SUSE Container Update Advisory: suse/sles/15.2/virt-handler
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:232-1
Container Tags        : suse/sles/15.2/virt-handler:0.38.1 , suse/sles/15.2/virt-handler:0.38.1.5.8.45
Container Release     : 5.8.45
Severity              : important
Type                  : security
References            : 1005063 1027282 1029377 1029902 1040164 1042670 1069384 1070853
                        1078466 1079761 1081750 1082318 1083473 1083507 1084671 1086001
                        1088004 1088009 1088573 1094814 1094814 1098449 1104902 1105832
                        1107030 1107030 1109663 1109847 1112500 1112928 1115408 1118629
                        1120644 1120644 1122191 1122191 1123784 1125043 1128323 1128828
                        1129346 1129346 1130103 1130840 1130840 1131482 1133098 1133418
                        1133452 1133452 1137942 1138459 1138459 1139837 1141597 1141853
                        1141853 1142614 1144793 1146705 1149121 1149121 1149792 1149792
                        1149955 1149955 1149955 1151490 1151490 1153238 1153238 1153774
                        1154935 1155094 1159035 1159622 1161276 1161770 1161923 1162224
                        1162367 1162423 1162825 1162896 1165502 1165580 1165780 1165780
                        1165786 1165894 1165894 1167471 1168771 1169006 1171561 1171656
                        1171883 1172157 1172383 1172384 1172385 1172386 1172429 1172442
                        1172495 1172695 1172710 1173060 1173064 1173274 1173422 1173582
                        1173612 1174091 1174091 1174232 1174386 1174436 1174571 1174593
                        1174641 1174701 1174863 1174942 1175370 1175441 1175458 1175514
                        1175519 1175623 1176201 1176262 1176262 1176494 1176513 1176644
                        1176670 1176673 1176682 1176684 1176800 1177047 1177211 1177458
                        1177490 1177490 1177510 1177533 1177658 1177858 1178009 1178049
                        1178083 1178174 1178219 1178346 1178354 1178386 1178387 1178400
                        1178512 1178554 1178565 1178680 1178727 1178775 1178775 1178823
                        1178825 1178909 1178934 1179193 1179193 1179363 1179398 1179399
                        1179431 1179466 1179467 1179468 1179491 1179503 1179515 1179593
                        1179630 1179686 1179691 1179691 1179694 1179717 1179719 1179721
                        1179738 1179756 1179824 1180020 1180038 1180073 1180083 1180138
                        1180225 1180377 1180523 1180596 1180603 1180603 1180686 1180713
                        1180836 1180885 1181011 1181108 1181126 1181319 1181358 1181443
                        1181505 1181571 1181639 1181831 1181933 1182117 1182137 1182279
                        1182328 1182331 1182333 1182362 1182379 1182408 1182411 1182412
                        1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182425
                        1182577 1182791 1182899 1182959 1182968 1183012 1183064 1183094
                        1183370 1183371 1183374 1183456 1183457 1183749 1183791 1183796
                        1183797 1183852 1183933 1183934 1184064 1184136 1184358 1184401
                        1184435 1184614 1184687 1184690 1185163 1185190 1185408 1185408
                        1185409 1185409 1185410 1185410 1185438 1185562 1185698 1186114
                        637176 658604 673071 709442 743787 747125 751718 754447 754677
                        787526 809831 831629 834601 840054 871152 885662 885882 917607
                        942751 951166 955334 976199 983582 984751 985177 985348 989523
                        CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752
                        CVE-2013-4238 CVE-2014-2667 CVE-2014-4650 CVE-2016-0772 CVE-2016-1000110
                        CVE-2016-5636 CVE-2016-5699 CVE-2017-18207 CVE-2018-1000802 CVE-2018-1060
                        CVE-2018-1061 CVE-2018-14647 CVE-2018-15853 CVE-2018-15854 CVE-2018-15855
                        CVE-2018-15856 CVE-2018-15857 CVE-2018-15858 CVE-2018-15859 CVE-2018-15861
                        CVE-2018-15862 CVE-2018-15863 CVE-2018-15864 CVE-2018-20406 CVE-2018-20406
                        CVE-2018-20852 CVE-2018-20852 CVE-2019-10160 CVE-2019-10160 CVE-2019-15903
                        CVE-2019-16056 CVE-2019-16056 CVE-2019-16056 CVE-2019-16935 CVE-2019-16935
                        CVE-2019-16935 CVE-2019-17498 CVE-2019-18348 CVE-2019-20907 CVE-2019-20907
                        CVE-2019-20916 CVE-2019-20916 CVE-2019-25013 CVE-2019-3855 CVE-2019-3856
                        CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861
                        CVE-2019-3862 CVE-2019-3863 CVE-2019-5010 CVE-2019-5010 CVE-2019-5010
                        CVE-2019-9636 CVE-2019-9636 CVE-2019-9674 CVE-2019-9893 CVE-2019-9947
                        CVE-2019-9947 CVE-2020-10761 CVE-2020-11080 CVE-2020-11947 CVE-2020-12829
                        CVE-2020-13361 CVE-2020-13362 CVE-2020-13659 CVE-2020-13800 CVE-2020-14364
                        CVE-2020-14422 CVE-2020-14422 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092
                        CVE-2020-1971 CVE-2020-24352 CVE-2020-25084 CVE-2020-25624 CVE-2020-25625
                        CVE-2020-25692 CVE-2020-25709 CVE-2020-25710 CVE-2020-25723 CVE-2020-26116
                        CVE-2020-27616 CVE-2020-27617 CVE-2020-27618 CVE-2020-27619 CVE-2020-27821
                        CVE-2020-28196 CVE-2020-28916 CVE-2020-29129 CVE-2020-29130 CVE-2020-29443
                        CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223
                        CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228
                        CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285
                        CVE-2020-8286 CVE-2020-8492 CVE-2020-8492 CVE-2021-20181 CVE-2021-20203
                        CVE-2021-20221 CVE-2021-20231 CVE-2021-20232 CVE-2021-20257 CVE-2021-20305
                        CVE-2021-22876 CVE-2021-22890 CVE-2021-22898 CVE-2021-23336 CVE-2021-23840
                        CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218
                        CVE-2021-27219 CVE-2021-3177 CVE-2021-3326 CVE-2021-3416 CVE-2021-3426
                        CVE-2021-3449 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517
                        CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 PM-1350
                        SLE-9426 
-----------------------------------------------------------------

The container suse/sles/15.2/virt-handler was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released:    Mon Oct  8 10:31:14 2018
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1107030
This update for python3 fixes the following issues:

- Add -fwrapv to OPTS, which is default for python3 for bugs which 
  are caused by avoiding it. (bsc#1107030)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2485-1
Released:    Fri Oct 26 12:38:01 2018
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1112928
This update for kmod provides the following fixes:

- Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2620-1
Released:    Thu Nov  8 17:57:34 2018
Summary:     Security update for libxkbcommon
Type:        security
Severity:    low
References:  1105832,CVE-2018-15853,CVE-2018-15854,CVE-2018-15855,CVE-2018-15856,CVE-2018-15857,CVE-2018-15858,CVE-2018-15859,CVE-2018-15861,CVE-2018-15862,CVE-2018-15863,CVE-2018-15864
This update for libxkbcommon to version 0.8.2 fixes the following issues:

- Fix a few NULL-dereferences, out-of-bounds access and undefined behavior in
  the XKB text format parser.
- CVE-2018-15853: Endless recursion could have been used by local attackers to
  crash xkbcommon users by supplying a crafted keymap file that triggers boolean
  negation (bsc#1105832).
- CVE-2018-15854: Unchecked NULL pointer usage could have been used by local
  attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying
  a crafted keymap file, because geometry tokens were desupported incorrectly
  (bsc#1105832).
- CVE-2018-15855: Unchecked NULL pointer usage could have been used by local
  attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying
  a crafted keymap file, because the XkbFile for an xkb_geometry section was
  mishandled (bsc#1105832).
- CVE-2018-15856: An infinite loop when reaching EOL unexpectedly could be used
  by local attackers to cause a denial of service during parsing of crafted
  keymap files (bsc#1105832).
- CVE-2018-15857: An invalid free in ExprAppendMultiKeysymList could have been
  used by local attackers to crash xkbcommon keymap parsers or possibly have
  unspecified other impact by supplying a crafted keymap file (bsc#1105832).
- CVE-2018-15858: Unchecked NULL pointer usage when handling invalid aliases in
  CopyKeyAliasesToKeymap could have been used by local attackers to crash (NULL
  pointer dereference) the xkbcommon parser by supplying a crafted keymap file
  (bsc#1105832).
- CVE-2018-15859: Unchecked NULL pointer usage when parsing invalid atoms in
  ExprResolveLhs could have been used by local attackers to crash (NULL pointer
  dereference) the xkbcommon parser by supplying a crafted keymap file, because
  lookup failures are mishandled (bsc#1105832).
- CVE-2018-15861: Unchecked NULL pointer usage in ExprResolveLhs could have
  been used by local attackers to crash (NULL pointer dereference) the xkbcommon
  parser by supplying a crafted keymap file that triggers an xkb_intern_atom
  failure (bsc#1105832).
- CVE-2018-15862: Unchecked NULL pointer usage in LookupModMask could have been
  used by local attackers to crash (NULL pointer dereference) the xkbcommon
  parser by supplying a crafted keymap file with invalid virtual modifiers
  (bsc#1105832).
- CVE-2018-15863: Unchecked NULL pointer usage in ResolveStateAndPredicate
  could have been used by local attackers to crash (NULL pointer dereference) the
  xkbcommon parser by supplying a crafted keymap file with a no-op modmask
  expression (bsc#1105832).
- CVE-2018-15864: Unchecked NULL pointer usage in resolve_keysym could have
  been used by local attackers to crash (NULL pointer dereference) the xkbcommon
  parser by supplying a crafted keymap file, because a map access attempt can
  occur for a map that was never created (bsc#1105832).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:170-1
Released:    Fri Jan 25 13:43:29 2019
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1118629
This update for kmod fixes the following issues:

- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:215-1
Released:    Thu Jan 31 15:59:57 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1120644,1122191,CVE-2018-20406,CVE-2019-5010
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed a integer overflow via a large LONG_BINPUT (bsc#1120644)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:464-1
Released:    Fri Feb 22 09:43:52 2019
Summary:     Recommended update for xkeyboard-config
Type:        recommended
Severity:    moderate
References:  1123784
This update for xkeyboard-config fixes the following issues:

- Fixes missing mappings for evdev keys KEY_RFKILL and KEY_WWAN. (bsc#1123784)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:966-1
Released:    Wed Apr 17 12:20:13 2019
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1128323
This update for python-rpm-macros fixes the following issues:

The Python RPM macros were updated to version 20190408.32abece, fixing
bugs (bsc#1128323)

* Add missing $ expansion on the pytest call
* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory
  for the rpm macros.
* Fix an issue with epoch printing having too many \
* add epoch while printing 'Provides:'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released:    Wed Apr 17 14:43:26 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1129346,CVE-2019-9636
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1160-1
Released:    Mon May  6 14:24:31 2019
Summary:     Recommended update for sg3_utils
Type:        recommended
Severity:    moderate
References:  1005063,1069384,1131482,1133418,840054
This update for sg3_utils fixes the following issues:

- Update to version 1.44~763+19.1ed0757:
  * rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)
  * 40-usb-blacklist.rules: use ID_SCSI_INQUIRY (bsc#840054, bsc#1131482)
  * Changed versioning scheme (svn r763, pre-release of
    upstream 1.44, plus 16 SUSE patches, SUSE git commit b2fedfa)
  * 59-fc-wwpn-id.rules: fix rule syntax (bsc#1133418)
- Spec file: add fc_wwpn_id to generate by-path links for
  fibrechannel (bsc#1005063)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released:    Fri May 24 14:41:44 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1130840,1133452,CVE-2019-9947
This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:

- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).

Non-security issue fixed:

- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released:    Tue Aug  6 09:42:37 2019
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160
This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be send to the wrong server because of incorrect domain validation (bsc#1141853).

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released:    Wed Oct  2 10:49:20 2019
Summary:     Security update for libseccomp
Type:        security
Severity:    moderate
References:  1082318,1128828,1142614,CVE-2019-9893
This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly
  identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released:    Tue Oct 29 11:39:05 2019
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426
This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3018-1
Released:    Wed Nov 20 12:48:21 2019
Summary:     Recommended update for xkeyboard-config
Type:        recommended
Severity:    moderate
References:  1153774
This update for xkeyboard-config fixes the following issues:

- Fix capslock in Old Hungarian layout (bsc#1153774)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released:    Thu Jan 16 10:11:52 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released:    Thu Feb  6 13:03:56 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1161770
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released:    Tue Feb 25 12:00:39 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urrlib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894
This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2
  variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056
This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released:    Thu May 21 19:06:00 2020
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1171656
This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE
  backports.  In openSUSE acpid.service is *not* autostarted. I see no
  reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed.
  Instead spamassassin ships a 'sa-update.timer'. But it is not
  default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year
  ago, but snapd didn't even make it into openSUSE yet. There's no reason
  to keep this entry unless snapd actually enters SLE which is not
  foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released:    Wed May 27 18:32:41 2020
Summary:     Recommended update for python-rpm-macros
Type:        recommended
Severity:    moderate
References:  1171561
This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released:    Thu Jul  2 11:30:42 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1173274,CVE-2020-14422
This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface 
  could have led to denial of service (bsc#1173274).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released:    Tue Jul 21 17:58:58 2020
Summary:     Recommended update to SLES-releases
Type:        recommended
Severity:    important
References:  1173582
This update of SLES-release provides the following fix:
- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2015-1
Released:    Thu Jul 23 09:21:24 2020
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1172383,1172384,1172386,1172495,1172710,CVE-2020-10761,CVE-2020-13361,CVE-2020-13362,CVE-2020-13659,CVE-2020-13800
This update for qemu to version 4.2.1 fixes the following issues:

- CVE-2020-10761: Fixed a denial of service in Network Block Device (nbd) support infrastructure (bsc#1172710).
- CVE-2020-13800: Fixed a denial of service possibility in ati-vga emulation (bsc#1172495).
- CVE-2020-13659: Fixed a null pointer dereference possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172386).
- CVE-2020-13362: Fixed an OOB access possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172383).
- CVE-2020-13361: Fixed an OOB access possibility in ES1370 audio device emulation (bsc#1172384).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released:    Wed Aug 19 13:24:03 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1174091,CVE-2019-20907
This update for python3 fixes the following issues:

- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released:    Tue Sep 15 15:41:32 2020
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1165580
This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)

- Fix support of larger metadata areas in *LUKS2* header.

  This release properly supports all specified metadata areas, as documented
  in *LUKS2* format description.
  Currently, only default metadata area size is used (in format or convert).
  Later cryptsetup versions will allow increasing this metadata area size.

- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check
  if the requested *AEAD* algorithm with specified key size is available in kernel crypto API.
  This change avoids formatting a device that cannot be later activated.

  For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. 
  Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) 
  are already mandatory for LUKS2.

- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option.

- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.

- Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested 
  sector size. Previously it was possible, and the device was rejected to activate by kernel later.

- Fix checking of hash algorithms availability for *PBKDF* early. Previously *LUKS2* format allowed non-existent hash 
  algorithm with invalid keyslot preventing the device from activation.

- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used
  both for data encryption and keyslot encryption in *LUKS1/2* devices.

  For benchmark, use:
    
      # cryptsetup benchmark -c xchacha12,aes-adiantum
      # cryptsetup benchmark -c xchacha20,aes-adiantum

  For LUKS format:
  
      # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2877-1
Released:    Wed Oct  7 14:43:20 2020
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1174386,1174641,1174863,1175370,1175441,1176494,CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352
This update for qemu fixes the following issues:

- CVE-2020-14364: Fixed an OOB access while processing USB packets (bsc#1175441,bsc#1176494).
- CVE-2020-16092: Fixed a denial of service in packet processing of various emulated NICs (bsc#1174641).
- CVE-2020-15863: Fixed a buffer overflow in the XGMAC device (bsc#1174386).
- CVE-2020-24352: Fixed an out-of-bounds read/write in ati-vga device emulation in ati_2d_blt (bsc#1175370).
- Allow to IPL secure guests with -no-reboot (bsc#1174863)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2890-1
Released:    Mon Oct 12 11:07:00 2020
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    important
References:  1125043,1139837,1161923,1165786,1172157,1172429,1173060,1173064,1176644,1176670
This update for multipath-tools fixes the following issues:

- Fixed an issue where mapping two WWID's to the same multipath led to a data corruption (bsc#1172429)
- Improved logging of some failure cases (bsc#1173060, bsc#1173064)
- Limited the PRIN allocation length to 8192 bytes (bsc#1165786)
- Added '-e' option to enable foreign libraries (bsc#1139837)
- Fixed an issue when handling synthetic uevents (bsc#1161923)
- Fix handling of hardware properties for maps without paths (bsc#1176644)
- Fixed an issue where all paths were dropped from a storage array (bsc#1125043)
- Fixed handling of incompletely initialized udev devices (bsc#1172157)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released:    Tue Nov  3 12:14:03 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1104902,1154935,1165502,1167471,1173422,1176513,1176800
This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when  NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471) 
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released:    Wed Nov 11 12:25:32 2020
Summary:     Recommended update for findutils
Type:        recommended
Severity:    moderate
References:  1174232
This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released:    Thu Nov 12 16:07:37 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1178387,CVE-2020-25692
This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released:    Thu Nov 19 09:29:32 2020
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1178512,CVE-2020-28196
This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released:    Thu Nov 19 10:53:38 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1177458,1177490,1177510
This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and
  {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package 
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3420-1
Released:    Thu Nov 19 13:40:55 2020
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    moderate
References:  1162896,1178354
This update for multipath-tools fixes the following issues:

- Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896)
- Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released:    Fri Nov 20 13:14:35 2020
Summary:     Recommended update for pam and sudo
Type:        recommended
Severity:    moderate
References:  1174593,1177858,1178727
This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3551-1
Released:    Fri Nov 27 14:54:37 2020
Summary:     Security update for libssh2_org
Type:        security
Severity:    moderate
References:  1130103,1178083,CVE-2019-17498,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863
This update for libssh2_org fixes the following issues:

- Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922]
   Enhancements and bugfixes:
    * adds ECDSA keys and host key support when using OpenSSL
    * adds ED25519 key and host key support when using OpenSSL 1.1.1
    * adds OpenSSH style key file reading
    * adds AES CTR mode support when using WinCNG
    * adds PEM passphrase protected file support for Libgcrypt and WinCNG
    * adds SHA256 hostkey fingerprint
    * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path()
    * adds explicit zeroing of sensitive data in memory
    * adds additional bounds checks to network buffer reads
    * adds the ability to use the server default permissions when creating sftp directories
    * adds support for building with OpenSSL no engine flag
    * adds support for building with LibreSSL
    * increased sftp packet size to 256k
    * fixed oversized packet handling in sftp
    * fixed building with OpenSSL 1.1
    * fixed a possible crash if sftp stat gets an unexpected response
    * fixed incorrect parsing of the KEX preference string value
    * fixed conditional RSA and AES-CTR support
    * fixed a small memory leak during the key exchange process
    * fixed a possible memory leak of the ssh banner string
    * fixed various small memory leaks in the backends
    * fixed possible out of bounds read when parsing public keys from the server
    * fixed possible out of bounds read when parsing invalid PEM files
    * no longer null terminates the scp remote exec command
    * now handle errors when diffie hellman key pair generation fails
    * improved building instructions
    * improved unit tests

- Version update to 1.8.2: [bsc#1130103]
   Bug fixes:
    * Fixed the misapplied userauth patch that broke 1.8.1
    * moved the MAX size declarations from the public header
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3593-1
Released:    Wed Dec  2 10:33:49 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1176262,1179193,CVE-2019-20916
This update for python3 fixes the following issues:

Update to 3.6.12 (bsc#1179193), including:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released:    Thu Dec  3 17:03:55 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of of the user's name of at least `` characters length in 
  some form. This is enabled by the new parameter `usersubstr=`

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released:    Fri Dec  4 13:51:46 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1179515
This update for audit fixes the following issues:

- Enable Aarch64 processor support. (bsc#1179515) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released:    Mon Dec  7 20:17:32 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1179431
This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec  9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:
	  
- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec  9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
  
  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released:    Tue Dec 15 13:46:05 2020
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1178346
This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issue:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released:    Wed Dec 23 18:19:39 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:

- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support
  calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12
  (jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface 
  incorrectly generated constant hash values of 32 and 128 respectively. This 
  resulted in always causing hash collisions. The fix uses hash() to generate 
  hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in 
  http.client.putrequest(…).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now 
  UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile 
  module

- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11:

- Disallow CR or LF in email.headerregistry. Address
  arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing
  CVE-2019-18348. Such potentially malicious header injection URLs now
  cause a InvalidURL to be raised. (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class
  of the urllib.request module uses an inefficient regular
  expression which can be exploited by an attacker to cause
  a denial of service. Fix the regex to prevent the
  catastrophic backtracking. Vulnerability reported by Ben
  Caller and Matt Schwager.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later,
  adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
* key/unique/keyref schema attributes currently use quadratic loops
  to check their various constraints (that keys are unique and that
  keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3946-1
Released:    Tue Dec 29 17:39:54 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    important
References:  1180377
This update for python3 fixes the following issues:

- A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3,
  which caused regressions in several applications. (bsc#1180377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:6-1
Released:    Mon Jan  4 07:05:06 2021
Summary:     Recommended update for libdlm
Type:        recommended
Severity:    moderate
References:  1098449,1144793,1168771,1177533,1177658
This update for libdlm fixes the following issues:

- Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449)
- Add support for type 'uint64_t' to corosync ringid. (bsc#1168771)
- Include some fixes/enhancements for dlm_controld. (bsc#1144793)
- Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:152-1
Released:    Fri Jan 15 17:04:47 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1179691,1179738
This update for lvm2 fixes the following issues:

- Fix for lvm2 to use udev as external device by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released:    Wed Jan 20 07:55:23 2021
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1172695
This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released:    Fri Jan 22 15:17:42 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883,CVE-2020-8025
This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries
         (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between
  StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb  1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998))
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released:    Tue Feb  2 09:43:08 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1181319
This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb  3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released:    Thu Feb  4 13:18:35 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a
  regression (bsc#1179691).

  If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb  8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:  
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:521-1
Released:    Fri Feb 19 11:00:33 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1178049,1178565,1179717,1179719,1180523,1181639,1181933,1182137,CVE-2020-11947,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221
This update for qemu fixes the following issues:

- Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fixed out-of-bound access in iscsi (CVE-2020-11947 bsc#1180523)
- Fixed out-of-bound access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fixed out-of-bound access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
- Fixed vfio-pci device on s390 enters error state (bsc#1179717 bsc#1179719)
- Fixed 'Failed to try-restart [email protected]' error while updating the
  qemu-guest-agent. (bsc#1178565)
- Apply fixes to qemu scsi passthrough with respect to timeout and
  error conditions, including using more correct status codes. Add
  more qemu tracing which helped track down these issues
  (bsc#1178049)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar  8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
    in the issuerAndThisUpdateCheck function via a crafted packet,
    resulting in a denial of service (daemon exit) via a short timestamp.
    This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar  9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if
  the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) 
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released:    Tue Mar 23 13:20:24 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1083473,1112500,1115408,1165780,1183012
This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer` 
- Avoid needless refresh on boot. (bsc#1165780)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released:    Wed Mar 24 12:09:23 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080
This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released:    Wed Mar 24 12:19:10 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released:    Wed Mar 24 14:30:58 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1182379,CVE-2021-23336
This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released:    Thu Mar 25 16:11:48 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1183852,CVE-2021-3449
This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted
  renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation
  ClientHello omits the signature_algorithms extension but includes a
  signature_algorithms_cert extension, then a NULL pointer dereference will
  result, leading to a crash and a denial of service attack. OpenSSL TLS
  clients are not impacted by this issue. [bsc#1183852]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr  1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released:    Thu Apr  1 17:44:57 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1183933,1183934,CVE-2021-22876,CVE-2021-22890
This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1018-1
Released:    Tue Apr  6 14:29:13 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1180713
This update for gzip fixes the following issues:

- Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1206-1
Released:    Thu Apr 15 15:15:09 2021
Summary:     Recommended update for kubevirt
Type:        recommended
Severity:    moderate
References:  1183749
This update for kubevirt fixes the following issues:

- updated kubevirt to version 0.38.1
  
  This update for provides a lot of bug fixes and smaller changes. Please refer to this
  package's rpm changelog to get a full list of all changes.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1235-1
Released:    Fri Apr 16 08:12:09 2021
Summary:     Recommended update for numactl
Type:        recommended
Severity:    moderate
References:  1133098,1181571,1183796,955334,976199
This update for numactl fixes the following issues:

- Enabled LTO (bsc#1133098)
- Dropped the dependency from perl - it was no longer in use
- Included sys/sysmacros.h to fix an issue when building this package from source (bsc#1181571, bsc#1183796)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1243-1
Released:    Fri Apr 16 14:45:04 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1172385,1173612,1176673,1176682,1176684,1178174,1178400,1178934,1179466,1179467,1179468,1179686,1181108,1182425,1182577,1182968,1184064,CVE-2020-12829,CVE-2020-15469,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-27616,CVE-2020-27617,CVE-2020-27821,CVE-2020-28916,CVE-2020-29129,CVE-2020-29130,CVE-2020-29443,CVE-2021-20257,CVE-2021-3416
This update for qemu fixes the following issues:

- CVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385)
- CVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934)
- CVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673)
- CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684)
- CVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682)
- CVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174)
- CVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468)
- CVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108)
- CVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686)
- CVE-2020-15469: Fix null pointer deref. (DoS) in mmio ops (bsc#1173612)
- CVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577)
- CVE-2021-3416:  Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968)
- CVE-2021-3416:  Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968)
- CVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400)
- CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Add split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064)
- Added a few more usability improvements for our git packaging workflow

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1286-1
Released:    Tue Apr 20 20:10:21 2021
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1180836
This recommended update for SLES-release provides the following fix:

- Revert the problematic changes previously released and make sure the version is high
  enough to obsolete the package on containers and images. (bsc#1180836)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1289-1
Released:    Wed Apr 21 14:02:46 2021
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:  1177047
This update for gzip fixes the following issues:

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released:    Wed Apr 21 14:08:19 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1184136
This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791
This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219
This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot
  be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690
This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305
This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released:    Fri Apr 30 08:08:25 2021
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1165780
This update for systemd-presets-branding-SLE fixes the following issues:

- Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1466-1
Released:    Tue May  4 08:30:57 2021
Summary:     Security update for permissions
Type:        security
Severity:    important
References:  1182899
This update for permissions fixes the following issues:

- etc/permissions: remove unnecessary entries (bsc#1182899)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1481-1
Released:    Tue May  4 14:18:32 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1178680
This update for lvm2 fixes the following issues:

- Add metadata-based autoactivation property for volume group and logical volume. (bsc#1178680)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May  5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May  6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064
This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file
  that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1528-1
Released:    Thu May  6 15:31:23 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1161276
This update for openssl-1_1 fixes the following issues:

- Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May  7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435
This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the
  product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released:    Tue May 11 09:50:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1183374,CVE-2021-3426
This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163
This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1582-1
Released:    Wed May 12 13:40:03 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1184687,1185190
This update for lvm2 fixes the following issues:

- Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190)
- Fixed and issue when LVM can't be disabled on boot. (bsc#1184687)
- Update patch for avoiding apply warning messages. (bsc#1012973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1589-1
Released:    Wed May 12 13:45:15 2021
Summary:     Recommended update for numactl
Type:        recommended
Severity:    low
References:  
This update for numactl fixes the following issues:

- Added bug fixes to enable support for 32 bit systems (jsc#SLE-17217) 

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797
This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562
This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
  an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520
This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released:    Wed May 26 12:30:01 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1186114,CVE-2021-22898
This update for curl fixes the following issues:

- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated
    as trust-anchors, in the same way as self-signed root CA
    certificates are. This allows users to verify servers using
    the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released:    Wed May 26 17:22:21 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:  
This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception
  has been raised in order to avoid ResourceWarnings when the
  failing import is part of a try...except block.