SUSE-CU-2023:2346-1: Security update of rancher/elemental-teal/5.3

sle-updates at lists.suse.com sle-updates at lists.suse.com
Thu Jul 20 07:02:39 UTC 2023


SUSE Container Update Advisory: rancher/elemental-teal/5.3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2346-1
Container Tags        : rancher/elemental-teal/5.3:1.1.5 , rancher/elemental-teal/5.3:1.1.5-4.5.9 , rancher/elemental-teal/5.3:latest
Container Release     : 4.5.9
Severity              : important
Type                  : security
References            : 1185116 1185116 1201627 1202118 1202118 1203141 1204478 1204563
                        1205811 1207410 1207534 1208581 1209601 1209681 1210164 1210593
                        1210640 1210702 1211230 1211231 1211232 1211233 1211272 1211430
                        1211795 1212260 1212623 1212662 CVE-2022-4304 CVE-2023-2650 CVE-2023-28319
                        CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-2953 
-----------------------------------------------------------------

The container rancher/elemental-teal/5.3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2224-1
Released:    Wed May 17 09:53:54 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1211230,1211231,1211232,1211233,CVE-2023-28319,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
This update for curl adds the following feature:

Update to version 8.0.1 (jsc#PED-2580)

- CVE-2023-28319: use-after-free in SSH sha256 fingerprint check (bsc#1211230).
- CVE-2023-28320: siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: POST-after-PUT confusion (bsc#1211233).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2240-1
Released:    Wed May 17 19:56:54 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1203141,1207410
This update for systemd fixes the following issues:

- udev-rules: fix nvme symlink creation on namespace changes (bsc#1207410)
- Optimize when hundred workers claim the same symlink with the same priority (bsc#1203141)
- Add nss-resolve and systemd-network to Packagehub-Subpackages (MSC-626)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2276-1
Released:    Wed May 24 07:54:42 2023
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1204563,1208581
This update for grub2 fixes the following issues:

- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563) 

- Fix PowerVS deployment fails to boot with 90 cores (bsc#1208581)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2279-1
Released:    Wed May 24 07:57:53 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1204478,1210640
This update for dracut fixes the following issues:

- Update to version 055+suse.342.g2e6dce8e:
  fips=1 and separate /boot break s390x (bsc#1204478):
  * fix(fips): move fips-boot script to pre-pivot
  * fix(fips): only unmount /boot if it was mounted by the fips module
  * feat(fips): add progress messages
  * fix(fips): do not blindly remove /boot
  * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2307-1
Released:    Mon May 29 10:29:49 2023
Summary:     Recommended update for kbd
Type:        recommended
Severity:    low
References:  1210702
This update for kbd fixes the following issue:

- Add 'ara' vc keymap, 'ara' is slightly better than 'arabic' as it matches the name of its X11 layout counterpart. (bsc#1210702)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2317-1
Released:    Tue May 30 14:01:22 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1210164
This update for util-linux fixes the following issue:

- Add upstream patch to prevent possible performance degradation of libuuid (bsc#1210164)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2333-1
Released:    Wed May 31 09:01:28 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1210593
This update for zlib fixes the following issue:

- Fix function calling order to avoid crashes (bsc#1210593)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2342-1
Released:    Thu Jun  1 11:34:20 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1211430,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2438-1
Released:    Wed Jun  7 07:33:01 2023
Summary:     Recommended update for kernel-firmware
Type:        recommended
Severity:    moderate
References:  1205811,1209601,1209681
This update for kernel-firmware fixes the following issues:

- Add firmware for QAT 4xxx (jsc#PED-3699, bsc#1209601)
- Add iwlwifi-*-72 ucode (bsc#1209681)
- Update constraints for 8GB (bsc#1205811)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2482-1
Released:    Mon Jun 12 07:19:53 2023
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1211272
This update for systemd-rpm-macros fixes the following issues:

- Adjust functions so they are disabled when called from a chroot (bsc#1211272)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2484-1
Released:    Mon Jun 12 08:49:58 2023
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1211795,CVE-2023-2953
This update for openldap2 fixes the following issues:

- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2648-1
Released:    Tue Jun 27 09:52:35 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,CVE-2022-4304
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect the testsuite (bsc#1201627).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2767-1
Released:    Mon Jul  3 21:22:32 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1212662
This update for dracut fixes the following issues:

- Update to version 055+suse.344.g3d5cd8fb
- Continue parsing if ldd prints 'cannot execute binary file' (bsc#1212662)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2788-1
Released:    Thu Jul  6 11:51:02 2023
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1185116,1202118
This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nspr was updated to version 4.35

* fixes for building with clang
* use the number of online processors for the
  PR_GetNumberOfProcessors() API on some platforms
* fix build on mips+musl libc
* Add support for the LoongArch 64-bit architecture

mozilla-nss was update to NSS 3.90:

* clang-format lib/freebl/stubs.c
* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

update to NSS 3.89.1

* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.

update to NSS 3.89

* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32

update to NSS 3.88.1

* improve handling of unknown PKCS#12 safe bag types

update to NSS 3.88

* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead

update to NSS 3.87

* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks

update to NSS 3.86

* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.

update to NSS 3.85

* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Mark _nss_version_c unused on clang-cl
* bmo#1795668 - Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.

update to NSS 3.84
* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.

update to NSS 3.83

* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension with retry configs
  in EncryptedExtensions and if not accepting ECH. Changed config setting
  behavior to skip configs with unsupported mandatory extensions instead
  of failing
* Added ECH client support to BoGo shim. Changed CHInner creation to
  skip TLS 1.2 only extensions to comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1

update to NSS 3.82

* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

update to NSS 3.81

* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104

- raised NSPR requirement to 4.34.1

- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

update to NSS 3.80

* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
	  by allocating it on initialization. Replaced
	  redundant code with assert. Debug builds: Added
	  buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2797-1
Released:    Fri Jul  7 16:32:57 2023
Summary:     Recommended update for elemental, elemental-cli, elemental-operator, elemental-post-build-extract-iso, k9s
Type:        recommended
Severity:    moderate
References:  
This update fixes the following issues:

elemental:
    
- Update version from 1.1.4 to 1.1.5:
  * Enable cloud-config from removable devices
  * Ensure names are unique for all stages
  * Do not compare versions from different repositories on upgrades
  * Include build-iso in OBS workflow
  * Add containerized ISO image
    
elemental-cli:
    
- Update version from 0.2.5 to 0.3.1:
  * Add multi-arch support for pulling images
  * Fix version command to proper show version and commit


elemental-operator:    

- Update version from 1.2.2 to 1.2.5:
  * operator: Copy cloud-config file instead of its link
  * Add channel hook-failed delete policy
  * Include display name field on ManagedOSVersions
  * Add ISO type in ManagedOSVersions
  * Include elemental-teal-channel by default on chart install
  * Add tests for containerized base ISO and utilitie


elemental-post-build-extract-iso:    
    
- Update ISO path to current containerized ISOs
- Adapt generation script to rancher/elemental-cli#404 so it makes use of the proper paths in after-install hooks.
- Add last project name element to image name.
- Create a timestamped image name.
    
k9s
    
- Update to version 0.27.4:
  * Allow customization of log indicator toggles closes
  * Fixed an issue when views use saved context view by switching.
  * Fix for missing job annotations created from CronJob.
  * Roles are rendered using same colorer function from skin
  * Convert command to lowercase in the command palette
  * Allowing a few hard coded colors to be configurable
  * Add support for renaming contexts.
  * Fix accessing nil map.
  * Add missing help menu to 'one_dark' skin

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2800-1
Released:    Mon Jul 10 07:35:22 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1212623
This update for openssl-1_1 fixes the following issues:

- Check the OCSP RESPONSE in openssl s_client command and terminate
  connection if a revoked certificate is found. [bsc#1212623]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2814-1
Released:    Wed Jul 12 22:05:25 2023
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1185116,1202118
This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to NSS 3.90:

* Add a constant time select function
* Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
* output early build errors by default
* Update the technical constraints for KamuSM
* Add BJCA Global Root CA1 and CA2 root certificates
* Enable default UBSan Checks
* Add explicit handling of zero length records
* Tidy up DTLS ACK Error Handling Path
* Refactor zero length record tests
* Fix compiler warning via correct assert
* run linux tests on nss-t/t-linux-xlarge-gcp
* In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator
* Fix reading raw negative numbers
* Repairing unreachable code in clang built with gyp
* Integrate Vale Curve25519
* Removing unused flags for Hacl*
* Adding a better error message
* Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* Fall back to the softokn when writing certificate trust
* FIPS-104-3 requires we restart post programmatically
* cmd/ecperf: fix dangling pointer warning on gcc 13
* Update ACVP dockerfile for compatibility with debian package changes
* Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files
* Removed deprecated sprintf function and replaced with snprintf
* fix rst warnings in nss doc
* Fix incorrect pygment style
* Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag

- Merge the libfreebl3-hmac and libsoftokn3-hmac packages into the respective libraries. (bsc#1185116)

update to NSS 3.89.1

* Update the technical constraints for KamuSM.
* Add BJCA Global Root CA1 and CA2 root certificates.

update to NSS 3.89

* revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* PR_STATIC_ASSERT is cursed
* Need to add policy control to keys lengths for signatures
* Fix unreachable code warning in fuzz builds
* Fix various compiler warnings in NSS
* Enable various compiler warnings for clang builds
* set PORT error after sftk_HMACCmp failure
* Need to add policy control to keys lengths for signatures
* remove data length assertion in sec_PKCS7Decrypt
* Make high tag number assertion failure an error
* CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384
* Tolerate certificate_authorities xtn in ClientHello
* Fix build failure on Windows
* migrate Win 2012 tasks to Azure
* fix title length in doc
* Add interop tests for HRR and PSK to GREASE suite
* Add presence/absence tests for TLS GREASE
* Correct addition of GREASE value to ALPN xtn
* CH extension permutation
* TLS GREASE (RFC8701)
* improve handling of unknown PKCS#12 safe bag types
* use a different treeherder symbol for each docker image build task
* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag
* build failure while implicitly casting SECStatus to PRUInt32

update to NSS 3.88.1

* improve handling of unknown PKCS#12 safe bag types

update to NSS 3.88

* remove nested table in rst doc
* Export NSS_CMSSignerInfo_GetDigestAlgTag.
* build failure while implicitly casting SECStatus to PRUInt32
* Add check for ClientHello SID max length
* Added EarlyData ALPN test support to BoGo shim
* ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup
* On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm
* ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test
* Added Bogo ECH rejection test support
* Added ECH 0Rtt support to BoGo shim
* RSA OAEP Wycheproof JSON
* RSA decrypt Wycheproof JSON
* ECDSA Wycheproof JSON
* ECDH Wycheproof JSON
* PKCS#1v1.5 wycheproof json
* Use X25519 wycheproof json
* Move scripts to python3
* Properly link FuzzingEngine for oss-fuzz.
* Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
* NSS needs to move off of DSA for integrity checks
* Add initial testing with ACVP vector sets using acvp-rust
* Don't clone libFuzzer, rely on clang instead

update to NSS 3.87

* NULL password encoding incorrect
* Fix rng stub signature for fuzzing builds
* Updating the compiler parsing for build
* Modification of supported compilers
* tstclnt crashes when accessing gnutls server without a user cert in the database.
* Add configuration option to enable source-based coverage sanitizer
* Update ECCKiila generated files.
* Add support for the LoongArch 64-bit architecture
* add checks for zero-length RSA modulus to avoid memory errors and failed assertions later
* Additional zero-length RSA modulus checks

update to NSS 3.86

* conscious language removal in NSS
* Set nssckbi version number to 2.60
* Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates
* Remove Staat der Nederlanden EV Root CA from NSS
* Remove EC-ACC root cert from NSS
* Remove SwissSign Platinum CA - G2 from NSS
* Remove Network Solutions Certificate Authority
* compress docker image artifact with zstd
* Migrate nss from AWS to GCP
* Enable static builds in the CI
* Removing SAW docker from the NSS build system
* Initialising variables in the rsa blinding code
* Implementation of the double-signing of the message for ECDSA
* Adding exponent blinding for RSA.

update to NSS 3.85

* Modification of the primes.c and dhe-params.c in order to have better looking tables
* Update zlib in NSS to 1.2.13
* Skip building modutil and shlibsign when building in Firefox
* Use __STDC_VERSION__ rather than __STDC__ as a guard
* Remove redundant variable definitions in lowhashtest
* Add note about python executable to build instructions.

update to NSS 3.84

* Bump minimum NSPR version to 4.35
* Add a flag to disable building libnssckbi.

update to NSS 3.83

* Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
* Set nssckbi version number to 2.58
* Add two SECOM root certificates to NSS
* Add two DigitalSign root certificates to NSS
* Remove Camerfirma Global Chambersign Root from NSS
* Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
* Removed skipping of ECH on equality of private and public server name
* Added comment and bug reference to ECHRandomHRRExtension bogo test
* Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
* Added check for server only sending ECH extension
	with retry configs in EncryptedExtensions and if not
	accepting ECH. Changed config setting behavior to
	skip configs with unsupported mandatory extensions
	instead of failing
* Added ECH client support to BoGo shim. Changed
	CHInner creation to skip TLS 1.2 only extensions to
	comply with BoGo
* Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
* Update BoGo tests to recent BoringSSL version
* Bump minimum NSPR version to 4.34.1

update to NSS 3.82

* check for null template in sec_asn1{d,e}_push_state
* QuickDER: Forbid NULL tags with non-zero length
* Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
* Cast the result of GetProcAddress
* pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

update to NSS 3.81

* Enable aarch64 hardware crypto support on OpenBSD
* make NSS_SecureMemcmp 0/1 valued
* Add no_application_protocol alert handler and test client error code is set
* Gracefully handle null nickname in CERT_GetCertNicknameWithValidity
* required for Firefox 104

- raised NSPR requirement to 4.34.1

- changing some Requires from (pre) to generic as (pre) is not sufficient (bsc#1202118)

update to NSS 3.80

* Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
* Add support for asynchronous client auth hooks.
* nss-policy-check: make unknown keyword check optional.
* GatherBuffer: Reduced plaintext buffer allocations
	by allocating it on initialization. Replaced
	redundant code with assert. Debug builds: Added
	buffer freeing/allocation for each record.
* Mark 3.79 as an ESR release.
* Bump nssckbi version number for June.
* Remove Hellenic Academic 2011 Root.
* Add E-Tugra Roots.
* Add Certainly Roots.
* Add DigitCert Roots.
* Protect SFTKSlot needLogin with slotLock.
* Compare signature and signatureAlgorithm fields in legacy certificate verifier.
* Uninitialized value in cert_VerifyCertChainOld.
* Unchecked return code in sec_DecodeSigAlg.
* Uninitialized value in cert_ComputeCertType.
* Avoid data race on primary password change.
* Replace ppc64 dcbzl intrinisic.
* Allow LDFLAGS override in makefile builds.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2827-1
Released:    Fri Jul 14 11:27:47 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  
This update for libxml2 fixes the following issues:

- Build also for modern python version (jsc#PED-68)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2855-1
Released:    Mon Jul 17 16:35:21 2023
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1212260
This update for openldap2 fixes the following issues:

- libldap2 crashes on ldap_sasl_bind_s (bsc#1212260)


The following package changes have been done:

- kbd-legacy-2.4.0-150400.5.6.1 updated
- libldap-data-2.4.46-150200.14.17.1 updated
- libuuid1-2.37.2-150400.8.17.1 updated
- libudev1-249.16-150400.8.28.3 updated
- libsmartcols1-2.37.2-150400.8.17.1 updated
- libcap2-2.63-150400.3.3.1 updated
- libblkid1-2.37.2-150400.8.17.1 updated
- libaudit1-3.0.6-150400.4.10.1 updated
- libfdisk1-2.37.2-150400.8.17.1 updated
- mozilla-nspr-4.35-150000.3.29.1 updated
- libz1-1.2.11-150000.3.45.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.10.1 updated
- libstdc++6-12.3.0+git1204-150000.1.10.1 updated
- mozilla-nss-certs-3.90-150400.3.32.1 updated
- libxml2-2-2.9.14-150400.5.19.1 updated
- libsystemd0-249.16-150400.8.28.3 updated
- libfreebl3-3.90-150400.3.32.1 updated
- libmount1-2.37.2-150400.8.17.1 updated
- mozilla-nss-3.90-150400.3.32.1 updated
- libsoftokn3-3.90-150400.3.32.1 updated
- elemental-dracut-config-0.10.7-150400.3.3.1 updated
- elemental-grub-config-0.10.7-150400.3.3.1 updated
- elemental-immutable-rootfs-0.10.7-150400.3.3.1 updated
- elemental-register-1.2.5-150400.3.3.1 updated
- elemental-support-1.2.5-150400.3.3.1 updated
- elemental-updater-1.1.5-150400.3.3.1 updated
- systemd-rpm-macros-13-150000.7.33.1 updated
- grub2-2.06-150400.11.33.1 updated
- grub2-i386-pc-2.06-150400.11.33.1 updated
- libopenssl1_1-1.1.1l-150400.7.45.1 updated
- libldap-2_4-2-2.4.46-150200.14.17.1 updated
- libcurl4-8.0.1-150400.5.23.1 updated
- kbd-2.4.0-150400.5.6.1 updated
- systemd-249.16-150400.8.28.3 updated
- util-linux-2.37.2-150400.8.17.1 updated
- udev-249.16-150400.8.28.3 updated
- util-linux-systemd-2.37.2-150400.8.17.1 updated
- systemd-sysvinit-249.16-150400.8.28.3 updated
- dracut-055+suse.344.g3d5cd8fb-150400.3.25.1 updated
- kernel-firmware-usb-network-20220509-150400.4.16.1 updated
- kernel-firmware-realtek-20220509-150400.4.16.1 updated
- kernel-firmware-qlogic-20220509-150400.4.16.1 updated
- kernel-firmware-platform-20220509-150400.4.16.1 updated
- kernel-firmware-network-20220509-150400.4.16.1 updated
- kernel-firmware-mellanox-20220509-150400.4.16.1 updated
- kernel-firmware-mediatek-20220509-150400.4.16.1 updated
- kernel-firmware-marvell-20220509-150400.4.16.1 updated
- kernel-firmware-liquidio-20220509-150400.4.16.1 updated
- kernel-firmware-iwlwifi-20220509-150400.4.16.1 updated
- kernel-firmware-intel-20220509-150400.4.16.1 updated
- kernel-firmware-i915-20220509-150400.4.16.1 updated
- kernel-firmware-chelsio-20220509-150400.4.16.1 updated
- kernel-firmware-bnx2-20220509-150400.4.16.1 updated
- elemental-cli-0.3.1-150400.3.3.1 updated
- elemental-init-setup-0.10.7-150400.3.3.1 updated
- elemental-init-services-0.10.7-150400.3.3.1 updated
- elemental-init-recovery-0.10.7-150400.3.3.1 updated
- elemental-init-network-0.10.7-150400.3.3.1 updated
- elemental-init-live-0.10.7-150400.3.3.1 updated
- elemental-init-boot-assessment-0.10.7-150400.3.3.1 updated
- elemental-init-config-0.10.7-150400.3.3.1 updated
- elemental-toolkit-0.10.7-150400.3.3.1 updated
- elemental-1.1.5-150400.3.3.1 updated
- k9s-0.27.4-150400.3.3.1 updated
- container:suse-sle-micro-rancher-5.3-latest-- added
- container:micro-for-rancher-image-5.3.0-7.2.150 removed


More information about the sle-updates mailing list