groups (bnc#1206627).
- YaST2: Adding several users via yast fails sometimes (bnc#1209377).
- Importing user during installation can lead to password malformation (bnc#1211583).
- YaST2 ayast_setup setup broken on SLES15-SP4 (bnc#1211753).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3124-1
Released:    Tue Sep  3 17:38:34 2024
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1229975
This update for cryptsetup fixes the following issues:

- FIPS: Extend the password for PBKDF2 benchmarking to be more than 20
  chars to meet FIPS 140-3 requirements (bsc#1229975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3129-1
Released:    Tue Sep  3 17:40:36 2024
Summary:     Recommended update for unzip
Type:        recommended
Severity:    moderate
References:  1190273
This update for unzip fixes the following issues:

- Add patch to fix issue with some files being incorrectly detected as symlinks (boo#1190273)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3131-1
Released:    Tue Sep  3 17:42:24 2024
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1224113
This update for mozilla-nss fixes the following issues:

- FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3132-1
Released:    Tue Sep  3 17:43:10 2024
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1228968,1229329
This update for permissions fixes the following issues:

- Update to version 20240826:
  * permissions: remove outdated entries (bsc#1228968)

- Update to version 20240826:
  * cockpit: revert path change (bsc#1229329)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3135-1
Released:    Wed Sep  4 08:36:23 2024
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  
This update for rsyslog fixes the following issues:

- Version upgrade
- patches replaced by upgrade (details in upgrade logs)
  * Revert 'Update omlibdbi.c'
  * imkmsg: add params 'readMode' and 'expectedBootCompleteSeconds'
  * testbench: fix 'typo' in test case
  * omazureeventhubs: Corrected handling of transport closed failures
  * imkmsg: add module param parseKernelTimestamp
  * imfile: remove state file on file delete fix
  * imklog bugfix: keepKernelTimestamp=off config param did not work
  * Netstreamdriver: deallocate certificate related resources
  * TLS subsystem: add remote hostname to error reporting
  * Fix forking issue due to close_range call
  * replace debian sample systemd service file by readme
  * testbench: bump zookeeper version to match current offering
  * Update rsyslog.service sample unit to the latest version used in Debian Trixie
  * Only keep a single rsyslog.service for Debian
  * Remove no longer used --with-systemdsystemunitdir configure switch
  * use logind instead of utmp for wall messages with systemd
  * Typo fixes
  * Drop CAP_IPC_LOCK capability
  * Add CAP_NET_RAW capability due to the omudpspoof module
  * Add new global config option 'libcapng.enable'
  * tcp net subsystem: handle data race gracefully
  * Avoid crash on restart in imrelp SIGTTIN handler
- patches replaced by upgrade
  * fix startup issue on modern systemd systems
  * Fix misspelling in message.
  * tcpflood bugfix: plain tcp send error not properly reported
  * omprog bugfix: Add CAP_DAC_OVERRIDE to the bounding set
  * testbench: cleanup and improve some more imfile tests
  * lookup tables: fix static analyzer issue
  * lookup tables bugfix: reload on HUP did not work when backgrounded
  * CI: fix and cleanup github workflow
  * imjournal: Support input module
  * testbench: make test more reliable
  * tcpflood: add -A option to NOT abort when sending fails
  * tcpflood: fix today's programming error
  * openssl: Replaced deprecated method SSLv23_method with TLS_method
  * testbench improvement: define state file directories for imfile tests
  * testbench: cleanup a test and some nitfixes to it
  * tcpflood bugfix: TCP sending was not implemented properly
  * testbench: make waiting for HUP processing more reliable
  * build system: make rsyslogd execute when --disable-inet is configured
  * CI: update zookeeper download to newer version
  * ossl driver: Using newer INIT API for OpenSSL 1.1+ Versions
  * ossl: Fix CRL File Expire from 1 day to 100 years.
  * PR5175: Add TLS CRL Support for GnuTLS driver and OpenSSL 1.0.2+
  * omazureeventhubs: Initial implementation of new output module
  * TLS CRL Support Issue 5081
  * action.resumeintervalmax: the parameter was not respected
  * IMHIREDIS::FIXED:: Restore compatibility with hiredis < v1.0.0
  * Add the 'batchsize' parameter to imhiredis
  * Clear undefined behavior in libgcry.c (GH #5167)
  * Do not try to drop capabilities when we don't have any
  * testbench: use newer zookeeper version in tests
  * build system: more precise error message on too-old lib
  * Fix quoting for omprog, improg, mmexternal

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3159-1
Released:    Fri Sep  6 12:15:52 2024
Summary:     Security update for postgresql16
Type:        security
Severity:    important
References:  1224038,1224051,1229013,CVE-2024-4317,CVE-2024-7348
This update for postgresql16 fixes the following issues:

- Upgrade to 16.4 (bsc#1229013)
- CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
- CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3166-1
Released:    Mon Sep  9 12:25:30 2024
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1228042
This update for glibc fixes the following issue:

- s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3172-1
Released:    Mon Sep  9 12:55:40 2024
Summary:     Security update for apache2
Type:        security
Severity:    important
References:  1227276,1227278,1227353,CVE-2024-38473,CVE-2024-38474,CVE-2024-39884
This update for apache2 fixes the following issues:

- CVE-2024-38474: Fixed substitution encoding issue in mod_rewrite (bsc#1227278)
- CVE-2024-38473: Fixed encoding problem in mod_proxy (bsc#1227276)
- CVE-2024-39884: Fixed source code disclosure with handlers configured via AddType (bsc#1227353)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3178-1
Released:    Mon Sep  9 14:39:12 2024
Summary:     Recommended update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings
Type:        recommended
Severity:    important
References:  1081596,1223094,1224771,1225267,1226014,1226030,1226493,1227205,1227625,1227793,1228138,1228206,1228208,1228420,1228787,222971
This update for libzypp, zypper, libsolv, zypp-plugin, PackageKit-branding-SLE, PackageKit, libyui, yast2-pkg-bindings fixes the following issues:

- Make sure not to statically link installed tools (bsc#1228787)
- MediaPluginType must be resolved to a valid MediaHandler (bsc#1228208)
- Export asSolvable for YAST (bsc#1228420)
- Export CredentialManager for legacy YAST versions (bsc#1228420)
- Fix 4 typos in zypp.conf
- Fix typo in the geoip update pipeline (bsc#1228206)
- Export RepoVariablesStringReplacer for yast2 (bsc#1228138)
- Removed dependency on external find program in the repo2solv tool
- Fix return value of repodata.add_solv()
- New SOLVER_FLAG_FOCUS_NEW flag
- Fix return value of repodata.add_solv() in the bindings
- Fix SHA-224 oid in solv_pgpvrfy
- Translation: updated .pot file.
- Conflict with python zypp-plugin < 0.6.4 (bsc#1227793)
- Fix int overflow in Provider
- Fix error reporting on repoindex.xml parse error (bsc#1227625)
- Keep UrlResolverPlugin API public
- Blacklist /snap executables for 'zypper ps' (bsc#1226014)
- Fix handling of buddies when applying locks (bsc#1225267)
- Fix readline setup to handle Ctrl-C and Ctrl-D correctly (bsc#1227205)
- Show rpm install size before installing (bsc#1224771)
- Install zypp/APIConfig.h legacy include
- Update soname due to RepoManager refactoring and cleanup
- Workaround broken libsolv-tools-base requirements
- Strip ssl_clientkey from repo urls (bsc#1226030)
- Remove protobuf build dependency
- Lazily attach medium during refresh workflows (bsc#1223094)
- Refactor RepoManager and add Service workflows
- Let_readline_abort_on_Ctrl-C (bsc#1226493)
- packages: add '--system' to show @System packages (bsc#222971)
- Provide python3-zypp-plugin down to SLE12 (bsc#1081596)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3180-1
Released:    Mon Sep  9 14:50:18 2024
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1215341,1216908
This update for binutils fixes the following issues:

Update to current 2.43.1 branch [jsc#PED-10474]:

Update to version 2.43: 

* new .base64 pseudo-op, allowing base64 encoded data as strings
* Intel APX: add support for CFCMOV, CCMP, CTEST, zero-upper, NF
  (APX_F now fully supported)
* x86 Intel syntax now warns about more mnemonic suffixes
* macros and .irp/.irpc/.rept bodies can use \+ to get at number
  of times the macro/body was executed
* aarch64: support 'armv9.5-a' for -march, add support for LUT
  and LUT2
* s390: base register operand in D(X,B) and D(L,B) can now be
  omitted (ala 'D(X,)'); warn when register type doesn't match
  operand type (use option
  'warn-regtype-mismatch=[strict|relaxed|no]' to adjust)
* riscv: support various extensions: Zacas, Zcmp, Zfbfmin,
  Zvfbfmin, Zvfbfwma, Smcsrind/Sscsrind, XCvMem, XCvBi, XCvElw,
  XSfCease, all at version 1.0;
  remove support for assembly of privileged spec 1.9.1 (linking
  support remains)
* arm: remove support for some old co-processors: Maverick and FPA
* mips: '--trap' now causes either trap or breakpoint instructions
  to be emitted as per current ISA, instead of always using trap
  insn and failing when current ISA was incompatible with that
* LoongArch: accept .option pseudo-op for fine-grained control
  of assembly code options; add support for DT_RELR
* readelf: now displays RELR relocations in full detail;
  add -j/--display-section to show just those section(s) content
  according to their type
* objdump/readelf now dump also .eh_frame_hdr (when present) when
  dumping .eh_frame
* gprofng: add event types for AMD Zen3/Zen4 and Intel Ice Lake
  processors; add minimal support for riscv
* linker:
  - put .got and .got.plt into relro segment
  - add -z isa-level-report=[none|all|needed|used] to the x86 ELF
    linker to report needed and used x86-64 ISA levels
  - add --rosegment option which changes the -z separate-code
    option so that only one read-only segment is created (instead
    of two)
  - add --section-ordering-file <FILE> option to add extra
    mapping of input sections to output sections
  - add -plugin-save-temps to store plugin intermediate files
    permanently

Update to version 2.42:

* Add support for many aarch64 extensions: SVE2.1, SME2.1, B16B16,
  RASv2, LSE128, GCS, CHK, SPECRES2, LRCPC3, THE, ITE, D128, XS and
  flags to enable them: '+fcma', '+jscvt', '+frintts', '+flagm2',
  '+rcpc2' and '+wfxt'
* Add experimental support for GAS to synthesize call-frame-info for
  some hand-written asm (--scfi=experimental) on x86-64.
* Add support for more x86-64 extensions: APX: 32 GPRs, NDD, PUSH2/POP2,
  PUSHP/POPP; USER_MSR, AVX10.1, PBNDKB, SM4, SM3, SHA512, AVX-VNNI-INT16.
* Add support for more RISC-V extensions: T-Head v2.3.0, CORE-V v1.0,
  SiFive VCIX v1.0.
* BPF assembler: ';' separates statements now, and does not introduce
  line comments anymore (use '#' or '//' for this).
* x86-64 ld: Add '-z mark-plt/-z nomark-plt' to mark PLT entries with
  dynamic tags.
* risc-v ld: Add '--[no-]check-uleb128'.
* New linker script directive: REVERSE, to be combined with SORT_BY_NAME
  or SORT_BY_INIT_PRIORITY, reverses the generated order.
* New linker options --warn-execstack-objects (warn only about execstack
  when input object files request it), and --error-execstack plus
  --error-rxw-segments to convert the existing warnings into errors.
* objdump: Add -Z/--decompress to be used with -s/--full-contents to
  decompress section contents before displaying.
* readelf: Add --extra-sym-info to be used with --symbols (currently
  prints section name of references section index).
* objcopy: Add --set-section-flags for x86_64 to include
  SHF_X86_64_LARGE.
* s390 disassembly: add target-specific disasm option 'insndesc',
  as in 'objdump -M insndesc' to display an instruction description
  as comment along with the disassembly.

- Add binutils-use-less-memory.diff to be a little nicer to 32bit
  userspace and huge links.  [bsc#1216908]
- Add libzstd-devel to Requires of binutils-devel. (bsc#1215341)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:3199-1
Released:    Wed Sep 11 08:46:57 2024
Summary:     Recommended update for yast2-installation
Type:        recommended
Severity:    moderate
References:  1181625
This update for yast2-installation fixes the following issue:

- Don't block in AutoYaST upgrade (bsc#1181625).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:3204-1
Released:    Wed Sep 11 10:55:22 2024
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1230093,CVE-2024-8096
This update for curl fixes the following issues:

- CVE-2024-8096: OCSP stapling bypass with GnuTLS. (bsc#1230093)


The following package changes have been done:

- glibc-2.38-150600.14.8.2 updated
- libuuid1-2.39.3-150600.4.9.4 updated
- libsmartcols1-2.39.3-150600.4.9.4 updated
- libblkid1-2.39.3-150600.4.9.4 updated
- libfdisk1-2.39.3-150600.4.9.4 updated
- libassuan0-2.5.5-150000.4.7.1 updated
- libmount1-2.39.3-150600.4.9.4 updated
- libudev1-254.15-150600.4.8.1 updated
- libopenssl3-3.1.4-150600.5.15.1 updated
- libopenssl-3-fips-provider-3.1.4-150600.5.15.1 updated
- libcurl4-8.6.0-150600.4.6.1 updated
- login_defs-4.8.1-150600.17.6.1 updated
- permissions-20240826-150600.10.9.1 updated
- libgpgme11-1.23.0-150600.3.2.1 updated
- libsolv-tools-base-0.7.30-150400.3.27.2 updated
- pam-1.3.0-150000.6.71.2 updated
- libzypp-17.35.8-150600.3.19.1 updated
- shadow-4.8.1-150600.17.6.1 updated
- zypper-1.14.76-150600.10.6.13 updated
- util-linux-2.39.3-150600.4.9.4 updated
- curl-8.6.0-150600.4.6.1 updated
- concurrent-1.3.4-277.150600.277.5 updated
- openssl-3-3.1.4-150600.5.15.1 updated
- ca-certificates-mozilla-2.68-150200.33.1 updated
- libsystemd0-254.15-150600.4.8.1 updated
- systemd-254.15-150600.4.8.1 updated
- dmidecode-3.6-150400.16.11.2 updated
- glibc-locale-base-2.38-150600.14.8.2 updated
- jose4j-0.9.5-150600.1.3 updated
- libctf-nobfd0-2.43-150100.7.49.1 updated
- libfreebl3-3.101.2-150400.3.51.1 updated
- libipa_hbac0-2.9.3-150600.3.9.2 updated
- libopenssl1_1-1.1.1w-150600.5.6.1 updated
- libpcsclite1-1.9.4-150400.3.2.1 updated
- libpq5-16.4-150600.16.5.1 updated
- libsolv-tools-0.7.30-150400.3.27.2 updated
- libsss_idmap0-2.9.3-150600.3.9.2 updated
- libsss_nss_idmap0-2.9.3-150600.3.9.2 updated
- libyaml-0-2-0.1.7-150000.3.2.1 updated
- openssh-common-9.6p1-150600.6.9.1 updated
- patch-2.7.6-150000.5.6.1 updated
- release-notes-susemanager-5.0.0-150600.19.2 updated
- ruby-solv-0.7.30-150400.3.27.2 updated
- simple-xml-2.6.2-0.150600.10.5 updated
- sitemesh-2.1-0.150600.8.73 updated
- snmp-mibs-5.9.4-150600.24.2.1 updated
- stringtree-json-2.0.9-0.150600.12.5 updated
- sudo-1.9.15p5-150600.3.6.2 updated
- susemanager-schema-utility-5.0.10-150600.1.3 updated
- unzip-6.00-150000.4.14.1 updated
- util-linux-systemd-2.39.3-150600.4.9.4 updated
- woodstox-4.4.2-150600.1.107 updated
- suseconnect-ng-1.11.0-150600.3.5.3 updated
- libyui16-4.5.3-150500.3.10.1 updated
- libyui-ncurses16-4.5.3-150500.3.10.1 updated
- glibc-locale-2.38-150600.14.8.2 updated
- libxcb1-1.13-150000.3.11.1 updated
- libctf0-2.43-150100.7.49.1 updated
- binutils-2.43-150100.7.49.1 updated
- libcryptsetup12-2.7.0-150600.3.3.1 updated
- libpython3_6m1_0-3.6.15-150300.10.65.1 updated
- python3-base-3.6.15-150300.10.65.1 updated
- python3-3.6.15-150300.10.65.2 updated
- python3-curses-3.6.15-150300.10.65.2 updated
- postgresql16-16.4-150600.16.5.1 updated
- libgit2-28-0.28.4-150200.3.9.1 updated
- libsss_certmap0-2.9.3-150600.3.9.2 updated
- bind-utils-9.18.28-150600.3.3.1 updated
- glibc-devel-2.38-150600.14.8.2 updated
- mozilla-nss-certs-3.101.2-150400.3.51.1 updated
- openssh-fips-9.6p1-150600.6.9.1 updated
- redstone-xmlrpc-1.1_20071120-0.150600.9.5 updated
- spacewalk-java-lib-5.0.11-150600.1.10 updated
- uyuni-reportdb-schema-5.0.6-150600.1.6 updated
- libsuseconnect-1.11.0-150600.3.5.3 updated
- libyui-ncurses-pkg16-4.5.3-150500.3.10.1 updated
- perl-DBI-1.643-150600.12.3.2 updated
- libsnmp40-5.9.4-150600.24.2.1 updated
- apache2-prefork-2.4.58-150600.5.23.1 updated
- openssh-server-9.6p1-150600.6.9.1 updated
- openssh-clients-9.6p1-150600.6.9.1 updated
- wicked-0.6.76-150600.11.9.1 updated
- wicked-service-0.6.76-150600.11.9.1 updated
- python3-zypp-plugin-0.6.4-150400.13.4.1 updated
- python3-solv-0.7.30-150400.3.27.2 updated
- python3-cssselect-1.0.3-150400.3.7.4 updated
- python3-PyYAML-5.4.1-150300.3.3.1 updated
- postgresql16-server-16.4-150600.16.5.1 updated
- libldb2-2.8.1-150600.3.3.4 updated
- supportutils-3.2.8-150600.3.3.1 updated
- mozilla-nss-3.101.2-150400.3.51.1 updated
- libsoftokn3-3.101.2-150400.3.51.1 updated
- susemanager-schema-5.0.10-150600.1.3 updated
- udev-254.15-150600.4.8.1 updated
- suseconnect-ruby-bindings-1.11.0-150600.3.5.3 updated
- yast2-pkg-bindings-4.6.5-150600.3.6.1 updated
- perl-DBD-Pg-3.18.0-150600.14.3.2 updated
- perl-SNMP-5.9.4-150600.24.2.1 updated
- net-snmp-5.9.4-150600.24.2.1 updated
- apache2-2.4.58-150600.5.23.1 updated
- openssh-9.6p1-150600.6.9.1 updated
- grub2-2.12-150600.8.3.1 updated
- grub2-i386-pc-2.12-150600.8.3.1 updated
- rsyslog-8.2406.0-150600.12.3.2 updated
- python3-dnspython-1.15.0-150000.3.7.1 updated
- python3-lxml-4.9.1-150500.3.4.3 updated
- postgresql16-contrib-16.4-150600.16.5.1 updated
- sssd-ldap-2.9.3-150600.3.9.2 updated
- sssd-2.9.3-150600.3.9.2 updated
- sssd-krb5-common-2.9.3-150600.3.9.2 updated
- samba-client-libs-4.19.7+git.357.1d7950ebd62-150600.3.3.2 updated
- java-17-openjdk-headless-17.0.12.0-150400.3.45.1 updated
- java-11-openjdk-headless-11.0.24.0-150000.3.116.1 updated
- grub2-x86_64-efi-2.12-150600.8.3.1 updated
- python3-setuptools-44.1.1-150400.9.9.1 updated
- spacewalk-backend-sql-postgresql-5.0.8-150600.3.44.11 updated
- sssd-krb5-2.9.3-150600.3.9.2 updated
- sssd-dbus-2.9.3-150600.3.9.2 updated
- python3-sssd-config-2.9.3-150600.3.9.2 updated
- sssd-ad-2.9.3-150600.3.9.2 updated
- tomcat-servlet-4_0-api-9.0.91-150200.68.1 updated
- tomcat-el-3_0-api-9.0.91-150200.68.1 updated
- java-17-openjdk-17.0.12.0-150400.3.45.1 updated
- java-11-openjdk-11.0.24.0-150000.3.116.1 updated
- spacewalk-base-minimal-5.0.9-150600.1.13 updated
- sssd-tools-2.9.3-150600.3.9.2 updated
- sssd-ipa-2.9.3-150600.3.9.2 updated
- tomcat-jsp-2_3-api-9.0.91-150200.68.1 updated
- xmlpull-api-1.1.3.1-150600.1.4 updated
- tomcat-taglibs-standard-1_2_5-1.2.5-150600.1.104 updated
- quartz-2.3.0-150600.1.107 updated
- prometheus-jmx_exporter-0.3.1-150600.1.5 updated
- prometheus-client-java-0.3.0-150600.1.103 updated
- picocontainer-1.3.7-150600.1.5 updated
- mvel2-2.2.6.Final-150600.1.105 updated
- lucene-2.4.1-150600.1.107 updated
- kie-soup-7.17.0.Final-150600.1.98 updated
- kie-api-7.17.0-150600.1.97 updated
- jpa-api-2.2.2-150600.1.10 updated
- java-saml-2.4.0-150600.1.4 updated
- ical4j-3.0.18-150600.1.92 updated
- hibernate-commons-annotations-5.0.4-150600.1.106 updated
- ehcache-2.10.1-150600.1.108 updated
- dwr-3.0.2-0.150600.10.5 updated
- drools-7.17.0-150600.1.94 updated
- spacewalk-base-minimal-config-5.0.9-150600.1.13 updated
- tomcat-lib-9.0.91-150200.68.1 updated
- reflections-0.9.10-150600.1.4 updated
- pgjdbc-ng-0.8.7-150600.1.102 updated
- prometheus-jmx_exporter-tomcat-0.3.1-150600.1.5 updated
- byte-buddy-dep-1.11.12-150600.1.11 updated
- optaplanner-7.17.0-150600.1.95 updated
- snakeyaml-2.2-150200.3.15.1 updated
- python3-urllib3-1.25.10-150300.4.12.1 updated
- hibernate-types-2.16.2-150600.1.6 updated
- simple-core-3.1.3-0.150600.8.5 updated
- byte-buddy-1.11.12-150600.1.11 updated
- xmlsec-2.0.7-150600.1.99 updated
- statistics-1.0.2-150600.1.102 updated
- spark-core-2.9.3-150600.1.139 updated
- spacewalk-backend-5.0.8-150600.3.44.11 updated
- python3-spacewalk-client-tools-5.0.6-150600.3.90.10 updated
- spacewalk-client-tools-5.0.6-150600.3.90.10 updated
- spacewalk-base-5.0.9-150600.1.13 updated
- spacewalk-search-5.0.2-150600.1.4 updated
- jade4j-1.2.7-150600.2.3 updated
- subscription-matcher-0.38-150600.1.2 updated
- jakarta-commons-validator-1.1.4-21.150600.19.118 updated
- salt-netapi-client-0.21.0-150600.1.5 updated
- python3-salt-3006.0-150500.4.38.2 updated
- salt-3006.0-150500.4.38.2 updated
- fence-agents-4.13.1+git.1704296072.32469f29-150600.3.9.1 updated
- spacewalk-backend-sql-5.0.8-150600.3.44.11 updated
- hibernate5-core-5.3.25-150600.1.90 updated
- spark-template-jade-2.7.1-150600.1.5 updated
- tomcat-9.0.91-150200.68.1 updated
- struts-1.2.9-162.150600.33.6 updated
- yast2-users-4.6.6-150600.3.3.5 updated
- salt-master-3006.0-150500.4.38.2 updated
- cobbler-3.3.3-150600.3.7 updated
- spacewalk-backend-server-5.0.8-150600.3.44.11 updated
- hibernate5-ehcache-5.3.25-150600.1.90 updated
- hibernate5-c3p0-5.3.25-150600.1.90 updated
- spacewalk-java-postgresql-5.0.11-150600.1.10 updated
- spacewalk-branding-5.0.2-150600.1.3 updated
- yast2-installation-4.6.13-150600.3.3.3 updated
- spacewalk-java-config-5.0.11-150600.1.10 updated
- salt-api-3006.0-150500.4.38.2 updated
- spacewalk-backend-xmlrpc-5.0.8-150600.3.44.11 updated
- spacewalk-backend-xml-export-libs-5.0.8-150600.3.44.11 updated
- spacewalk-backend-package-push-server-5.0.8-150600.3.44.11 updated
- spacewalk-backend-iss-5.0.8-150600.3.44.11 updated
- spacewalk-backend-app-5.0.8-150600.3.44.11 updated
- spacewalk-html-5.0.9-150600.1.13 updated
- spacewalk-taskomatic-5.0.11-150600.1.10 updated
- spacewalk-java-5.0.11-150600.1.10 updated
- spacewalk-backend-iss-export-5.0.8-150600.3.44.11 updated
- spacewalk-backend-tools-5.0.8-150600.3.44.11 updated
- container:suse-manager-5.0-init-5.0.1-5.0.1-7.3.17 added
- container:suse-manager-5.0-init-5.0.0-5.0.0-5.19 removed
- libabsl2401_0_0-20240116.1-150600.17.7 removed
- libprotobuf-lite25_1_0-25.1-150600.16.4.2 removed

