SUSE-CU-2022:1007-1: Security update of trento/trento-runner

sle-security-updates at lists.suse.com
Sat May 14 09:01:48 UTC 2022


SUSE Container Update Advisory: trento/trento-runner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:1007-1
Container Tags        : trento/trento-runner:1.0.0 , trento/trento-runner:1.0.0-build4.8.1 , trento/trento-runner:latest
Container Release     : 4.8.1
Severity              : important
Type                  : security
References            : 1047218 1071995 1074971 1080978 1081495 1081495 1084533 1084842
                        1085785 1086185 1094680 1095817 1096008 1096677 1098017 1099119
                        1099192 1100504 1102522 1104821 1105000 1108038 1109412 1109413
                        1109414 1111996 1112534 1112535 1113247 1113252 1113255 1113313
                        1113978 1114209 1114209 1114592 1114832 1116827 1118644 1118830
                        1118831 1118897 1118897 1118898 1118898 1118899 1118899 1119634
                        1119706 1120640 1121034 1121035 1121056 1121397 1121967 1123013
                        1124644 1126826 1126829 1126831 1128376 1128746 1128794 1129389
                        1131264 1133131 1133232 1134068 1140126 1141190 1141897 1141913
                        1142649 1142649 1142772 1143609 1146475 1148517 1149145 1150164
                        1152590 1153768 1153770 1154016 1154025 1157755 1160086 1160254
                        1160590 1160590 1161913 1163333 1163744 1164903 1167939 1167939
                        1172608 1172798 1175132 1177047 1178577 1178614 1178624 1178675
                        1179036 1179341 1179898 1179899 1179900 1179901 1179902 1179903
                        1180451 1180454 1180461 1180713 1181452 1181618 1182252 1182345
                        1183043 1183511 1183909 1184519 1184620 1184794 1185348 1186642
                        1188941 1190589 1190649 1190649 1190649 1190649 1190649 1190649
                        1190649 1190649 1190649 1191468 1191473 1192267 1192377 1192378
                        1193597 1193598 1195628 1195834 1195835 1195838 1196107 1196732
                        1198062 1198237 1198423 1198424 1198922 CVE-2018-1000876 CVE-2018-16873
                        CVE-2018-16873 CVE-2018-16874 CVE-2018-16874 CVE-2018-16875 CVE-2018-16875
                        CVE-2018-17358 CVE-2018-17359 CVE-2018-17360 CVE-2018-17985 CVE-2018-18309
                        CVE-2018-18483 CVE-2018-18484 CVE-2018-18605 CVE-2018-18606 CVE-2018-18607
                        CVE-2018-19931 CVE-2018-19932 CVE-2018-20623 CVE-2018-20651 CVE-2018-20671
                        CVE-2018-6323 CVE-2018-6543 CVE-2018-6759 CVE-2018-6872 CVE-2018-7187
                        CVE-2018-7187 CVE-2018-7208 CVE-2018-7568 CVE-2018-7569 CVE-2018-7570
                        CVE-2018-7642 CVE-2018-7643 CVE-2018-8945 CVE-2019-1010180 CVE-2019-12972
                        CVE-2019-14250 CVE-2019-14250 CVE-2019-14444 CVE-2019-15847 CVE-2019-17450
                        CVE-2019-17451 CVE-2019-5736 CVE-2019-6486 CVE-2019-9074 CVE-2019-9075
                        CVE-2019-9077 CVE-2020-13844 CVE-2020-16590 CVE-2020-16591 CVE-2020-16592
                        CVE-2020-16593 CVE-2020-16598 CVE-2020-16599 CVE-2020-35448 CVE-2020-35493
                        CVE-2020-35496 CVE-2020-35507 CVE-2021-20197 CVE-2021-20284 CVE-2021-20294
                        CVE-2021-3487 CVE-2021-38297 CVE-2021-39293 CVE-2021-41771 CVE-2021-41772
                        CVE-2021-44716 CVE-2021-44717 CVE-2022-1271 CVE-2022-23772 CVE-2022-23773
                        CVE-2022-23806 CVE-2022-24675 CVE-2022-24921 CVE-2022-28327 ECO-368
                        SLE-6206 SLE-6738 
-----------------------------------------------------------------

The container trento/trento-runner was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1189-1
Released:    Wed Jun 20 16:20:01 2018
Summary:     Security update for go, go1.9
Type:        security
Severity:    moderate
References:  1081495,1085785,CVE-2018-7187
This update for go and go1.9 fixes the following issues:
  
The following security issues have been addressed for both packages:
  
- CVE-2018-7187: Fixed the validation of the import path in the go get command,
  which allowed for arbitrary command execution via VCS path when the -insecure
  flag is used (bsc#1081495)

The following other changes have been made for go1.9:

- Fixes to the go command and the crypto/x509 and strings packages, which add
  minimal support to the go command for the vgo transition.
- Several fixes to the compiler and go command
- Fixed various issues in go trace (bsc#1085785):
  - Ensure go binaries are not stripped (e.g. go tools trace), as this caused
    some of them to misbehave
  - Ensure go trace html template is shipped as part of the installation,
    otherwise the web UI won't work

For details on any other changes see the Go milestones on the official
issue tracker.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2798-1
Released:    Wed Nov 28 07:48:35 2018
Summary:     Recommended update for make
Type:        recommended
Severity:    moderate
References:  1100504
This update for make fixes the following issues:

- Use a non-blocking read with pselect to avoid hangs (bsc#1100504)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:3064-1
Released:    Fri Dec 28 18:39:08 2018
Summary:     Security update for containerd, docker and go
Type:        security
Severity:    important
References:  1047218,1074971,1080978,1081495,1084533,1086185,1094680,1095817,1098017,1102522,1104821,1105000,1108038,1113313,1113978,1114209,1118897,1118898,1118899,1119634,1119706,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2018-7187

This update for containerd, docker and go fixes the following issues:

containerd and docker:

- Add backport for building containerd (bsc#1102522, bsc#1113313)
- Upgrade to containerd v1.1.2, which is required for Docker v18.06.1-ce.
  (bsc#1102522)
- Enable seccomp support on SLE12 (fate#325877)
- Update to containerd v1.1.1, which is the required version for the Docker
  v18.06.0-ce upgrade. (bsc#1102522)
- Put containerd under the podruntime slice (bsc#1086185) 
- 3rd party registries used the default Docker certificate (bsc#1084533)
- Handle build breakage due to missing 'export GOPATH' (caused by resolution of
  boo#1119634). I believe Docker is one of the only packages with this problem.

go:
  
- golang: arbitrary command execution via VCS path (bsc#1081495, CVE-2018-7187)
- Make profile.d/go.sh no longer set GOROOT=, in order to make switching
  between versions no longer break. This ends up removing the need for go.sh
  entirely (because GOPATH is also set automatically) (boo#1119634)
- Fix a regression that broke go get for import path patterns containing '...'
  (bsc#1119706)

Additionally, the package go1.10 has been added.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:6-1
Released:    Wed Jan  2 20:25:25 2019
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1099119,1099192


GCC 7 was updated to the GCC 7.4 release.

- Fix AVR configuration to not use __cxa_atexit or libstdc++ headers.
  Point to /usr/avr/sys-root/include as system header include directory.
- Includes fix for build with ISL 0.20.
- Pulls fix for libcpp lexing bug on ppc64le manifesting during
  build with gcc8.  [bsc#1099119]
- Pulls fix for forcing compile-time tuning even when building
  with -march=z13 on s390x.  [bsc#1099192]
- Fixes support for 32bit ASAN with glibc 2.27+


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:905-1
Released:    Mon Apr  8 16:48:02 2019
Summary:     Recommended update for gcc
Type:        recommended
Severity:    moderate
References:  1096008
This update for gcc fixes the following issues:

- Fix gcc-PIE spec to properly honor -no-pie at link time. (bsc#1096008)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1105-1
Released:    Tue Apr 30 12:10:58 2019
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1084842,1114592,1124644,1128794,1129389,1131264,SLE-6738
This update for gcc7 fixes the following issues:

Update to gcc-7-branch head (r270528).

- Disables switch jump-tables when retpolines are used. This restores
  some lost performance for kernel builds with retpolines.  (bsc#1131264,
  jsc#SLE-6738)
- Fix ICE compiling tensorflow on aarch64. (bsc#1129389)
- Fix for aarch64 FMA steering pass use-after-free. (bsc#1128794)
- Fix for s390x FP load-and-test issue. (bsc#1124644)
- Improve build reproducibility by disabling address-space randomization
  during build.
- Adjust gnat manual entries in the info directory. (bsc#1114592)
- Includes fix to no longer try linking -lieee with -mieee-fp. (bsc#1084842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1234-1
Released:    Tue May 14 18:31:52 2019
Summary:     Security update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork
Type:        security
Severity:    important
References:  1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
This update for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2019-5736: containerd: Fixing container breakout vulnerability (bsc#1121967).
- CVE-2019-6486: go security release, fixing crypto/elliptic CPU DoS vulnerability affecting P-521 and P-384 (bsc#1123013).
- CVE-2018-16873: go security release, fixing cmd/go remote command execution (bsc#1118897).
- CVE-2018-16874: go security release, fixing cmd/go directory traversal (bsc#1118898).
- CVE-2018-16875: go security release, fixing crypto/x509 CPU denial of service (bsc#1118899).

Other changes and bug fixes:

- Update to containerd v1.2.5, which is required for v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to runc 2b18fe1d885e, which is required for Docker v18.09.5-ce (bsc#1128376, bsc#1134068).
- Update to Docker 18.09.5-ce; see upstream changelog in the packaged (bsc#1128376, bsc#1134068).
- docker-test: Improvements to test packaging (bsc#1128746).
- Move daemon.json file to /etc/docker directory (bsc#1114832).
- Revert golang(API) removal since it turns out this breaks >= requires in certain cases (bsc#1114209).
- Fix go build failures (bsc#1121397).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2702-1
Released:    Wed Oct 16 18:41:30 2019
Summary:     Security update for gcc7
Type:        security
Severity:    moderate
References:  1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847
This update for gcc7 to r275405 fixes the following issues:

Security issues fixed:

- CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145).

Non-security issue fixed:

- Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2779-1
Released:    Thu Oct 24 16:57:42 2019
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch [jsc#ECO-368].

Includes following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read in the function sec_merge_hash_lookup, causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound, bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs
  (bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).

Update to binutils 2.32:

* The binutils now support the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control
  encoding of VEX.W-ignored (WIG) VEX instructions.
  It also has a new -mx86-used-note=[yes|no] option to generate (or
  not) x86 GNU property notes.  
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2),
  the Loongson EXTensions (EXT) instructions, the Loongson Content
  Address Memory (CAM) ASE and the Loongson MultiMedia extensions
  Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default
  limit on the maximum amount of recursion that is allowed whilst
  demangling strings.  This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter,
  specifying the starting symbol for disassembly.  Disassembly will
  continue from this symbol up to the next symbol or the end of the
  function.
* The BFD linker will now report property change in linker map file
  when merging GNU properties.
* The BFD linker's -t option now doesn't report members within
  archives, unless -t is given twice.  This makes it more useful
  when generating a list of files that should be packaged for a
  linker bug report.
* The GOLD linker has improved warning messages for relocations that
  refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:10-1
Released:    Thu Jan  2 12:35:06 2020
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1146475
This update for gcc7 fixes the following issues:

- Fix miscompilation with thread-safe localstatic initialization (gcc#85887).
- Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:395-1
Released:    Tue Feb 18 14:16:48 2020
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1160086

This update for gcc7 fixes the following issue:

- Fixed a miscompilation in zSeries code (bsc#1160086)

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released:    Tue Feb 25 10:51:53 2020
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1160590
This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3060-1
Released:    Wed Oct 28 08:09:21 2020
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1126826,1126829,1126831,1140126,1142649,1143609,1153768,1153770,1157755,1160254,1160590,1163333,1163744,CVE-2019-12972,CVE-2019-14250,CVE-2019-14444,CVE-2019-17450,CVE-2019-17451,CVE-2019-9074,CVE-2019-9075,CVE-2019-9077
This update for binutils fixes the following issues:

binutils was updated to version 2.35. (jsc#ECO-2373)

Update to binutils 2.35:

* The assembler can now produce DWARF-5 format line number tables.
* Readelf now has a 'lint' mode to enable extra checks of the files it is processing.
* Readelf will now display '[...]' when it has to truncate a symbol name.  
  The old behaviour - of displaying as many characters as possible, up to
  the 80 column limit - can be restored by the use of the --silent-truncation
  option.
* The linker can now produce a dependency file listing the inputs that it
  has processed, much like the -M -MP option supported by the compiler.

- fix DT_NEEDED order with -flto [bsc#1163744]


Update to binutils 2.34:

* The disassembler (objdump --disassemble) now has an option to
  generate ASCII art that shows the arcs between the start and end
  points of control flow instructions.
* The binutils tools now have support for debuginfod.  Debuginfod is a 
  HTTP service for distributing ELF/DWARF debugging information as
  well as source code.  The tools can now connect to debuginfod
  servers in order to download debug information about the files that
  they are processing.
* The assembler and linker now support the generation of ELF format
  files for the Z80 architecture.

- Add new subpackages for libctf and libctf-nobfd.
- Disable LTO due to bsc#1163333.
- Includes fixes for these CVEs:
  bsc#1153768 aka CVE-2019-17451 aka PR25070
  bsc#1153770 aka CVE-2019-17450 aka PR25078

- fix various build fails on aarch64 (PR25210, bsc#1157755).

Update to binutils 2.33.1:

* Adds support for the Arm Scalable Vector Extension version 2
  (SVE2) instructions, the Arm Transactional Memory Extension (TME)
  instructions and the Armv8.1-M Mainline and M-profile Vector
  Extension (MVE) instructions.
* Adds support for the Arm Cortex-A76AE, Cortex-A77 and Cortex-M35P
  processors and the AArch64 Cortex-A34, Cortex-A65, Cortex-A65AE,
  Cortex-A76AE, and Cortex-A77 processors.
* Adds a .float16 directive for both Arm and AArch64 to allow
  encoding of 16-bit floating point literals.
* For MIPS, Add -m[no-]fix-loongson3-llsc option to fix (or not)
  Loongson3 LLSC Errata.  Add a --enable-mips-fix-loongson3-llsc=[yes|no]
  configure time option to set the default behavior. Set the default
  if the configure option is not used to 'no'.
* The Cortex-A53 Erratum 843419 workaround now supports a choice of
  which workaround to use.  The option --fix-cortex-a53-843419 now
  takes an optional argument --fix-cortex-a53-843419[=full|adr|adrp]
  which can be used to force a particular workaround to be used.
  See --help for AArch64 for more details.
* Add support for GNU_PROPERTY_AARCH64_FEATURE_1_BTI and
  GNU_PROPERTY_AARCH64_FEATURE_1_PAC  in ELF GNU program properties
  in the AArch64 ELF linker. 
* Add -z force-bti for AArch64 to enable GNU_PROPERTY_AARCH64_FEATURE_1_BTI
  on output while warning about missing GNU_PROPERTY_AARCH64_FEATURE_1_BTI 
  on inputs and use PLTs protected with BTI.
* Add -z pac-plt for AArch64 to pick PAC enabled PLTs.
* Add --source-comment[=<txt>] option to objdump which if present,
  provides a prefix to source code lines displayed in a disassembly.
* Add --set-section-alignment <section-name>=<power-of-2-align>
  option to objcopy to allow the changing of section alignments.
* Add --verilog-data-width option to objcopy for verilog targets to
  control width of data elements in verilog hex format.
* The separate debug info file options of readelf (--debug-dump=links
  and --debug-dump=follow) and objdump (--dwarf=links and
  --dwarf=follow-links) will now display and/or follow multiple
  links if more than one are present in a file.  (This usually
  happens when gcc's -gsplit-dwarf option is used).
  In addition objdump's --dwarf=follow-links now also affects its
  other display options, so that for example, when combined with
  --syms it will cause the symbol tables in any linked debug info
  files to also be displayed.  In addition when combined with
  --disassemble the --dwarf= follow-links option will ensure that
  any symbol tables in the linked files are read and used when
  disassembling code in the main file.
* Add support for dumping types encoded in the Compact Type Format
  to objdump and readelf.
- Includes fixes for these CVEs:
  bsc#1126826 aka CVE-2019-9077 aka PR1126826
  bsc#1126829 aka CVE-2019-9075 aka PR1126829
  bsc#1126831 aka CVE-2019-9074 aka PR24235
  bsc#1140126 aka CVE-2019-12972 aka PR23405
  bsc#1143609 aka CVE-2019-14444 aka PR24829
  bsc#1142649 aka CVE-2019-14250 aka PR90924

* Add xBPF target
* Fix various problems with DWARF 5 support in gas
* fix nm -B for objects compiled with -flto and -fcommon.

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3640-1
Released:    Mon Dec  7 13:24:41 2020
Summary:     Recommended update for binutils
Type:        recommended
Severity:    important
References:  1179036,1179341
This update for binutils fixes the following issues:

Update binutils 2.35 branch to commit 1c5243df:

* Fixes PR26520, aka [bsc#1179036], a problem in addr2line with
  certain DWARF variable descriptions.
* Also fixes PR26711, PR26656, PR26655, PR26929, PR26808, PR25878,
  PR26740, PR26778, PR26763, PR26685, PR26699, PR26902, PR26869,
  PR26711
* The above includes fixes for dwo files produced by modern dwp,
  fixing several problems in the DWARF reader.

Update binutils to 2.35.1 and rebased branch diff:

* This is a point release over the previous 2.35 version, containing bug
  fixes, and as an exception to the usual rule, one new feature.  The
  new feature is the support for a new directive in the assembler:
  '.nop'.  This directive creates a single no-op instruction in whatever
  encoding is correct for the target architecture.  Unlike the .space or
  .fill this is a real instruction, and it does affect the generation of
  DWARF line number tables, should they be enabled. This fixes an 
  incompatibility introduced in the latest update that broke the install
  scripts of the Oracle server. [bsc#1179341]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3749-1
Released:    Thu Dec 10 14:39:28 2020
Summary:     Security update for gcc7
Type:        security
Severity:    moderate
References:  1150164,1161913,1167939,1172798,1178577,1178614,1178624,1178675,CVE-2020-13844
This update for gcc7 fixes the following issues:

- CVE-2020-13844: Added mitigation for aarch64 Straight Line Speculation issue (bsc#1172798)
- Enable fortran for the nvptx offload compiler. 
- Update README.First-for.SuSE.packagers
- avoid assembler errors with AVX512 gather and scatter instructions when using -masm=intel.
- Backport the aarch64 -moutline-atomics feature and accumulated fixes but not its
  default enabling.  [jsc#SLE-12209, bsc#1167939]
- Fixed 32bit libgnat.so link.  [bsc#1178675]
- Fixed memcpy miscompilation on aarch64. [bsc#1178624, bsc#1178577]
- Fixed debug line info for try/catch.  [bsc#1178614]
- Remove -mbranch-protection=standard (aarch64 flag) when gcc7 is used to build gcc7 (ie when ada is enabled)
- Fixed corruption of pass private ->aux via DF. [gcc#94148]
- Fixed debug information issue with inlined functions and passed by reference arguments.  [gcc#93888]
- Fixed binutils release date detection issue.
- Fixed register allocation issue with exception handling code on s390x.  [bsc#1161913] 
- Fixed miscompilation of some atomic code on aarch64. [bsc#1150164]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6. (jsc#SLE-13775)
  
  This is enabled by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:79-1
Released:    Tue Jan 12 10:49:34 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1167939
This update for gcc7 fixes the following issues:

- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval.  [bsc#1167939]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:596-1
Released:    Thu Feb 25 10:26:30 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  1181618
This update for gcc7 fixes the following issues:

- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:598-1
Released:    Thu Feb 25 10:30:23 2021
Summary:     Recommended update for go
Type:        recommended
Severity:    moderate
References:  1164903,1172608,1175132
This update for go fixes the following issues:

Update to current stable go1.15 (bsc#1175132)

* Ensure 'Provides: golang(API) = %{api_version}' is consistent
  to improve package resolution for common go dependency expressions
  'BuildRequires: golang(API) >= 1.x' and 'BuildRequires: go >= 1.x'.
  OBS projects that contain go code often have prjconf entries
  'Prefer: go', which selects the go metapackage over go1.x packages.
  When the go metapackage Provides: version is lower than go1.x versions,
  'Prefer: go' is not effective and build failures occur with errors:
  'unresolvable: have choice for golang(API) >= 1.13: go1.13 go1.14'.
  Edits and changelog Jeff Kowalczyk <jkowalczyk at suse.com> (bsc#1172608)

* Unify '{version}' and '{short_version}' as '{api_version}' for
  'Provides: golang(API) = %{api_version}'
* Use both 'BuildRequires: go%{api_version}' and 'Requires: go%{api_version}'
  to trigger build errors if go1.x is unavailable
* Add aarch64 to supported systems for go-race via
  %define tsan_arch x86_64 aarch64
* Add tsan_arch x86_64 aarch64 for suse_version >= 1500 and
  sle_version >= 150000, formerly conditional on suse_version >= 1315
* Ensure %ifarch %{tsan_arch} always evaluates (nil does not work)
  via dummy tsan_arch on systems where go-race is not supported

Update to current stable go1.14 (bsc#1164903)

* Remove redundant Provides: go-doc=%{version} per rpmlint warning

- Change suse_version >= 1315 (was 1550) defines short_version 1.12
  go1.12 packages are available for SLE-12.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:716-1
Released:    Fri Mar  5 17:22:27 2021
Summary:     Recommended update for go
Type:        recommended
Severity:    moderate
References:  1182345
This update for go fixes the following issues:

- Update to current stable go1.16 (bsc#1182345)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released:    Tue Apr  6 14:29:13 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1180713
This update for gzip fixes the following issues:

- Fixes an issue where 'gzexe' miscounts the lines to skip. (bsc#1180713)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released:    Wed Apr 21 14:02:46 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1177047
This update for gzip fixes the following issues:

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1291-1
Released:    Wed Apr 21 14:04:06 2021
Summary:     Recommended update for mpfr
Type:        recommended
Severity:    moderate
References:  1141190
This update for mpfr fixes the following issues:

- Fixed an issue when building for ppc64le (bsc#1141190)

Technical library fixes:

- A subtraction of two numbers of the same sign or addition of two numbers of different signs
  can be rounded incorrectly (and the ternary value can be incorrect) when one of the two
  inputs is reused as the output (destination) and all these MPFR numbers have exactly
  GMP_NUMB_BITS bits of precision (typically, 32 bits on 32-bit machines, 64 bits on 64-bit
  machines).
- The mpfr_fma and mpfr_fms functions can behave incorrectly in case of internal overflow or
  underflow.
- The result of the mpfr_sqr function can be rounded incorrectly in a rare case near underflow
  when the destination has exactly GMP_NUMB_BITS bits of precision (typically, 32 bits on
  32-bit machines, 64 bits on 64-bit machines) and the input has at most GMP_NUMB_BITS bits
  of precision.
- The behavior and documentation of the mpfr_get_str function are inconsistent concerning the
  minimum precision (this is related to the change of the minimum precision from 2 to 1 in
  MPFR 4.0.0). The get_str patch fixes this issue in the following way: the value 1 can now be
  provided for n (4th argument of mpfr_get_str); if n = 0, then the number of significant digits
  in the output string can now be 1, as already implied by the documentation (but the code was
  increasing it to 2).
- The mpfr_cmp_q function can behave incorrectly when the rational (mpq_t) number has a null
  denominator.
- The mpfr_inp_str and mpfr_out_str functions might behave incorrectly when the stream is a
  null pointer: the stream is replaced by stdin and stdout, respectively. This behavior is
  useless, not documented (thus incorrect in case a null pointer would have a special meaning),
  and not consistent with other input/output functions.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1926-1
Released:    Thu Jun 10 08:38:14 2021
Summary:     Recommended update for gcc
Type:        recommended
Severity:    moderate
References:  1096677
This update for gcc fixes the following issues:

- Added gccgo symlink and go and gofmt as alternatives to support parallel installation
  of golang (bsc#1096677)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1935-1
Released:    Thu Jun 10 10:45:09 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1186642

This update for gzip fixes the following issue:

- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
  to migration issues. (bsc#1186642)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2993-1
Released:    Thu Sep  9 14:31:33 2021
Summary:     Recommended update for gcc
Type:        recommended
Severity:    moderate
References:  1185348
This update for gcc fixes the following issues:

- With gcc-PIE add -pie even when -fPIC is specified but we are
  not linking a shared library.  [bsc#1185348]
- Fix postun of gcc-go alternative.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3315-1
Released:    Wed Oct  6 19:29:43 2021
Summary:     Recommended update for go1.17
Type:        recommended
Severity:    moderate
References:  1190589,1190649,CVE-2021-39293
This update for go1.17 fixes the following issues:

This is the initial go 1.17 shipment. 

go1.17.1 (released 2021-09-09) includes a security fix to the
archive/zip package, as well as bug fixes to the compiler,
linker, the go command, and to the crypto/rand, embed, go/types,
html/template, and net/http packages.  (bsc#1190649)

CVE-2021-39293: Fixed an overflow in preallocation check that can cause OOM panic in archive/zip (bsc#1190589)

go1.17 (released 2021-08-16) is a major release of Go.

go1.17.x minor releases will be provided through August 2022.

See https://github.com/golang/go/wiki/Go-Release-Cycle

Most changes are in the implementation of the toolchain, runtime,
and libraries. As always, the release maintains the Go 1 promise
of compatibility. We expect almost all Go programs to continue to
compile and run as before. (bsc#1190649)

* See release notes https://golang.org/doc/go1.17. Excerpts
  relevant to OBS environment and for SUSE/openSUSE follow:
* The compiler now implements a new way of passing function
  arguments and results using registers instead of the
  stack. Benchmarks for a representative set of Go packages and
  programs show performance improvements of about 5%, and a
  typical reduction in binary size of about 2%. This is currently
  enabled for Linux, macOS, and Windows on the 64-bit x86
  architecture (the linux/amd64, darwin/amd64, and windows/amd64
  ports). This change does not affect the functionality of any
  safe Go code and is designed to have no impact on most assembly
  code.
* When the linker uses external linking mode, which is the
  default when linking a program that uses cgo, and the linker is
  invoked with a -I option, the option will now be passed to the
  external linker as a -Wl,--dynamic-linker option.
* The runtime/cgo package now provides a new facility that allows
  turning any Go value into a safe representation that can be used
  to pass values between C and Go safely. See runtime/cgo.Handle
  for more information.
* ARM64 Go programs now maintain stack frame pointers on the
  64-bit ARM architecture on all operating systems. Previously,
  stack frame pointers were only enabled on Linux, macOS, and
  iOS.
* Pruned module graphs in go 1.17 modules: If a module specifies
  go 1.17 or higher, the module graph includes only the immediate
  dependencies of other go 1.17 modules, not their full
  transitive dependencies. To convert the go.mod file for an
  existing module to Go 1.17 without changing the selected
  versions of its dependencies, run: go mod tidy -go=1.17
  By default, go mod tidy verifies that the selected versions of
  dependencies relevant to the main module are the same versions
  that would be used by the prior Go release (Go 1.16 for a
  module that specifies go 1.17), and preserves the go.sum
  entries needed by that release even for dependencies that are
  not normally needed by other commands.
  The -compat flag allows that version to be overridden to
  support older (or only newer) versions, up to the version
  specified by the go directive in the go.mod file. To tidy a go
  1.17 module for Go 1.17 only, without saving checksums for (or
  checking for consistency with) Go 1.16: go mod tidy
  -compat=1.17
  Note that even if the main module is tidied with -compat=1.17,
  users who require the module from a go 1.16 or earlier module
  will still be able to use it, provided that the packages use
  only compatible language and library features.
  The go mod graph subcommand also supports the -go flag, which
  causes it to report the graph as seen by the indicated Go
  version, showing dependencies that may otherwise be pruned out.
* Module deprecation comments: Module authors may deprecate a
  module by adding a // Deprecated: comment to go.mod, then
  tagging a new version. go get now prints a warning if a module
  needed to build packages named on the command line is
  deprecated. go list -m -u prints deprecations for all
  dependencies (use -f or -json to show the full message). The go
  command considers different major versions to be distinct
  modules, so this mechanism may be used, for example, to provide
  users with migration instructions for a new major version.
* go get -insecure flag is deprecated and has been removed. To
  permit the use of insecure schemes when fetching dependencies,
  please use the GOINSECURE environment variable. The -insecure
  flag also bypassed module sum validation; use GOPRIVATE or
  GONOSUMDB if you need that functionality. See go help
  environment for details.
* go get prints a deprecation warning when installing commands
  outside the main module (without the -d flag). go install
  cmd@version should be used instead to install a command at a
  specific version, using a suffix like @latest or @v1.2.3. In Go
  1.18, the -d flag will always be enabled, and go get will only
  be used to change dependencies in go.mod.
* go.mod files missing go directives: If the main module's go.mod
  file does not contain a go directive and the go command cannot
  update the go.mod file, the go command now assumes go 1.11
  instead of the current release. (go mod init has added go
  directives automatically since Go 1.12.)
  If a module dependency lacks an explicit go.mod file, or its
  go.mod file does not contain a go directive, the go command now
  assumes go 1.16 for that dependency instead of the current
  release. (Dependencies developed in GOPATH mode may lack a
  go.mod file, and the vendor/modules.txt has to date never
  recorded the go versions indicated by dependencies' go.mod
  files.)
* vendor contents: If the main module specifies go 1.17 or
  higher, go mod vendor now annotates vendor/modules.txt with the
  go version indicated by each vendored module in its own go.mod
  file. The annotated version is used when building the module's
  packages from vendored source code.
  If the main module specifies go 1.17 or higher, go mod vendor
  now omits go.mod and go.sum files for vendored dependencies,
  which can otherwise interfere with the ability of the go
  command to identify the correct module root when invoked within
  the vendor tree.
* Password prompts: The go command by default now suppresses SSH
  password prompts and Git Credential Manager prompts when
  fetching Git repositories using SSH, as it already did
  previously for other Git password prompts. Users authenticating
  to private Git repos with password-protected SSH may configure
  an ssh-agent to enable the go command to use password-protected
  SSH keys.
* go mod download: When go mod download is invoked without
  arguments, it will no longer save sums for downloaded module
  content to go.sum. It may still make changes to go.mod and
  go.sum needed to load the build list. This is the same as the
  behavior in Go 1.15. To save sums for all modules, use:
  go mod download all
* The go command now understands //go:build lines and prefers
  them over // +build lines. The new syntax uses boolean
  expressions, just like Go, and should be less error-prone. As
  of this release, the new syntax is fully supported, and all Go
  files should be updated to have both forms with the same
  meaning. To aid in migration, gofmt now automatically
  synchronizes the two forms. For more details on the syntax and
  migration plan, see https://golang.org/design/draft-gobuild.
* go run now accepts arguments with version suffixes (for
  example, go run example.com/cmd@v1.0.0). This causes go run to
  build and run packages in module-aware mode, ignoring the
  go.mod file in the current directory or any parent directory,
  if there is one. This is useful for running executables without
  installing them or without changing dependencies of the current
  module.
* The format of stack traces from the runtime (printed when an
  uncaught panic occurs, or when runtime.Stack is called) is
  improved.
* TLS strict ALPN: When Config.NextProtos is set, servers now
  enforce that there is an overlap between the configured
  protocols and the ALPN protocols advertised by the client, if
  any. If there is no mutually supported protocol, the connection
  is closed with the no_application_protocol alert, as required
  by RFC 7301. This helps mitigate the ALPACA cross-protocol
  attack. As an exception, when the value 'h2' is included in the
  server's Config.NextProtos, HTTP/1.1 clients will be allowed to
  connect as if they didn't support ALPN. See issue go#46310 for
  more information.
* crypto/ed25519: The crypto/ed25519 package has been rewritten,
  and all operations are now approximately twice as fast on amd64
  and arm64. The observable behavior has not otherwise changed.
* crypto/elliptic: CurveParams methods now automatically invoke
  faster and safer dedicated implementations for known curves
  (P-224, P-256, and P-521) when available. Note that this is a
  best-effort approach and applications should avoid using the
  generic, not constant-time CurveParams methods and instead use
  dedicated Curve implementations such as P256. The P521 curve
  implementation has been rewritten using code generated by the
  fiat-crypto project, which is based on a formally-verified
  model of the arithmetic operations. It is now constant-time and
  three times faster on amd64 and arm64. The observable behavior
  has not otherwise changed.
* crypto/tls: The new Conn.HandshakeContext method allows the
  user to control cancellation of an in-progress TLS
  handshake. The provided context is accessible from various
  callbacks through the new ClientHelloInfo.Context and
  CertificateRequestInfo.Context methods. Canceling the context
  after the handshake has finished has no effect.
  Cipher suite ordering is now handled entirely by the crypto/tls
  package. Currently, cipher suites are sorted based on their
  security, performance, and hardware support taking into account
  both the local and peer's hardware. The order of the
  Config.CipherSuites field is now ignored, as well as the
  Config.PreferServerCipherSuites field. Note that
  Config.CipherSuites still allows applications to choose what
  TLS 1.0–1.2 cipher suites to enable.
  The 3DES cipher suites have been moved to InsecureCipherSuites
  due to fundamental block size-related weakness. They are still
  enabled by default but only as a last resort, thanks to the
  cipher suite ordering change above.
  Beginning in the next release, Go 1.18, the Config.MinVersion
  for crypto/tls clients will default to TLS 1.2, disabling TLS
  1.0 and TLS 1.1 by default. Applications will be able to
  override the change by explicitly setting
  Config.MinVersion. This will not affect crypto/tls servers.
* crypto/x509: CreateCertificate now returns an error if the
  provided private key doesn't match the parent's public key, if
  any. The resulting certificate would have failed to verify.
* crypto/x509: The temporary GODEBUG=x509ignoreCN=0 flag has been
  removed.
* crypto/x509: ParseCertificate has been rewritten, and now
  consumes ~70% fewer resources. The observable behavior has not
  otherwise changed, except for error messages.
* crypto/x509: Beginning in the next release, Go 1.18,
  crypto/x509 will reject certificates signed with the SHA-1 hash
  function. This doesn't apply to self-signed root
  certificates. Practical attacks against SHA-1 have been
  demonstrated in 2017 and publicly trusted Certificate
  Authorities have not issued SHA-1 certificates since 2015.
* go/build: The new Context.ToolTags field holds the build tags
  appropriate to the current Go toolchain configuration.
* net/http package now uses the new (*tls.Conn).HandshakeContext
  with the Request context when performing TLS handshakes in the
  client or server.
* syscall: On Unix-like systems, the process group of a child
  process is now set with signals blocked. This avoids sending a
  SIGTTOU to the child when the parent is in a background process
  group.
* time: The new Time.IsDST method can be used to check whether
  the time is in Daylight Savings Time in its configured
  location.
* time: The new Time.UnixMilli and Time.UnixMicro methods return
  the number of milliseconds and microseconds elapsed since
  January 1, 1970 UTC respectively.
* time: The new UnixMilli and UnixMicro functions return the
  local Time corresponding to the given Unix time.

- Add bash scripts used by go tool commands to provide a more
  complete cross-compiling go toolchain install.


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3488-1
Released:    Wed Oct 20 16:18:39 2021
Summary:     Security update for go1.17
Type:        security
Severity:    moderate
References:  1190649,1191468,CVE-2021-38297
This update for go1.17 fixes the following issues:

Update to go1.17.2

- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3616-1
Released:    Thu Nov  4 12:29:16 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1179898,1179899,1179900,1179901,1179902,1179903,1180451,1180454,1180461,1181452,1182252,1183511,1184620,1184794,CVE-2020-16590,CVE-2020-16591,CVE-2020-16592,CVE-2020-16593,CVE-2020-16598,CVE-2020-16599,CVE-2020-35448,CVE-2020-35493,CVE-2020-35496,CVE-2020-35507,CVE-2021-20197,CVE-2021-20284,CVE-2021-3487
This update for binutils fixes the following issues:

Update to binutils 2.37:

* The GNU Binutils sources now require a C99 compiler and library to
  build.
* Support for Realm Management Extension (RME) for AArch64 has been
  added.
* A new linker option '-z report-relative-reloc' for x86 ELF targets
  has been added to report dynamic relative relocations.
* A new linker option '-z start-stop-gc' has been added to disable
  special treatment of __start_*/__stop_* references when
  --gc-sections.
* A new linker option '-Bno-symbolic' has been added which will
  cancel the '-Bsymbolic' and '-Bsymbolic-functions' options.
* The readelf tool has a new command line option which can be used to
  specify how the numeric values of symbols are reported.
  --sym-base=0|8|10|16 tells readelf to display the values in base 8,
  base 10 or base 16.  A sym base of 0 represents the default action
  of displaying values under 10000 in base 10 and values above that in
  base 16.
* A new format has been added to the nm program.  Specifying
  '--format=just-symbols' (or just using -j) will tell the program to
  only display symbol names and nothing else.
* A new command line option '--keep-section-symbols' has been added to
  objcopy and strip.  This stops the removal of unused section symbols
  when the file is copied.  Removing these symbols saves space, but
  sometimes they are needed by other tools.
* The '--weaken', '--weaken-symbol' and '--weaken-symbols' options
  supported by objcopy now make undefined symbols weak on targets that
  support weak symbols. 
* Readelf and objdump can now display and use the contents of .debug_sup
  sections.
* Readelf and objdump will now follow links to separate debug info
  files by default.  This behaviour can be stopped via the use of the
  new '-wN' or '--debug-dump=no-follow-links' options for readelf and
  the '-WN' or '--dwarf=no-follow-links' options for objdump.  Also
  the old behaviour can be restored by the use of the
  '--enable-follow-debug-links=no' configure time option.

  The semantics of the =follow-links option have also been slightly
  changed.  When enabled, the option allows for the loading of symbol
  tables and string tables from the separate files which can be used
  to enhance the information displayed when dumping other sections,
  but it does not automatically imply that information from the
  separate files should be displayed.

  If other debug section display options are also enabled (eg
  '--debug-dump=info') then the contents of matching sections in both
  the main file and the separate debuginfo file *will* be displayed.
  This is because in most cases the debug section will only be present
  in one of the files.

  If however non-debug section display options are enabled (eg
  '--sections') then the contents of matching parts of the separate
  debuginfo file will *not* be displayed.  This is because in most
  cases the user probably only wanted to load the symbol information
  from the separate debuginfo file.  In order to change this behaviour
  a new command line option --process-links can be used.  This will
  allow display options to be applied to both the main file and any
  separate debuginfo files.

* Nm has a new command line option: '--quiet'.  This suppresses 'no
  symbols' diagnostic.

Update to binutils 2.36:

New features in the Assembler:

- General:

   * When setting the link order attribute of ELF sections, it is now
     possible to use a numeric section index instead of symbol name.
   * Added a .nop directive to generate a single no-op instruction in
     a target neutral manner.  This instruction does have an effect on
     DWARF line number generation, if that is active.
   * Removed --reduce-memory-overheads and --hash-size as gas now
     uses hash tables that can expand and shrink automatically.

- X86/x86_64:

   * Add support for AVX VNNI, HRESET, UINTR, TDX, AMX and Key
     Locker instructions. 
   * Support non-absolute segment values for lcall and ljmp.
   * Add {disp16} pseudo prefix to x86 assembler.
   * Configure with --enable-x86-used-note by default for Linux/x86.

-  ARM/AArch64:

   * Add support for Cortex-A78, Cortex-A78AE and Cortex-X1,
     Cortex-R82, Neoverse V1, and Neoverse N2 cores.
   * Add support for ETMv4 (Embedded Trace Macrocell), ETE (Embedded
     Trace Extension), TRBE (Trace Buffer Extension), CSRE (Call
     Stack Recorder Extension) and BRBE (Branch Record Buffer
     Extension) system registers.
   * Add support for Armv8-R and Armv8.7-A ISA extensions.
   * Add support for DSB memory nXS barrier, WFET and WFIT
     instruction for Armv8.7.
   * Add support for +csre feature for -march. Add CSR PDEC
     instruction for CSRE feature in AArch64.
   * Add support for +flagm feature for -march in Armv8.4 AArch64.
   * Add support for +ls64 feature for -march in Armv8.7
     AArch64. Add atomic 64-byte load/store instructions for this
     feature. 
   * Add support for +pauth (Pointer Authentication) feature for
     -march in AArch64.

New features in the Linker:

  * Add --error-handling-script=<NAME> command line option to allow
    a helper script to be invoked when an undefined symbol or a
    missing library is encountered.  This option can be suppressed
    via the configure time switch: --enable-error-handling-script=no.
  * Add -z x86-64-{baseline|v[234]} to the x86 ELF linker to mark
    x86-64-{baseline|v[234]} ISA level as needed.
  * Add -z unique-symbol to avoid duplicated local symbol names.
  * The creation of PE format DLLs now defaults to using a more
    secure set of DLL characteristics.
  * The linker now deduplicates the types in .ctf sections.  The new 
     command-line option --ctf-share-types describes how to do this:
     its default value, share-unconflicted, produces the most compact
     output.
  * The linker now omits the 'variable section' from .ctf sections
    by default, saving space.  This is almost certainly what you
    want unless you are working on a project that has its own
    analogue of symbol tables that are not reflected in the ELF
    symtabs.

New features in other binary tools:

  * The ar tool's previously unused l modifier is now used for
    specifying dependencies of a static library. The arguments of
    this option (or --record-libdeps long form option) will be
    stored verbatim in the __.LIBDEP member of the archive, which
    the linker may read at link time.
  * Readelf can now display the contents of LTO symbol table
    sections when asked to do so via the --lto-syms command line
    option.
  * Readelf now accepts the -C command line option to enable the
    demangling of symbol names.  In addition the --demangle=<style>,
    --no-demangle, --recurse-limit and --no-recurse-limit options
    are also now available.

The following security fixes are addressed by the update:

- CVE-2021-20197: Fixed a race condition which allows users to own arbitrary files (bsc#1181452).
- CVE-2021-20284: Fixed a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c (bsc#1183511).
- CVE-2021-3487: Fixed a denial of service via excessive debug section size causing excessive memory consumption in bfd's dwarf2.c read_section() (bsc#1184620).
- CVE-2020-35448: Fixed a heap-based buffer over-read in bfd_getl_signed_32() in libbfd.c (bsc#1184794).
- CVE-2020-16590: Fixed a double free vulnerability in process_symbol_table() (bsc#1179898).
- CVE-2020-16591: Fixed an invalid read in process_symbol_table() (bsc#1179899).
- CVE-2020-16592: Fixed a use-after-free in bfd_hash_lookup() (bsc#1179900).
- CVE-2020-16593: Fixed a null pointer dereference in scan_unit_for_symbols() (bsc#1179901).
- CVE-2020-16598: Fixed a null pointer dereference in debug_get_real_type() (bsc#1179902).
- CVE-2020-16599: Fixed a null pointer dereference in _bfd_elf_get_symbol_version_string() (bsc#1179903)
- CVE-2020-35493: Fixed heap-based buffer overflow in bfd_pef_parse_function_stubs function in bfd/pef.c via crafted PEF file (bsc#1180451).
- CVE-2020-35496: Fixed multiple null pointer dereferences in bfd module due to not checking return value of bfd_malloc (bsc#1180454).
- CVE-2020-35507: Fixed a null pointer dereference in bfd_pef_parse_function_stubs() (bsc#1180461).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3643-1
Released:    Tue Nov  9 19:32:18 2021
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1183909,1184519,1188941,1191473,1192267,CVE-2021-20294
This update for binutils fixes the following issues:

- For compatibility with old code streams that expect 'brcl 0,label' not to
  be disassembled as 'jgnop label' on s390x, IBM zSeries HLASM support is
  reverted for now. (bsc#1192267)
- Fixed that ppc64 optflags did not enable LTO (bsc#1188941).
- Fix empty man-pages from broken release tarball
- Fixed a memory corruption with rpath option (bsc#1191473).
- Fixed slow performance of stripping some binaries (bsc#1183909).

Security issue fixed:

- CVE-2021-20294: Fixed out-of-bounds write in print_dynamic_symbol in readelf (bnc#1184519)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3798-1
Released:    Wed Nov 24 18:01:36 2021
Summary:     Recommended update for gcc7
Type:        recommended
Severity:    moderate
References:  


This update for gcc7 fixes the following issues:

- Fixed a build issue when built with recent kernel headers.
- Backport the '-fpatchable-function-entry' feature from newer GCC. (jsc#SLE-20049)
- do not handle exceptions in std::thread (jsc#CAR-1182)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3833-1
Released:    Wed Dec  1 16:04:48 2021
Summary:     Security update for go1.17
Type:        security
Severity:    moderate
References:  1190649,1192377,1192378,CVE-2021-41771,CVE-2021-41772
This update for go1.17 fixes the following issues:

Security update go1.17.3 (released 2021-11-04) (bsc#1190649).

- CVE-2021-41771: Fixed invalid dynamic symbol table command that could have caused panic (bsc#1192377).
- CVE-2021-41772: Fixed panic on (*Reader).Open (bsc#1192378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4186-1
Released:    Thu Dec 23 12:35:45 2021
Summary:     Security update for go1.17
Type:        security
Severity:    moderate
References:  1190649,1193597,1193598,CVE-2021-44716,CVE-2021-44717
This update for go1.17 fixes the following issues:

Updated to upstream version 1.17.5 to include fixes to the compiler, linker,
syscall, runtime, the net/http, go/types, and time packages (bsc#1190649)

- CVE-2021-44717: syscall: don't close fd 0 on ForkExec error (bsc#1193598).
- CVE-2021-44716: net/http: limit growth of header canonicalization cache (bsc#1193597).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:78-1
Released:    Fri Jan 14 10:30:21 2022
Summary:     Recommended update for go1.17
Type:        recommended
Severity:    moderate
References:  1190649
This update for go1.17 fixes the following issues:

Update to go1.17.6 released 2022-01-06. (bsc#1190649)

- It includes fixes to the compiler, linker, runtime, and the crypto/x509, net/http, and reflect packages.

  * go#50165 crypto/x509: error parsing large ASN.1 identifiers
  * go#50073 runtime: race detector `SIGABRT` or `SIGSEGV` on macOS Monterey
  * go#49961 reflect: segmentation violation while using html/template
  * go#49921 x/net/http2: `http.Server.WriteTimeout` does not fire if the http2 stream's window is out of space.
  * go#49413 cmd/compile: internal compiler error: `Op...LECall and OpDereference have mismatched mem`
  * go#48116 runtime: mallocs cause `base outside usable address space` panic when running on iOS 14

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:321-1
Released:    Thu Feb  3 12:55:16 2022
Summary:     Recommended update for go
Type:        recommended
Severity:    moderate
References:  1190649
This update for go fixes the following issues:

- Update the go wrapper package to switch to the current stable go1.17 (bsc#1190649)
- Add golang Provides for RH/Fedora compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:723-1
Released:    Fri Mar  4 10:31:46 2022
Summary:     Security update for go1.17
Type:        security
Severity:    important
References:  1190649,1195834,1195835,1195838,CVE-2022-23772,CVE-2022-23773,CVE-2022-23806
This update for go1.17 fixes the following issues:

- CVE-2022-23806: Fixed incorrect returned value in crypto/elliptic IsOnCurve (bsc#1195838).
- CVE-2022-23772: Fixed an overflow in Rat.SetString in math/big that can lead to uncontrolled memory consumption (bsc#1195835).
- CVE-2022-23773: Fixed incorrect access control in cmd/go (bsc#1195834).

The following non-security bugs were fixed:

- go#50978 crypto/elliptic: IsOnCurve returns true for invalid field elements
- go#50701 math/big: Rat.SetString may consume large amount of RAM and crash
- go#50687 cmd/go: do not treat branches with semantic-version names as releases
- go#50942 cmd/asm: 'compile: loop' compiler bug?
- go#50867 cmd/compile: incorrect use of CMN on arm64
- go#50812 cmd/go: remove bitbucket VCS probing
- go#50781 runtime: incorrect frame information in traceback traversal may hang the process.
- go#50722 debug/pe: reading debug_info section of PE files that use the DWARF5 form DW_FORM_line_strp causes error
- go#50683 cmd/compile: MOVWreg missing sign-extension following a Copy from a floating-point LoadReg
- go#50586 net/http/httptest: add fipsonly compliant certificate in for NewTLSServer(), for dev.boringcrypto branch
- go#50297 cmd/link: does not set section type of .init_array correctly
- go#50246 runtime: intermittent os/exec.Command.Start() Hang on Darwin in Presence of 'plugin' Package

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1167-1
Released:    Tue Apr 12 17:51:47 2022
Summary:     Security update for go1.17
Type:        security
Severity:    important
References:  1183043,1190649,1196732,CVE-2022-24921
This update for go1.17 fixes the following issues:

Update to version 1.17.8 (bsc#1190649):
  - CVE-2022-24921: Fixed a potential denial of service via large regular
    expressions (bsc#1196732).

Non-security fixes:
  - Fixed an issue with v2 modules (go#51332).
  - Fixed an issue when building source in riscv64 (go#51199).
  - Increased compatibility for the DNS protocol in the net module (go#51162).
  - Fixed an issue with histograms in the runtime/metrics module (go#50734).
  - Fixed an issue when parsing x509 certificates (go#51000).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1409-1
Released:    Tue Apr 26 12:54:57 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1195628,1196107
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstdc++6 package to keep those
  at the same version.  [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1411-1
Released:    Tue Apr 26 17:48:58 2022
Summary:     Security update for go1.17
Type:        security
Severity:    moderate
References:  1190649,1198423,1198424,CVE-2022-24675,CVE-2022-28327
This update for go1.17 fixes the following issues:

- Updated to version 1.17.9 (bsc#1190649):
  - CVE-2022-24675: Fixed a stack overflow via crafted PEM file (bsc#1198423).
  - CVE-2022-28327: Fixed a potential panic when using big P-256 scalars in the
    crypto/elliptic module (bsc#1198424).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1439-1
Released:    Wed Apr 27 16:08:04 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1198237
This update for binutils fixes the following issues:

- The official name IBM z16 for IBM zSeries arch14 is recognized.  (bsc#1198237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1566-1
Released:    Sat May  7 12:33:28 2022
Summary:     Recommended update for go1.17
Type:        recommended
Severity:    moderate
References:  
This update for go1.17 fixes the following issues:

- Remove remaining use of gold linker when bootstrapping with
  gccgo.

  * History: go1.8.3 2017-06-18 added conditional if gccgo defined
    BuildRequires: binutils-gold for arches other than s390x
  * No information available why binutils-gold was used initially
  * Unrelated to upstream recent hardcoded gold dependency for ARM

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1617-1
Released:    Tue May 10 14:40:12 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  1198062,1198922,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)


The following package changes have been done:

- gzip-1.10-150200.10.1 added
- libasan4-7.5.0+r278197-4.30.1 added
- libatomic1-11.2.1+git610-150000.1.6.6 added
- libcilkrts5-7.5.0+r278197-4.30.1 added
- libctf-nobfd0-2.37-150100.7.29.1 added
- libgomp1-11.2.1+git610-150000.1.6.6 added
- libisl15-0.18-1.443 added
- libitm1-11.2.1+git610-150000.1.6.6 added
- liblsan0-11.2.1+git610-150000.1.6.6 added
- libmpfr6-4.0.2-3.3.1 added
- libmpx2-8.2.1+r264010-1.3.7 added
- libmpxwrappers2-8.2.1+r264010-1.3.7 added
- libtsan0-11.2.1+git610-150000.1.6.6 added
- libubsan0-7.5.0+r278197-4.30.1 added
- linux-glibc-devel-5.3-3.2.10 added
- make-4.2.1-7.3.2 added
- pkg-config-0.29.2-1.436 added
- libmpc3-1.1.0-1.47 added
- libxcrypt-devel-4.4.15-150300.4.2.41 added
- libctf0-2.37-150100.7.29.1 added
- binutils-2.37-150100.7.29.1 added
- cpp7-7.5.0+r278197-4.30.1 added
- glibc-devel-2.31-150300.20.7 added
- cpp-7-3.9.1 added
- gcc7-7.5.0+r278197-4.30.1 added
- gcc-7-3.9.1 added
- go1.17-1.17.9-150000.1.31.1 added
- go-1.17-3.20.1 added

