SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:162-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.15.13
Container Release     : 15.13
Severity              : important
Type                  : security
References            : 1050625 1165424 1169947 1170801 1172477 1172925 1173106 1173273
                        1173336 1173529 1174011 1174016 1174240 1174561 1174918 1175342
                        1175592 1177238 1177275 1177427 1177583 1178910 1178966 1179083
                        1179222 1179415 1179816 1179847 1179909 1180077 1180663 1180721
                        1181328 1181622 1182629 CVE-2017-9271 
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1938-1
Released:    Thu Jul 16 14:43:32 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1169947,1170801,1172925,1173106
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to:

- Enable zstd compression support for sle15

zypper was updated to version 1.14.37:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

libzypp was updated to 17.24.0:

- Fix core dump with corrupted history file (bsc#1170801)
- Enable zchunk metadata download if libsolv supports it.
- Better handling of the purge-kernels algorithm. (bsc#1173106)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1987-1
Released:    Tue Jul 21 17:02:15 2020
Summary:     Recommended update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings
Type:        recommended
Severity:    important
References:  1172477,1173336,1174011
This update for libsolv, libzypp, yast2-packager, yast2-pkg-bindings fixes the following issues:

libsolv:

- No source changes, just shipping it as an installer update (required by yast2-pkg-bindings).

libzypp:

- Proactively send credentials if the URL specifies '?auth=basic' and a username.
  (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

yast2-packager:

- Handle variable expansion in repository name. (bsc#1172477)
- Improve medium type detection, do not report Online medium when the /media.1/products
  file is missing in the repository, SMT does not mirror this file. (bsc#1173336)

yast2-pkg-bindings:

- Extensions to handle raw repository name. (bsc#1172477)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2819-1
Released:    Thu Oct  1 10:39:16 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released:    Wed Jan 13 10:13:24 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41

Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat
  symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory,
  incomplete cache confuses libzypp later (bsc#1179415)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released:    Tue Jan 19 16:18:46 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179816,1180077,1180663,1180721
This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629
This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1426-1
Released:    Thu Apr 29 06:23:13 2021
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  
This update for libsolv fixes the following issues:

- Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt.
- Fix a couple of memory leaks in error cases.
- Fix error handling in solv_xfopen_fd()
- Fixed 'regex' code on win32.
- Fixed memory leak in choice rule generation

SUSE: 2021:162-1 suse/sle15 Security Update

May 13, 2021
The container suse/sle15 was updated
