References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624
1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074
1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997
1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651
This update for zypper fixes the following issues:
zypper was upgraded to 1.14.44:
- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
libzypp was upgraded from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
This update for python-py fixes the following issues:
- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
This update for libzypp, zypper fixes the following issues:
libzypp was updated to 17.26.0:
- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
Repositories signed with a trusted gpg key may import additional
package signing keys. This is needed if different keys were used
to sign the the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
zypp lock (bsc#1184399)
Helps boot time services like 'zypper purge-kernels' to wait for
the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
Leap 15.3 introduces a new kernel package called
kernel-flavour-extra, which contain kmp's. Currently kmp's are
detected by name '.*-kmp(-.*)?' but this does not work which
those new packages. This patch fixes the problem by checking
packages for kmod(*) and ksym(*) provides and only falls back to
name checking if the package in question does not provide one of
- Introduce zypp-runpurge, a tool to run purge-kernels on
zypper was updated to 1.14.45:
- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)
This update for openssh fixes the following issues:
- Further attempts to mitigate instances of secrets lingering in memory
after a session exits to meet key zeroization requirements. (bsc#1186673)
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)
This update for nfs-utils fixes the following issues:
- Ensured thread safety when opening files over NFS to prevent a
use-after-free issue (bsc#1183194)
This update for gzip fixes the following issue:
- gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
This update for nghttp2 fixes the following issue:
- The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead
to migration issues. (bsc#1186642)
This update for gpg2 fixes the following issues:
- Fixed an issue where the gpg-agent's ssh-agent does not handle flags
in signing requests properly (bsc#1161268 and bsc#1172308).
This update for ceph and ceph-csi fixes the following issues:
- updated ceph to upstream version 15.2.13:
* mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526)
The whole upstream changelog can be found here:
- CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When
the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys,
allowing key reuse. An attacker who can request a global_id can exploit the ability of any
user to request a global_id previously associated with another user, as ceph does not force
the reuse of old keys to generate new ones. The highest threat from this vulnerability is to
data confidentiality and integrity as well as system availability (bsc#1183074)