SUSE-CU-2023:2281-1: Security update of bci/openjdk-devel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Jul 14 07:09:59 UTC 2023


SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2281-1
Container Tags        : bci/openjdk-devel:17 , bci/openjdk-devel:17-10.6 , bci/openjdk-devel:latest
Container Release     : 10.6
Severity              : moderate
Type                  : security
References            : 1185116 1202118 1210714 1211430 CVE-2023-1255 CVE-2023-2650 
-----------------------------------------------------------------

The container bci/openjdk-devel was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2620-1
Released:    Fri Jun 23 13:41:36 2023
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1210714,1211430,CVE-2023-1255,CVE-2023-2650
This update for openssl-3 fixes the following issues:

- CVE-2023-1255: Fixed input buffer over-read in AES-XTS implementation on 64 bit ARM (bsc#1210714).
- CVE-2023-2650: Fixed possible DoS translating ASN.1 object identifiers (bsc#1211430).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2811-1
Released:    Wed Jul 12 11:56:18 2023
Summary:     Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
Type:        recommended
Severity:    moderate
References:  
This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:

This update provides a feature update to the FIDO2 stack.

Changes in libfido2:

- Version 1.13.0 (2023-02-20)

    * New API calls:

      + fido_assert_empty_allow_list;
      + fido_cred_empty_exclude_list.

    * fido2-token: fix issue when listing large blobs.

- Version 1.12.0 (2022-09-22)

  * Support for COSE_ES384.
  * Improved support for FIDO 2.1 authenticators.

  * New API calls:

    + es384_pk_free;
    + es384_pk_from_EC_KEY;
    + es384_pk_from_EVP_PKEY;
    + es384_pk_from_ptr;
    + es384_pk_new;
    + es384_pk_to_EVP_PKEY;
    + fido_cbor_info_certs_len;
    + fido_cbor_info_certs_name_ptr;
    + fido_cbor_info_certs_value_ptr;
    + fido_cbor_info_maxrpid_minpinlen;
    + fido_cbor_info_minpinlen;
    + fido_cbor_info_new_pin_required;
    + fido_cbor_info_rk_remaining;
    + fido_cbor_info_uv_attempts;
    + fido_cbor_info_uv_modality.

   * Documentation and reliability fixes.

- Version 1.11.0 (2022-05-03)

  * Experimental PCSC support; enable with -DUSE_PCSC.
  * Improved OpenSSL 3.0 compatibility.
  * Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
  * winhello: advertise 'uv' instead of 'clientPin'.
  * winhello: support hmac-secret in fido_dev_get_assert().
  * New API calls:

    + fido_cbor_info_maxlargeblob.

  * Documentation and reliability fixes.
  * Separate build and regress targets.

- Version 1.10.0 (2022-01-17)

  * bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
  * New API calls:

     - fido_dev_info_set;
     - fido_dev_io_handle;
     - fido_dev_new_with_info;
     - fido_dev_open_with_info.
  * Cygwin and NetBSD build fixes.
  * Documentation and reliability fixes.
  * Support for TPM 2.0 attestation of COSE_ES256 credentials.

- Version 1.9.0 (2021-10-27)

  * Enabled NFC support on Linux.
  * Support for FIDO 2.1 'minPinLength' extension.
  * Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
  * Support for TPM 2.0 attestation.
  * Support for device timeouts; see fido_dev_set_timeout().
  * New API calls:

       - es256_pk_from_EVP_PKEY;
       - fido_cred_attstmt_len;
       - fido_cred_attstmt_ptr;
       - fido_cred_pin_minlen;
       - fido_cred_set_attstmt;
       - fido_cred_set_pin_minlen;
       - fido_dev_set_pin_minlen_rpid;
       - fido_dev_set_timeout;
       - rs256_pk_from_EVP_PKEY.

  * Reliability and portability fixes.
  * Better handling of HID devices without identification strings; gh#381.

- Update to version 1.8.0:

	* Better support for FIDO 2.1 authenticators.
	* Support for attestation format 'none'.
	* New API calls:

		- fido_assert_set_clientdata;
		- fido_cbor_info_algorithm_cose;
		- fido_cbor_info_algorithm_count;
		- fido_cbor_info_algorithm_type;
		- fido_cbor_info_transports_len;
		- fido_cbor_info_transports_ptr;
		- fido_cred_set_clientdata;
		- fido_cred_set_id;
		- fido_credman_set_dev_rk;
		- fido_dev_is_winhello.

	* fido2-token: new -Sc option to update a resident credential.
	* Documentation and reliability fixes.
	* HID access serialisation on Linux.

- Update to version 1.7.0:

  * hid_win: detect devices with vendor or product IDs > 0x7fff
  * Support for FIDO 2.1 authenticator configuration.
  * Support for FIDO 2.1 UV token permissions.
  * Support for FIDO 2.1 'credBlobs' and 'largeBlobs' extensions.
  * New API calls
  * New fido_init flag to disable fido_dev_open’s U2F fallback
  * Experimental NFC support on Linux.

- Enabled hidapi again, issues related to hidapi are fixed upstream

- Update to version 1.6.0:

  * Documentation and reliability fixes.

  * New API calls:

    + fido_cred_authdata_raw_len;
    + fido_cred_authdata_raw_ptr;
    + fido_cred_sigcount;
    + fido_dev_get_uv_retry_count;
    + fido_dev_supports_credman.
  * Hardened Windows build.
  * Native FreeBSD and NetBSD support.
  * Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.

- Create a udev subpackage and ship the udev rule.

Changes in python-fido2:

- update to 0.9.3:

  * Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ
  * Support the latest Windows webauthn.h API (included in Windows 11).
  * Add product name and serial number to HidDescriptors.
  * Remove the need for the uhid-freebsd dependency on FreeBSD.

- Update to version 0.9.1

  * Add new CTAP error codes and improve handling of unknown codes.
  * Client: API changes to better support extensions.
  * Client.make_credential now returns a AuthenticatorAttestationResponse,
    which holds the AttestationObject and ClientData, as well as any
    client extension results for the credential.
  * Client.get_assertion now returns an AssertionSelection object,
    which is used to select between multiple assertions
  * Renames: The CTAP1 and CTAP2 classes have been renamed to
    Ctap1 and Ctap2, respectively.
  * ClientPin: The ClientPin API has been restructured to support
    multiple PIN protocols, UV tokens, and token permissions.
  * CTAP 2.1 PRE: Several new features have been added for CTAP 2.1
  * HID: The platform specific HID code has been revamped

- Version 0.8.1 (released 2019-11-25)

  * Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.

- Version 0.8.0 (released 2019-11-25)

  * New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.
  * CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.
  * Fido2Client:

    - make_credential/get_assertion now take WebAuthn options objects.
    - timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.

  * Fido2Server:

    - ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
    - RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
    - Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
    - Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
    - Fido2Server.timeout is now in ms and of type int.

  * Support native WebAuthn API on Windows through WindowsClient.

- Version 0.7.2 (released 2019-10-24)

  * Support for the TPM attestation format.
  * Allow passing custom challenges to register/authenticate in Fido2Server.
  * Bugfix: CTAP2 CANCEL command response handling fixed.
  * Bugfix: Fido2Client fix handling of empty allow_list.
  * Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.

- Version 0.7.1 (released 2019-09-20)

  * Enforce canonical CBOR on Authenticator responses by default.
  * PCSC: Support extended APDUs.
  * Server: Verify that UP flag is set.
  * U2FFido2Server: Implement AppID exclusion extension.
  * U2FFido2Server: Allow custom U2F facet verification.
  * Bugfix: U2FFido2Server.authenticate_complete now returns the result.

- Version 0.7.0 (released 2019-06-17)

  * Add support for NFC devices using PCSC.
  * Add support for the hmac-secret Authenticator extension.
  * Honor max credential ID length and number of credentials to Authenticator.
  * Add close() method to CTAP devices to explicitly release their resources.

- Version 0.6.0 (released 2019-05-10)

  * Don't fail if CTAP2 Info contains unknown fields.
  * Replace cbor loads/dumps functions with encode/decode/decode_from.
  * Server: Add support for AuthenticatorAttachment.
  * Server: Add support for more key algorithms.
  * Client: Expose CTAP2 Info object as Fido2Client.info. 

Changes in yubikey-manager:

- Update to version 4.0.9 (released 2022-06-17)

  * Dependency: Add support for python-fido2 1.x
  * Fix: Drop stated support for Click 6 as features from 7 are being used.

- Update to version 4.0.8 (released 2022-01-31)

  * Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
  * Bugfix: Fix issue with displaying a Steam credential when it is the only account.
  * Bugfix: Prevent installation of files in site-packages root.
  * Bugfix: Fix cleanup logic in PIV for protected management key.
  * Add support for token identifier when programming slot-based HOTP.
  * Add support for programming NDEF in text mode.
  * Dependency: Add support for Cryptography ⇐ 38.

- version update to 4.0.7

  ** Bugfix release: Fix broken naming for 'YubiKey 4', and a small OATH issue with
      touch Steam credentials.

- version 4.0.6 (released 2021-09-08)

   ** Improve handling of YubiKey device reboots.
   ** More consistently mask PIN/password input in prompts.
   ** Support switching mode over CCID for YubiKey Edge.
   ** Run pkill from PATH instead of fixed location.

- version 4.0.5 (released 2021-07-16)

   ** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
   ** Bugfix: Fix argument short form for --period when adding TOTP credentials.
   ** Bugfix: More strict validation for some arguments, resulting in better error messages.
   ** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
   ** Bugfix: Fix prompting for access code in the otp settings command (now uses '-A -').

- Update to version 4.0.3

  * Add support for fido reset over NFC.
  * Bugfix: The --touch argument to piv change-management-key was
    ignored.
  * Bugfix: Don’t prompt for password when importing PIV key/cert
    if file is invalid.
  * Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
  * Bugfix: Detect PKCS#12 format when outer sequence uses
    indefinite length.
  * Dependency: Add support for Click 8.

- Update to version 4.0.2

  * Update device names
  * Add read_info output to the --diagnose command, and show
    exception types.
  * Bugfix: Fix read_info for YubiKey Plus.
  * Add support for YK5-based FIPS YubiKeys.
  * Bugfix: Fix OTP device enumeration on Win32.
  * Drop reliance on libusb and libykpersonalize.
  * Support the 'fido' and 'otp' subcommands over NFC
  * New 'ykman --diagnose' command to aid in troubleshooting.
  * New 'ykman apdu' command for sending raw APDUs over the smart
    card interface.
  * New 'yubikit' package added for custom development and advanced
    scripting.
  * OpenPGP: Add support for KDF enabled YubiKeys.
  * Static password: Add support for FR, IT, UK and BEPO keyboard
    layouts.

- Update to 3.1.1

  * Add support for YubiKey 5C NFC
  * OpenPGP: set-touch now performs compatibility checks before prompting for PIN
  * OpenPGP: Improve error messages and documentation for set-touch
  * PIV: read-object command no longer adds a trailing newline
  * CLI: Hint at missing permissions when opening a device fails
  * Linux: Improve error handling when pcscd is not running
  * Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
  * Bugfix: set-touch now accepts the cached-fixed option
  * Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
  * Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
  * Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate
  * Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception

- Version 3.1.0 (released 2019-08-20)

  * Add support for YubiKey 5Ci
  * OpenPGP: the info command now prints OpenPGP specification version as well
  * OpenPGP: Update support for attestation to match OpenPGP v3.4
  * PIV: Use UTC time for self-signed certificates
  * OTP: Static password now supports the Norman keyboard layout

- Version 3.0.0 (released 2019-06-24)

  * Add support for new YubiKey Preview and lightning form factor
  * FIDO: Support for credential management
  * OpenPGP: Support for OpenPGP attestation, cardholder certificates and
    cached touch policies
  * OTP: Add flag for using numeric keypad when sending digits 

- Version 2.1.1 (released 2019-05-28)

  * OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
  * Don’t automatically select the U2F applet on YubiKey NEO, it might be
    blocked by the OS
  * ChalResp: Always pad challenge correctly
  * Bugfix: Don’t crash with older versions of cryptography
  * Bugfix: Password was always prompted in OATH command, even if sent as
    argument

Changes in yubikey-manager-qt:

- update to 1.2.5:

  * Compatibility update for ykman 5.0.1.
  * Update to Python 3.11.
  * Update product images.

- Update to version 1.2.4 (released 2021-10-26)

  * Update device names and images.
  * PIV: Fix import of certificate.

- Update to version 1.2.3

  * Improved error handling when using Security Key Series devices.
  * PIV: Fix generation of certificate in slot 9c.

- Update to version 1.2.2

  * Fix detection of YubiKey Plus
  * Compatibility update for yubikey-manager 4.0
  * Bugfix: Device caching with multiple devices
  * Drop dependencies on libusb and libykpers.
  * Add additional product names and images

- update to 1.1.5

  * Add support for YubiKey 5C NFC

- Update to version 1.1.4

 * OTP: Add option to upload YubiOTP credential to YubiCloud
 * Linux: Show hint about pcscd service if opening device fails
 * Bugfix: Signal handling now compatible with Python 3.8

- Version 1.1.3 (released 2019-08-20)

  * Add suppport for YubiKey 5Ci
  * PIV: Use UTC time for self-signed certificates

- Version 1.1.2 (released 2019-06-24)

  * Add support for new YubiKey Preview
  * PIV: The popup for the management key now have a 'Use default' option
  * Windows: Fix issue with importing PIV certificates
  * Bugfix: generate static password now works correctly 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2814-1
Released:    Wed Jul 12 22:05:25 2023
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1185116,1202118
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.90:

* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

update to NSS 3.89.1

* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.

update to NSS 3.89

* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32

update to NSS 3.88.1

* improve handling of unknown PKCS#12 safe bag types

update to NSS 3.88

* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead

update to NSS 3.87

* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks

update to NSS 3.86

* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.

update to NSS 3.85

* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Use __STDC_VERSION__ rather than __STDC__ as a guard
* Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.

update to NSS 3.84

* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.

update to NSS 3.83

* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension
	with retry configs in EncryptedExtensions and if not
	accepting ECH. Changed config setting behavior to
	skip configs with unsupported mandatory extensions
	instead of failing
* Added ECH client support to BoGo shim. Changed
	CHInner creation to skip TLS 1.2 only extensions to
	comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1

update to NSS 3.82

* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

update to NSS 3.81

* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104

- raised NSPR requirement to 4.34.1

- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

update to NSS 3.80

* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
	by allocating it on initialization. Replaced
	redundant code with assert. Debug builds: Added
	buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.


The following package changes have been done:

- libfreebl3-3.90-150400.3.32.1 updated
- mozilla-nss-certs-3.90-150400.3.32.1 updated
- mozilla-nss-3.90-150400.3.32.1 updated
- libsoftokn3-3.90-150400.3.32.1 updated
- libhidapi-hidraw0-0.10.1-1.6 added
- libopenssl3-3.0.8-150500.5.3.1 added
- libfido2-1-1.13.0-150400.5.3.1 updated
- container:bci-openjdk-17-15.5.17-10.2 updated
- libfido2-udev-1.5.0-1.30 removed
- libfreebl3-hmac-3.79.4-150400.3.29.1 removed
- libsoftokn3-hmac-3.79.4-150400.3.29.1 removed


More information about the sle-security-updates mailing list