SUSE Container Update Advisory: caasp/v4/k8s-sidecar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2022:81-1
Container Tags        : caasp/v4/k8s-sidecar:0.1.75 , caasp/v4/k8s-sidecar:0.1.75-rev1 , caasp/v4/k8s-sidecar:0.1.75-rev1-build1.5.322
Container Release     : 1.5.322
Severity              : critical
Type                  : security
References            : 1002895 1010996 1011548 1027496 1029961 1029961 1040589 1047218
                        1050625 1071152 1071390 1078466 1082318 1084671 1087982 1088358
                        1100369 1102408 1104902 1106014 1107105 1109160 1110435 1113013
                        1118367 1118368 1122417 1125671 1125689 1125886 1128220 1130873
                        1130873 1133297 1134353 1138666 1138715 1138746 1138793 1139459
                        1140565 1141597 1142733 1146182 1146184 1146705 1146991 1149792
                        1149911 1149955 1149995 1151708 1152590 1152692 1153687 1153943
                        1153946 1154393 1154661 1154803 1154803 1154871 1154935 1154935
                        1155094 1155271 1155327 1156159 1156205 1156300 1156913 1157051
                        1157315 1157818 1158336 1158499 1158812 1158830 1158958 1158959
                        1158960 1159003 1159314 1159491 1159715 1159847 1159850 1159928
                        1159989 1160158 1160309 1160438 1160439 1160933 1160979 1161168
                        1161198 1161203 1161239 1161262 1161268 1161335 1161517 1161521
                        1161816 1162108 1162152 1162581 1162698 1162930 1163569 1164538
                        1164543 1164543 1164717 1164719 1164950 1165011 1165281 1165424
                        1165439 1165476 1165476 1165502 1165534 1165539 1165573 1165573
                        1165579 1165894 1165894 1166106 1166260 1166481 1166510 1166610
                        1166610 1166748 1166848 1166881 1167122 1167122 1167163 1167223
                        1167471 1167471 1167631 1167674 1167732 1167898 1168076 1168235
                        1168345 1168364 1168389 1168699 1168835 1168990 1168990 1169006
                        1169357 1169488 1169512 1169569 1169944 1169947 1169947 1169992
                        1170175 1170527 1170667 1170713 1170771 1170801 1170801 1170964
                        1171145 1171173 1171224 1171224 1171313 1171422 1171740 1171762
                        1171863 1171864 1171866 1171872 1171878 1171883 1171962 1171998
                        1172021 1172072 1172085 1172091 1172115 1172135 1172135 1172195
                        1172234 1172236 1172240 1172295 1172308 1172348 1172389 1172461
                        1172505 1172506 1172695 1172698 1172704 1172798 1172824 1172846
                        1172925 1172925 1172958 1172973 1172974 1173027 1173106 1173227
                        1173229 1173273 1173274 1173307 1173311 1173422 1173422 1173529
                        1173539 1173641 1173972 1173983 1174011 1174016 1174079 1174091
                        1174091 1174154 1174232 1174240 1174436 1174504 1174514 1174551
                        1174561 1174571 1174593 1174673 1174701 1174736 1174753 1174817
                        1174918 1174918 1174918 1174942 1175109 1175168 1175230 1175289
                        1175342 1175443 1175448 1175449 1175458 1175514 1175519 1175568
                        1175592 1175623 1175811 1175830 1175831 1175847 1176086 1176092
                        1176123 1176179 1176181 1176192 1176192 1176201 1176262 1176262
                        1176262 1176389 1176410 1176435 1176435 1176513 1176625 1176671
                        1176674 1176712 1176712 1176740 1176740 1176784 1176785 1176800
                        1176902 1176902 1177120 1177120 1177143 1177211 1177238 1177238
                        1177238 1177275 1177427 1177458 1177479 1177490 1177490 1177510
                        1177583 1177858 1177864 1177976 1178009 1178168 1178219 1178236
                        1178346 1178376 1178386 1178387 1178512 1178554 1178561 1178577
                        1178624 1178675 1178727 1178775 1178775 1178823 1178825 1178909
                        1178910 1178966 1179083 1179193 1179193 1179222 1179363 1179398
                        1179399 1179431 1179491 1179503 1179593 1179630 1179694 1179721
                        1179756 1179805 1179816 1179824 1179847 1179909 1180020 1180038
                        1180064 1180073 1180077 1180083 1180125 1180138 1180225 1180377
                        1180596 1180603 1180603 1180603 1180663 1180686 1180721 1180851
                        1180885 1180995 1181011 1181126 1181328 1181443 1181505 1181622
                        1181831 1181874 1181976 1182016 1182053 1182117 1182279 1182328
                        1182331 1182333 1182362 1182372 1182379 1182408 1182411 1182412
                        1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182421
                        1182422 1182471 1182604 1182629 1182791 1182936 1183064 1183085
                        1183094 1183268 1183370 1183371 1183374 1183374 1183456 1183457
                        1183589 1183628 1183791 1183797 1183818 1183858 1183933 1184326
                        1184358 1184399 1184401 1184435 1184505 1184614 1184614 1184690
                        1184761 1184967 1184994 1184994 1184997 1184997 1185016 1185046
                        1185163 1185239 1185325 1185331 1185408 1185408 1185409 1185409
                        1185410 1185410 1185417 1185438 1185524 1185540 1185562 1185588
                        1185698 1185807 1185958 1186015 1186049 1186114 1186447 1186489
                        1186503 1186602 1186910 1187060 1187105 1187153 1187210 1187212
                        1187224 1187270 1187273 1187292 1187338 1187400 1187425 1187466
                        1187512 1187654 1187668 1187738 1187760 1187911 1187993 1188018
                        1188063 1188063 1188156 1188217 1188218 1188219 1188220 1188291
                        1188344 1188435 1188571 1188623 1188713 1188921 1189031 1189206
                        1189241 1189287 1189465 1189465 1189480 1189521 1189521 1189683
                        1189803 1189929 1189996 1190052 1190059 1190199 1190234 1190325
                        1190356 1190373 1190374 1190440 1190465 1190645 1190712 1190739
                        1190793 1190815 1190858 1190915 1190933 1190984 1191252 1191286
                        1191324 1191370 1191563 1191609 1191987 1192161 1192248 1192337
                        1192436 1192688 1192717 1192790 1193480 1193481 1193488 1193521
                        1194251 1194362 1194474 1194476 1194477 1194478 1194479 1194480
                        906079 928700 928701 935885 935885 954813 973042 CVE-2015-3414
                        CVE-2015-3415 CVE-2016-10228 CVE-2017-3136 CVE-2017-9271 CVE-2018-5741
                        CVE-2019-16056 CVE-2019-16935 CVE-2019-18218 CVE-2019-18348 CVE-2019-18802
                        CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646
                        CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926
                        CVE-2019-19956 CVE-2019-19956 CVE-2019-19959 CVE-2019-20218 CVE-2019-20388
                        CVE-2019-20838 CVE-2019-20907 CVE-2019-20907 CVE-2019-20916 CVE-2019-20916
                        CVE-2019-20916 CVE-2019-25013 CVE-2019-5010 CVE-2019-6477 CVE-2019-9511
                        CVE-2019-9513 CVE-2020-10543 CVE-2020-10878 CVE-2020-11078 CVE-2020-11501
                        CVE-2020-12049 CVE-2020-12243 CVE-2020-12723 CVE-2020-13434 CVE-2020-13435
                        CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-13757 CVE-2020-13777
                        CVE-2020-13844 CVE-2020-14155 CVE-2020-14343 CVE-2020-14422 CVE-2020-14422
                        CVE-2020-15358 CVE-2020-15719 CVE-2020-1712 CVE-2020-1730 CVE-2020-1747
                        CVE-2020-1752 CVE-2020-1971 CVE-2020-24370 CVE-2020-24371 CVE-2020-24659
                        CVE-2020-24977 CVE-2020-25219 CVE-2020-25659 CVE-2020-25692 CVE-2020-25709
                        CVE-2020-25710 CVE-2020-26116 CVE-2020-26137 CVE-2020-26137 CVE-2020-26154
                        CVE-2020-27618 CVE-2020-27619 CVE-2020-28196 CVE-2020-29361 CVE-2020-29562
                        CVE-2020-29573 CVE-2020-29651 CVE-2020-35512 CVE-2020-36221 CVE-2020-36222
                        CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
                        CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-7595 CVE-2020-8023
                        CVE-2020-8027 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
                        CVE-2020-8286 CVE-2020-8492 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618
                        CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623
                        CVE-2020-8624 CVE-2020-9327 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305
                        CVE-2021-21240 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923
                        CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23336
                        CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212
                        CVE-2021-27218 CVE-2021-27219 CVE-2021-3177 CVE-2021-3326 CVE-2021-33560
                        CVE-2021-33574 CVE-2021-33910 CVE-2021-33910 CVE-2021-3426 CVE-2021-3426
                        CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518
                        CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3580
                        CVE-2021-35942 CVE-2021-36222 CVE-2021-3712 CVE-2021-3712 CVE-2021-3733
                        CVE-2021-3737 CVE-2021-37600 CVE-2021-37750 CVE-2021-38185 CVE-2021-38185
                        CVE-2021-39537 CVE-2021-43618 CVE-2021-45960 CVE-2021-46143 CVE-2022-22822
                        CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
-----------------------------------------------------------------

The container caasp/v4/k8s-sidecar was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2454-1
Released:    Thu Oct 25 11:19:46 2018
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    moderate
References:  1110435
This update for python-pyOpenSSL fixes the following issues:

- Handle duplicate certificate addition using X509_STORE_add_cert so
  it works after upgrading to openssl 1.1.1. (bsc#1110435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2647-1
Released:    Fri Oct 11 17:12:06 2019
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    moderate
References:  1149792
This update for python-pyOpenSSL fixes the following issues:

- Adds compatibility for openSSL 1.1.1d (bsc#1149792)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:36-1
Released:    Wed Jan  8 10:26:46 2020
Summary:     Recommended update for python-pyOpenSSL
Type:        recommended
Severity:    low
References:  1159989

This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released:    Thu Mar 19 13:23:03 2020
Summary:     Security update for nghttp2
Type:        security
Severity:    moderate
References:  1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513
This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and
cilium-proxy (bsc#1166481)

  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between
    backends
  * nghttpx: Reconnect h1 backend if it lost connection before
    sending headers
  * nghttpx: Returns 408 if backend timed out before sending
    headers
  * nghttpx: Fix request stal

- Conditionally remove dependecy on jemalloc for SLE-12 
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

* This release fixes CVE-2019-9511 “Data Dribble” and CVE-2019-9513
  “Resource Loop” vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2
  frames cause Denial of Service by consuming CPU time. Check out
  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  for details. For nghttpx, additionally limiting inbound traffic by
  --read-rate and --read-burst options is quite effective against
  this kind of attack.

* Add nghttp2_option_set_max_outbound_ack API function
* nghttpx: Fix request stall

Update to version 1.39.1:

* This release fixes the bug that log-level is not set with
  cmd-line or configuration file. It also fixes FPE with default
  backend.

Changes for version 1.39.0:

* libnghttp2 now ignores content-length in 200 response to
  CONNECT request as per RFC 7230.
* mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70.
* http-parser has been replaced with llhttp.
* nghttpx now ignores Content-Length and Transfer-Encoding in 1xx
  or 200 to CONNECT.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released:    Thu Mar 19 14:44:22 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1166106
This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released:    Tue Mar 24 18:07:52 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1165894
This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2
  variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released:    Wed Mar 25 15:16:00 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1139459,1161262,1162108,1164717,1165579,CVE-2020-1712
This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers


Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file which select the default IO scheduler for SSDs is
  being moved out from the git repo since this is not related to
  systemd or udev at all and is maintained by the kernel team.

- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released:    Mon Mar 30 16:23:40 2020
Summary:     Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type:        recommended
Severity:    moderate
References:  1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on:

	https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog
  (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added coninuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install
  just xmlsec1

- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5


boost was updated to fix:
- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released:    Tue Mar 31 13:02:22 2020
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed
  a local attacker to create a specially crafted path that, when processed 
  by the glob function, could potentially have led to arbitrary code execution
  (bsc#1167631).
 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released:    Tue Mar 31 17:21:34 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1167163
This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released:    Thu Apr  2 07:24:07 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]

  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially
    important for virtual machines to boot properly before the RNG
    is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released:    Fri Apr  3 15:02:25 2020
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released:    Wed Apr  8 07:44:21 2020
Summary:     Security update for gmp, gnutls, libnettle
Type:        security
Severity:    moderate
References:  1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are
  required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if
  input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released:    Wed Apr  8 12:59:50 2020
Summary:     Security update for python-PyYAML
Type:        security
Severity:    important
References:  1165439,CVE-2020-1747
This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released:    Wed Apr  8 13:34:06 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released:    Thu Apr  9 11:41:53 2020
Summary:     Security update for libssh
Type:        security
Severity:    moderate
References:  1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released:    Thu Apr  9 11:43:17 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1168364
This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released:    Mon Apr 13 15:43:44 2020
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1156300
This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library. (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released:    Fri Apr 17 16:14:43 2020
Summary:     Recommended update for libsolv
Type:        recommended
Severity:    moderate
References:  1159314
This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted pathes as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released:    Mon Apr 20 10:49:39 2020
Summary:     Recommended update for python-pytest
Type:        recommended
Severity:    low
References:  1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.

In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released:    Tue Apr 21 10:33:06 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1168835
This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released:    Wed Apr 22 10:46:50 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1165539,1169569
This update for libgcrypt fixes the following issues:

This update for libgcrypt fixes the following issues:
    
- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released:    Thu Apr 23 16:34:21 2020
Summary:     Recommended update for python-google-api-python-client
Type:        recommended
Severity:    moderate
References:  1088358,1160933
This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated
  oauth2client (bsc#1160933, jsc#ECO-1148) 

python-cachetools 2.0.1 is shipped to the Public Cloud Module.
python-google-auth 1.5.1 is shipped to the Public Cloud Module.


python-google-api-python-client was updated to:

- Upgrade to 1.7.4: just series of minor bugfixes

- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document. (#270)
- Fix some typos in test_urllib3.py (#268)
- Warn when using user credentials from the Cloud SDK (#266)
- Add compute engine-based IDTokenCredentials (#236)
- Corrected some typos (#265)

Update to 1.4.2:

- Raise a helpful exception when trying to refresh credentials without
  a refresh token. (#262)
- Fix links to README and CONTRIBUTING in docs/index.rst. (#260)
- Fix a typo in credentials.py. (#256)
- Use pytest instead of py.test per upstream recommendation,
  #dropthedot. (#255)
- Fix typo on exemple of jwt usage (#245)

New upstream release 1.4.1 (bsc#1088358)

- Added a check for the cryptography version before attempting to use it.

+ From version 1.4.0
  - Added `cryptography`-based RSA signer and verifier.
  - Added `google.oauth2.service_account.IDTokenCredentials`.
  - Improved documentation around ID Tokens
+ From version 1.3.0
  - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
  - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules``
    specify the right version.
  - ``default()`` now checks for the project ID environment var before
    warning about missing project ID.
  - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
  - Fixed example in docstring for ``ReadOnlyScoped``.
  - Made ``transport.requests`` use timeouts and retries
    to improve reliability.


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released:    Fri Apr 24 16:31:01 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1169992
This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released:    Tue May  5 08:33:43 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released:    Thu May  7 11:20:34 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1169944
This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released:    Thu May  7 17:10:42 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released:    Fri May  8 10:51:05 2020
Summary:     Recommended update for gcc9
Type:        recommended
Severity:    moderate
References:  1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts
  with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released:    Wed May 13 13:17:59 2020
Summary:     Recommended update for permissions
Type:        recommended
Severity:    important
References:  1171173
This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released:    Fri May 15 16:39:59 2020
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1171422
This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released:    Mon May 18 07:38:36 2020
Summary:     Security update for file
Type:        security
Severity:    moderate
References:  1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released:    Mon May 18 07:43:21 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released:    Mon May 18 17:16:04 2020
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1155271
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released:    Tue May 19 13:27:31 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1149955,1165894,CVE-2019-16056
This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released:    Thu May 21 09:31:18 2020
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1171872
This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released:    Mon May 25 14:09:02 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1162930
This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released:    Mon May 25 15:32:34 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1138793,1166260
This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements
  deflate algorithm in hardware with estimated compression and decompression performance
  orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
  The fix will avoid to test if the app was linked with exactly same version of zlib
  like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released:    Wed May 27 20:30:31 2020
Summary:     Recommended update for python-requests
Type:        recommended
Severity:    low
References:  1170175
This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released:    Fri May 29 17:22:11 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1087982,1170527
This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released:    Thu Jun  4 10:16:12 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1579-1
Released:    Tue Jun  9 17:05:23 2020
Summary:     Recommended update for audit
Type:        recommended
Severity:    important
References:  1156159,1172295
This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1584-1
Released:    Tue Jun  9 18:39:15 2020
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1172461,1172506,CVE-2020-13777
This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could 
  have made the TLS server to not bind the session ticket encryption key with a
  value supplied by the application until the initial key rotation, allowing
  an attacker to bypass authentication in TLS 1.3 and recover previous
  conversations in TLS 1.2 (bsc#1172506).
- Fixed an  improper handling of certificate chain with cross-signed intermediate
  CA certificates (bsc#1172461).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1611-1
Released:    Fri Jun 12 09:38:05 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- update translations
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)

zypper was updated to  version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1637-1
Released:    Wed Jun 17 15:07:58 2020
Summary:     Recommended update for zypper
Type:        recommended
Severity:    important
References:  1169947,1172925
This update for zypper fixes the following issues:

- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released:    Fri Jun 19 09:44:54 2020
Summary:     Security update for perl
Type:        security
Severity:    important
References:  1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have 
  allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of 
  instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a 
  compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1759-1
Released:    Thu Jun 25 18:44:37 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1169357
This update for krb5 fixes the following issue:

- Call systemd to reload the services instead of init-scripts. (bsc#1169357)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1760-1
Released:    Thu Jun 25 18:46:13 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1157315,1162698,1164538,1169488,1171145,1172072
This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15 
  units: starting suspend.target should not fail when suspend is successful (bsc#1172072)
  core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set
  mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)
  mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too
  udev: rename the persistent link for ATA devices (bsc#1164538)
  shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)
  tmpfiles: remove unnecessary assert (bsc#1171145)
  test-engine: manager_free() was called too early
  pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1773-1
Released:    Fri Jun 26 08:05:59 2020
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1173027,CVE-2020-8177
This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious 
  server to overwrite a local file when using the -J option (bsc#1173027).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released:    Thu Jul  2 11:30:42 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1173274,CVE-2020-14422
This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface 
  could have led to denial of service (bsc#1173274).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released:    Fri Jul  3 12:33:05 2020
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1856-1
Released:    Mon Jul  6 17:05:51 2020
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1172698,1172704,CVE-2020-8023
This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).	  
- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1860-1
Released:    Mon Jul  6 17:09:44 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883
This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883) 	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1869-1
Released:    Tue Jul  7 15:08:12 2020
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support
- Support blacklisted packages in solver_findproblemrule()
  (bnc#1172135)
- Support rules with multiple negative literals in choice rule
  generation
- Fix solvable swapping messing up idarrays
- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Get retracted patch status from updateinfo data (jsc#SLE-8770)
  libsolv injects the indicator provides into packages only.
- remove 'using namespace std;' (bsc#1166610, fixes #218)
- Online doc: add 'Hardware (modalias) dependencies' page
  (fixes #216)
- Add HistoryLogReader actionFilter to parse only specific
  HistoryActionIDs.
- RepoVariables: Add safe guard in case the caller does not own a
  zypp instance.
- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.
- Fix package status computation regarding unneeded, orphaned, recommended
  and suggested packages (broken in 17.23.0) (bsc#1165476)
- Log patch status changes to history (jsc#SLE-5116)
- Allow to disable all WebServer dependent tests when building. OBS
  wants to be able to get rid of the nginx/FastCGI-devel build
  requirement. Use 'rpmbuild --without mediabackend_tests' or
  'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.
- boost: Fix deprecated auto_unit_test.hpp includes.
- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.
- Fix decision whether to download ZCHUNK files.
  libzypp and libsolv must both be able to read the format.
- yum::Downloader: Prefer zchunk compressed metadata if libvsolv
  supports it.
- Selectable: Fix highestAvailableVersionObj if only retracted
  packages are available. Avoid using retracted items as candidate
  (jsc#SLE-8770)
- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)
- RpmDb: Close API offering a custom rpmdb path
  It's actually not needed and for this to work also libsolv needs
  to support it. You can sill use a librpmDb::db_const_iterator to
  access a database at a custom location (ro).
- Remove legacy rpmV3database conversion code.
- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings
  (bsc#1154803, bsc#1167122, bsc#1168990)
- Remove undocumented rug legacy stuff.
- Remove 'using namespace std;' (bsc#1166610)
- patch table: Add 'Since' column if history data are available
  (jsc#SLE-5116)
- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)
- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)
- Relax 'Do not allow the abbreviation of cli arguments' in
  legacy distibutions (bsc#1164543)
- Correctly detect ambigous switch abbreviations (bsc#1165573)
- zypper-aptitude: don't supplement zypper.
  supplementing zypper means zypper-aptitude gets installed by
  default and pulls in perl. Neither is desired on small systems.
- Do not allow the abbreviation of cli arguments (bsc#1164543)
- accoring to according in all translation files.
- Always show exception history if available.
- Use default package cache location for temporary repos (bsc#1130873)
- Print switch abbrev warning to stderr (bsc#1172925)
- Fix typo in man page (bsc#1169947)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2040-1
Released:    Fri Jul 24 13:58:53 2020
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1170801,1171224,1172135,1173106,1174011
This update for libsolv, libzypp fixes the following issues:

libsolv was updated to version 0.7.14:

- Enable zstd compression support for sle15
- Support blacklisted packages in solver_findproblemrule() (bsc#1172135)
- Support rules with multiple negative literals in choice rule
  generation

libzypp was updated to version 17.24.0:

- Enable zchunk metadata download if libsolv supports it.
- Older kernel-devel packages are not properly purged (bsc#1171224)
- doc: enhance service plugin example.
- Fix core dump with corrupted history file (bsc#1170801)
- Better handling of the purge-kernels algorithm. (bsc#1173106)
- Proactively send credentials if the URL specifes '?auth=basic' and a username.
  (bsc#1174011)
- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2083-1
Released:    Thu Jul 30 10:27:59 2020
Summary:     Recommended update for diffutils
Type:        recommended
Severity:    moderate
References:  1156913
This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2099-1
Released:    Fri Jul 31 08:06:40 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1173227,1173229,1173422
This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)

  The marker is used to make sure the script is run only once. Instead
  of storing it in /usr, use /var which is more appropriate for such
  file.
  Also make it owned by systemd package.

- Fix inconsistent file modes for some ghost files (bsc#1173227)

  Ghost files are assumed by rpm to have mode 000 by default which is
  not consistent with file permissions set at runtime.
  Also /var/lib/systemd/random-seed was tracked wrongly as a
  directory.

  Also don't track (ghost) /etc/systemd/system/runlevel*.target
  aliases since we're not supposed to track units or aliases user
  might define/override.

- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2224-1
Released:    Thu Aug 13 09:15:47 2020
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1171878,1172085
This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)
- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released:    Wed Aug 19 13:24:03 2020
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1174091,CVE-2019-20907
This update for python3 fixes the following issues:

- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2278-1
Released:    Wed Aug 19 21:26:08 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1149911,1151708,1168235,1168389
This update for util-linux fixes the following issues:

- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- mount: Fall back to device node name if /dev/mapper link not found. (bsc#1149911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2284-1
Released:    Thu Aug 20 16:04:17 2020
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1010996,1071152,1071390,1154871,1174673,973042
This update for ca-certificates-mozilla fixes the following issues:

update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

  * AddTrust External CA Root
  * AddTrust Class 1 CA Root
  * LuxTrust Global Root 2
  * Staat der Nederlanden Root CA - G2
  * Symantec Class 1 Public Primary Certification Authority - G4
  * Symantec Class 2 Public Primary Certification Authority - G4
  * VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

  * certSIGN Root CA G2
  * e-Szigno Root CA 2017
  * Microsoft ECC Root Certificate Authority 2017
  * Microsoft RSA Root Certificate Authority 2017

- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2384-1
Released:    Sat Aug 29 00:57:13 2020
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    low
References:  1170964
This update for e2fsprogs fixes the following issues:

- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2411-1
Released:    Tue Sep  1 13:28:47 2020
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1142733,1146991,1158336,1172195,1172824,1173539
This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by
  'Exec*='. (bsc#1172824, bsc#1142733)
  
  pid1: improve message when setting up namespace fails.
  
  execute: let's close glibc syslog channels too.
  
  execute: normalize logging in *execute.c*.
  
  execute: fix typo in error message.
  
  execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.
  
  execute: make use of the new logging mode in *execute.c*
  
  log: add a mode where we open the log fds for every single log message.
  
  log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.
  
  execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.
  
  execute: rework logging in *setup_keyring()* to include unit info.
  
  execute: improve and augment execution log messages.
  
- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)
- fix infinite timeout. (bsc#1158336)
- bpf: mount bpffs by default on boot. (bsc#1146991)
- man: explain precedence for options which take a list.
- man: unify titling, fix description of precedence in sysusers.d(5)
- udev-event: fix timeout log messages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2420-1
Released:    Tue Sep  1 13:48:35 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1174551,1174736
This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)
- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2446-1
Released:    Wed Sep  2 09:33:22 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1175109,CVE-2020-8231
This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's
  multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in
  rare circumstances experience that when subsequently using the
  setup connect-only transfer, libcurl will pick and use the wrong
  connection and instead pick another one the application has
  created since then. [bsc#1175109, CVE-2020-8231]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2581-1
Released:    Wed Sep  9 13:07:07 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1174154,CVE-2020-15719
This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509
  SAN's falling back to CN validation in violation of rfc6125.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2612-1
Released:    Fri Sep 11 11:18:01 2020
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1176179,CVE-2020-24977
This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2651-1
Released:    Wed Sep 16 14:42:55 2020
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1175811,1175830,1175831
This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)
- Enable hardware compression on s390/s390x (jsc#SLE-13776)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct  1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct  2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625
This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request.  Root and TLD servers are no longer exempt
  from max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
  Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a/the only member of the 'named' group
  has full r/w access yet cannot change directories owned by root
  in the case of a compromized named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. Leaving the option in genDDNSkey as to not break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2950-1
Released:    Fri Oct 16 15:49:51 2020
Summary:     Recommended update for python-aliyun-python-sdk, python-aliyun-python-sdk-aas, python-aliyun-python-sdk-acm, python-aliyun-python-sdk-acms-open, python-aliyun-python-sdk-actiontrail, python-aliyun-python-sdk-adb, python-aliyun-python-sdk-address-purification, python-aliyun-python-sdk-aegis, python-aliyun-python-sdk-afs, python-aliyun-python-sdk-airec, python-aliyun-python-sdk-alidns, python-aliyun-python-sdk-aligreen-console, python-aliyun-python-sdk-alimt, python-aliyun-python-sdk-alinlp, python-aliyun-python-sdk-aliyuncvc, python-aliyun-python-sdk-amqp-open, python-aliyun-python-sdk-appmallsservice, python-aliyun-python-sdk-arms, python-aliyun-python-sdk-arms4finance, python-aliyun-python-sdk-baas, python-aliyun-python-sdk-brinekingdom, python-aliyun-python-sdk-bss, python-aliyun-python-sdk-bssopenapi, python-aliyun-python-sdk-cams, python-aliyun-python-sdk-cas, python-aliyun-python-sdk-cassandra, python-aliyun-python-sdk-cbn, python-aliyun-python-sdk-ccc, python-aliyu
 n-python-sdk-ccs, python-aliyun-python-sdk-cdn, python-aliyun-python-sdk-chatbot, python-aliyun-python-sdk-clickhouse, python-aliyun-python-sdk-cloudapi, python-aliyun-python-sdk-cloudauth, python-aliyun-python-sdk-cloudesl, python-aliyun-python-sdk-cloudgame, python-aliyun-python-sdk-cloudmarketing, python-aliyun-python-sdk-cloudphoto, python-aliyun-python-sdk-cloudwf, python-aliyun-python-sdk-cms, python-aliyun-python-sdk-codeup, python-aliyun-python-sdk-companyreg, python-aliyun-python-sdk-core, python-aliyun-python-sdk-cr, python-aliyun-python-sdk-crm, python-aliyun-python-sdk-cs, python-aliyun-python-sdk-csb, python-aliyun-python-sdk-cspro, python-aliyun-python-sdk-cusanalytic_sc_online, python-aliyun-python-sdk-das, python-aliyun-python-sdk-dataworks-public, python-aliyun-python-sdk-dbfs, python-aliyun-python-sdk-dbs, python-aliyun-python-sdk-dcdn, python-aliyun-python-sdk-dds, python-aliyun-python-sdk-democenter, python-aliyun-python-sdk-devops-rdc, python-aliyun-python-sdk-d
 ms-enterprise, python-aliyun-python-sdk-domain, python-aliyun-python-sdk-domain-intl, python-aliyun-python-sdk-drds, python-aliyun-python-sdk-dts, python-aliyun-python-sdk-dybaseapi, python-aliyun-python-sdk-dyplsapi, python-aliyun-python-sdk-dypnsapi, python-aliyun-python-sdk-dysmsapi, python-aliyun-python-sdk-dyvmsapi, python-aliyun-python-sdk-eas, python-aliyun-python-sdk-eci, python-aliyun-python-sdk-ecs, python-aliyun-python-sdk-edas, python-aliyun-python-sdk-ehpc, python-aliyun-python-sdk-elasticsearch, python-aliyun-python-sdk-emr, python-aliyun-python-sdk-ens, python-aliyun-python-sdk-ess, python-aliyun-python-sdk-faas, python-aliyun-python-sdk-facebody, python-aliyun-python-sdk-fnf, python-aliyun-python-sdk-foas, python-aliyun-python-sdk-ft, python-aliyun-python-sdk-geoip, python-aliyun-python-sdk-goodstech, python-aliyun-python-sdk-gpdb, python-aliyun-python-sdk-green, python-aliyun-python-sdk-gts-phd, python-aliyun-python-sdk-hbase, python-aliyun-python-sdk-hbr, python-al
 iyun-python-sdk-highddos, python-aliyun-python-sdk-hiknoengine, python-aliyun-python-sdk-hivisengine, python-aliyun-python-sdk-hpc, python-aliyun-python-sdk-hsm, python-aliyun-python-sdk-httpdns, python-aliyun-python-sdk-imageaudit, python-aliyun-python-sdk-imageenhan, python-aliyun-python-sdk-imageprocess, python-aliyun-python-sdk-imagerecog, python-aliyun-python-sdk-imagesearch, python-aliyun-python-sdk-imageseg, python-aliyun-python-sdk-imgsearch, python-aliyun-python-sdk-imm, python-aliyun-python-sdk-industry-brain, python-aliyun-python-sdk-iot, python-aliyun-python-sdk-iqa, python-aliyun-python-sdk-ivision, python-aliyun-python-sdk-ivpd, python-aliyun-python-sdk-jaq, python-aliyun-python-sdk-jarvis, python-aliyun-python-sdk-jarvis-public, python-aliyun-python-sdk-kms, python-aliyun-python-sdk-ledgerdb, python-aliyun-python-sdk-linkedmall, python-aliyun-python-sdk-linkface, python-aliyun-python-sdk-linkwan, python-aliyun-python-sdk-live, python-aliyun-python-sdk-lubancloud, pyth
 on-aliyun-python-sdk-market, python-aliyun-python-sdk-mopen, python-aliyun-python-sdk-mts, python-aliyun-python-sdk-multimediaai, python-aliyun-python-sdk-nas, python-aliyun-python-sdk-netana, python-aliyun-python-sdk-nlp-automl, python-aliyun-python-sdk-nls-cloud-meta, python-aliyun-python-sdk-objectdet, python-aliyun-python-sdk-ocr, python-aliyun-python-sdk-ocs, python-aliyun-python-sdk-oms, python-aliyun-python-sdk-ons, python-aliyun-python-sdk-onsmqtt, python-aliyun-python-sdk-oos, python-aliyun-python-sdk-openanalytics, python-aliyun-python-sdk-openanalytics-open, python-aliyun-python-sdk-opensearch, python-aliyun-python-sdk-ossadmin, python-aliyun-python-sdk-ots, python-aliyun-python-sdk-outboundbot, python-aliyun-python-sdk-paistudio, python-aliyun-python-sdk-petadata, python-aliyun-python-sdk-polardb, python-aliyun-python-sdk-productcatalog, python-aliyun-python-sdk-pts, python-aliyun-python-sdk-push, python-aliyun-python-sdk-pvtz, python-aliyun-python-sdk-qualitycheck, pyth
 on-aliyun-python-sdk-quickbi-public, python-aliyun-python-sdk-r-kvstore, python-aliyun-python-sdk-ram, python-aliyun-python-sdk-rdc, python-aliyun-python-sdk-rds, python-aliyun-python-sdk-reid, python-aliyun-python-sdk-resourcemanager, python-aliyun-python-sdk-retailcloud, python-aliyun-python-sdk-risk, python-aliyun-python-sdk-ros, python-aliyun-python-sdk-rtc, python-aliyun-python-sdk-sae, python-aliyun-python-sdk-saf, python-aliyun-python-sdk-sas, python-aliyun-python-sdk-sas-api, python-aliyun-python-sdk-scdn, python-aliyun-python-sdk-schedulerx2, python-aliyun-python-sdk-sddp, python-aliyun-python-sdk-slb, python-aliyun-python-sdk-smartag, python-aliyun-python-sdk-smc, python-aliyun-python-sdk-snsuapi, python-aliyun-python-sdk-status, python-aliyun-python-sdk-sts, python-aliyun-python-sdk-tag, python-aliyun-python-sdk-tesladam, python-aliyun-python-sdk-teslamaxcompute, python-aliyun-python-sdk-teslastream, python-aliyun-python-sdk-trademark, python-aliyun-python-sdk-ubsms, pyth
 on-aliyun-python-sdk-uis, python-aliyun-python-sdk-unimkt, python-aliyun-python-sdk-vcs, python-aliyun-python-sdk-viapiutils, python-aliyun-python-sdk-videoenhan, python-aliyun-python-sdk-videorecog, python-aliyun-python-sdk-videosearch, python-aliyun-python-sdk-videoseg, python-aliyun-python-sdk-visionai, python-aliyun-python-sdk-visionai-poc, python-aliyun-python-sdk-vod, python-aliyun-python-sdk-voicenavigator, python-aliyun-python-sdk-vpc, python-aliyun-python-sdk-vs, python-aliyun-python-sdk-waf-openapi, python-aliyun-python-sdk-webplus, python-aliyun-python-sdk-welfare-inner, python-aliyun-python-sdk-workorder, python-aliyun-python-sdk-xspace, python-aliyun-python-sdk-xtrace, python-aliyun-python-sdk-yundun, python-aliyun-python-sdk-yundun-ds, python-pycryptodome
Type:        recommended
Severity:    moderate
References:  1175230
This update for python-aliyun-python-sdk, python-aliyun-python-sdk-aas, python-aliyun-python-sdk-acm, python-aliyun-python-sdk-acms-open, python-aliyun-python-sdk-actiontrail, python-aliyun-python-sdk-adb, python-aliyun-python-sdk-address-purification, python-aliyun-python-sdk-aegis, python-aliyun-python-sdk-afs, python-aliyun-python-sdk-airec, python-aliyun-python-sdk-alidns, python-aliyun-python-sdk-aligreen-console, python-aliyun-python-sdk-alimt, python-aliyun-python-sdk-alinlp, python-aliyun-python-sdk-aliyuncvc, python-aliyun-python-sdk-amqp-open, python-aliyun-python-sdk-appmallsservice, python-aliyun-python-sdk-arms, python-aliyun-python-sdk-arms4finance, python-aliyun-python-sdk-baas, python-aliyun-python-sdk-brinekingdom, python-aliyun-python-sdk-bss, python-aliyun-python-sdk-bssopenapi, python-aliyun-python-sdk-cams, python-aliyun-python-sdk-cas, python-aliyun-python-sdk-cassandra, python-aliyun-python-sdk-cbn, python-aliyun-python-sdk-ccc, python-aliyun-python-sdk-ccs, py
 thon-aliyun-python-sdk-cdn, python-aliyun-python-sdk-chatbot, python-aliyun-python-sdk-clickhouse, python-aliyun-python-sdk-cloudapi, python-aliyun-python-sdk-cloudauth, python-aliyun-python-sdk-cloudesl, python-aliyun-python-sdk-cloudgame, python-aliyun-python-sdk-cloudmarketing, python-aliyun-python-sdk-cloudphoto, python-aliyun-python-sdk-cloudwf, python-aliyun-python-sdk-cms, python-aliyun-python-sdk-codeup, python-aliyun-python-sdk-companyreg, python-aliyun-python-sdk-core, python-aliyun-python-sdk-cr, python-aliyun-python-sdk-crm, python-aliyun-python-sdk-cs, python-aliyun-python-sdk-csb, python-aliyun-python-sdk-cspro, python-aliyun-python-sdk-cusanalytic_sc_online, python-aliyun-python-sdk-das, python-aliyun-python-sdk-dataworks-public, python-aliyun-python-sdk-dbfs, python-aliyun-python-sdk-dbs, python-aliyun-python-sdk-dcdn, python-aliyun-python-sdk-dds, python-aliyun-python-sdk-democenter, python-aliyun-python-sdk-devops-rdc, python-aliyun-python-sdk-dms-enterprise, pytho
 n-aliyun-python-sdk-domain, python-aliyun-python-sdk-domain-intl, python-aliyun-python-sdk-drds, python-aliyun-python-sdk-dts, python-aliyun-python-sdk-dybaseapi, python-aliyun-python-sdk-dyplsapi, python-aliyun-python-sdk-dypnsapi, python-aliyun-python-sdk-dysmsapi, python-aliyun-python-sdk-dyvmsapi, python-aliyun-python-sdk-eas, python-aliyun-python-sdk-eci, python-aliyun-python-sdk-ecs, python-aliyun-python-sdk-edas, python-aliyun-python-sdk-ehpc, python-aliyun-python-sdk-elasticsearch, python-aliyun-python-sdk-emr, python-aliyun-python-sdk-ens, python-aliyun-python-sdk-ess, python-aliyun-python-sdk-faas, python-aliyun-python-sdk-facebody, python-aliyun-python-sdk-fnf, python-aliyun-python-sdk-foas, python-aliyun-python-sdk-ft, python-aliyun-python-sdk-geoip, python-aliyun-python-sdk-goodstech, python-aliyun-python-sdk-gpdb, python-aliyun-python-sdk-green, python-aliyun-python-sdk-gts-phd, python-aliyun-python-sdk-hbase, python-aliyun-python-sdk-hbr, python-aliyun-python-sdk-high
 ddos, python-aliyun-python-sdk-hiknoengine, python-aliyun-python-sdk-hivisengine, python-aliyun-python-sdk-hpc, python-aliyun-python-sdk-hsm, python-aliyun-python-sdk-httpdns, python-aliyun-python-sdk-imageaudit, python-aliyun-python-sdk-imageenhan, python-aliyun-python-sdk-imageprocess, python-aliyun-python-sdk-imagerecog, python-aliyun-python-sdk-imagesearch, python-aliyun-python-sdk-imageseg, python-aliyun-python-sdk-imgsearch, python-aliyun-python-sdk-imm, python-aliyun-python-sdk-industry-brain, python-aliyun-python-sdk-iot, python-aliyun-python-sdk-iqa, python-aliyun-python-sdk-ivision, python-aliyun-python-sdk-ivpd, python-aliyun-python-sdk-jaq, python-aliyun-python-sdk-jarvis, python-aliyun-python-sdk-jarvis-public, python-aliyun-python-sdk-kms, python-aliyun-python-sdk-ledgerdb, python-aliyun-python-sdk-linkedmall, python-aliyun-python-sdk-linkface, python-aliyun-python-sdk-linkwan, python-aliyun-python-sdk-live, python-aliyun-python-sdk-lubancloud, python-aliyun-python-sdk
 -market, python-aliyun-python-sdk-mopen, python-aliyun-python-sdk-mts, python-aliyun-python-sdk-multimediaai, python-aliyun-python-sdk-nas, python-aliyun-python-sdk-netana, python-aliyun-python-sdk-nlp-automl, python-aliyun-python-sdk-nls-cloud-meta, python-aliyun-python-sdk-objectdet, python-aliyun-python-sdk-ocr, python-aliyun-python-sdk-ocs, python-aliyun-python-sdk-oms, python-aliyun-python-sdk-ons, python-aliyun-python-sdk-onsmqtt, python-aliyun-python-sdk-oos, python-aliyun-python-sdk-openanalytics, python-aliyun-python-sdk-openanalytics-open, python-aliyun-python-sdk-opensearch, python-aliyun-python-sdk-ossadmin, python-aliyun-python-sdk-ots, python-aliyun-python-sdk-outboundbot, python-aliyun-python-sdk-paistudio, python-aliyun-python-sdk-petadata, python-aliyun-python-sdk-polardb, python-aliyun-python-sdk-productcatalog, python-aliyun-python-sdk-pts, python-aliyun-python-sdk-push, python-aliyun-python-sdk-pvtz, python-aliyun-python-sdk-qualitycheck, python-aliyun-python-sdk
 -quickbi-public, python-aliyun-python-sdk-r-kvstore, python-aliyun-python-sdk-ram, python-aliyun-python-sdk-rdc, python-aliyun-python-sdk-rds, python-aliyun-python-sdk-reid, python-aliyun-python-sdk-resourcemanager, python-aliyun-python-sdk-retailcloud, python-aliyun-python-sdk-risk, python-aliyun-python-sdk-ros, python-aliyun-python-sdk-rtc, python-aliyun-python-sdk-sae, python-aliyun-python-sdk-saf, python-aliyun-python-sdk-sas, python-aliyun-python-sdk-sas-api, python-aliyun-python-sdk-scdn, python-aliyun-python-sdk-schedulerx2, python-aliyun-python-sdk-sddp, python-aliyun-python-sdk-slb, python-aliyun-python-sdk-smartag, python-aliyun-python-sdk-smc, python-aliyun-python-sdk-snsuapi, python-aliyun-python-sdk-status, python-aliyun-python-sdk-sts, python-aliyun-python-sdk-tag, python-aliyun-python-sdk-tesladam, python-aliyun-python-sdk-teslamaxcompute, python-aliyun-python-sdk-teslastream, python-aliyun-python-sdk-trademark, python-aliyun-python-sdk-ubsms, python-aliyun-python-sdk
 -uis, python-aliyun-python-sdk-unimkt, python-aliyun-python-sdk-vcs, python-aliyun-python-sdk-viapiutils, python-aliyun-python-sdk-videoenhan, python-aliyun-python-sdk-videorecog, python-aliyun-python-sdk-videosearch, python-aliyun-python-sdk-videoseg, python-aliyun-python-sdk-visionai, python-aliyun-python-sdk-visionai-poc, python-aliyun-python-sdk-vod, python-aliyun-python-sdk-voicenavigator, python-aliyun-python-sdk-vpc, python-aliyun-python-sdk-vs, python-aliyun-python-sdk-waf-openapi, python-aliyun-python-sdk-webplus, python-aliyun-python-sdk-welfare-inner, python-aliyun-python-sdk-workorder, python-aliyun-python-sdk-xspace, python-aliyun-python-sdk-xtrace, python-aliyun-python-sdk-yundun, python-aliyun-python-sdk-yundun-ds, python-pycryptodome contains the following changes:

Initial shipment for Alibaba Cloud SDK and dependencies. (bsc#1175230, jsc#ECO-2011, jsc#PM-1919)

The following packages are being added:
    python-aliyun-python-sdk-aas
    python-aliyun-python-sdk-acms-open
    python-aliyun-python-sdk-acm
    python-aliyun-python-sdk-actiontrail
    python-aliyun-python-sdk-adb
    python-aliyun-python-sdk-address-purification
    python-aliyun-python-sdk-aegis
    python-aliyun-python-sdk-afs
    python-aliyun-python-sdk-airec
    python-aliyun-python-sdk-alidns
    python-aliyun-python-sdk-aligreen-console
    python-aliyun-python-sdk-alimt
    python-aliyun-python-sdk-alinlp
    python-aliyun-python-sdk-aliyuncvc
    python-aliyun-python-sdk-amqp-open
    python-aliyun-python-sdk-appmallsservice
    python-aliyun-python-sdk-arms4finance
    python-aliyun-python-sdk-arms
    python-aliyun-python-sdk-baas
    python-aliyun-python-sdk-brinekingdom
    python-aliyun-python-sdk-bssopenapi
    python-aliyun-python-sdk-bss
    python-aliyun-python-sdk-cams
    python-aliyun-python-sdk-cassandra
    python-aliyun-python-sdk-cas
    python-aliyun-python-sdk-cbn
    python-aliyun-python-sdk-ccc
    python-aliyun-python-sdk-ccs
    python-aliyun-python-sdk-cdn
    python-aliyun-python-sdk-chatbot
    python-aliyun-python-sdk-clickhouse
    python-aliyun-python-sdk-cloudapi
    python-aliyun-python-sdk-cloudauth
    python-aliyun-python-sdk-cloudesl
    python-aliyun-python-sdk-cloudgame
    python-aliyun-python-sdk-cloudmarketing
    python-aliyun-python-sdk-cloudphoto
    python-aliyun-python-sdk-cloudwf
    python-aliyun-python-sdk-cms
    python-aliyun-python-sdk-codeup
    python-aliyun-python-sdk-companyreg
    python-aliyun-python-sdk-core
    python-aliyun-python-sdk-crm
    python-aliyun-python-sdk-cr
    python-aliyun-python-sdk-csb
    python-aliyun-python-sdk-cspro
    python-aliyun-python-sdk-cs
    python-aliyun-python-sdk-cusanalytic_sc_online
    python-aliyun-python-sdk-das
    python-aliyun-python-sdk-dataworks-public
    python-aliyun-python-sdk-dbfs
    python-aliyun-python-sdk-dbs
    python-aliyun-python-sdk-dcdn
    python-aliyun-python-sdk-dds
    python-aliyun-python-sdk-democenter
    python-aliyun-python-sdk-devops-rdc
    python-aliyun-python-sdk-dms-enterprise
    python-aliyun-python-sdk-domain-intl
    python-aliyun-python-sdk-domain
    python-aliyun-python-sdk-drds
    python-aliyun-python-sdk-dts
    python-aliyun-python-sdk-dybaseapi
    python-aliyun-python-sdk-dyplsapi
    python-aliyun-python-sdk-dypnsapi
    python-aliyun-python-sdk-dysmsapi
    python-aliyun-python-sdk-dyvmsapi
    python-aliyun-python-sdk-eas
    python-aliyun-python-sdk-eci
    python-aliyun-python-sdk-ecs
    python-aliyun-python-sdk-edas
    python-aliyun-python-sdk-ehpc
    python-aliyun-python-sdk-elasticsearch
    python-aliyun-python-sdk-emr
    python-aliyun-python-sdk-ens
    python-aliyun-python-sdk-ess
    python-aliyun-python-sdk-faas
    python-aliyun-python-sdk-facebody
    python-aliyun-python-sdk-fnf
    python-aliyun-python-sdk-foas
    python-aliyun-python-sdk-ft
    python-aliyun-python-sdk-geoip
    python-aliyun-python-sdk-goodstech
    python-aliyun-python-sdk-gpdb
    python-aliyun-python-sdk-green
    python-aliyun-python-sdk-gts-phd
    python-aliyun-python-sdk-hbase
    python-aliyun-python-sdk-hbr
    python-aliyun-python-sdk-highddos
    python-aliyun-python-sdk-hiknoengine
    python-aliyun-python-sdk-hivisengine
    python-aliyun-python-sdk-hpc
    python-aliyun-python-sdk-hsm
    python-aliyun-python-sdk-httpdns
    python-aliyun-python-sdk-imageaudit
    python-aliyun-python-sdk-imageenhan
    python-aliyun-python-sdk-imageprocess
    python-aliyun-python-sdk-imagerecog
    python-aliyun-python-sdk-imagesearch
    python-aliyun-python-sdk-imageseg
    python-aliyun-python-sdk-imgsearch
    python-aliyun-python-sdk-imm
    python-aliyun-python-sdk-industry-brain
    python-aliyun-python-sdk-iot
    python-aliyun-python-sdk-iqa
    python-aliyun-python-sdk-ivision
    python-aliyun-python-sdk-ivpd
    python-aliyun-python-sdk-jaq
    python-aliyun-python-sdk-jarvis-public
    python-aliyun-python-sdk-jarvis
    python-aliyun-python-sdk-kms
    python-aliyun-python-sdk-ledgerdb
    python-aliyun-python-sdk-linkedmall
    python-aliyun-python-sdk-linkface
    python-aliyun-python-sdk-linkwan
    python-aliyun-python-sdk-live
    python-aliyun-python-sdk-lubancloud
    python-aliyun-python-sdk-market
    python-aliyun-python-sdk-mopen
    python-aliyun-python-sdk-mts
    python-aliyun-python-sdk-multimediaai
    python-aliyun-python-sdk-nas
    python-aliyun-python-sdk-netana
    python-aliyun-python-sdk-nlp-automl
    python-aliyun-python-sdk-nls-cloud-meta
    python-aliyun-python-sdk-objectdet
    python-aliyun-python-sdk-ocr
    python-aliyun-python-sdk-ocs
    python-aliyun-python-sdk-oms
    python-aliyun-python-sdk-onsmqtt
    python-aliyun-python-sdk-ons
    python-aliyun-python-sdk-oos
    python-aliyun-python-sdk-openanalytics-open
    python-aliyun-python-sdk-openanalytics
    python-aliyun-python-sdk-opensearch
    python-aliyun-python-sdk-ossadmin
    python-aliyun-python-sdk-ots
    python-aliyun-python-sdk-outboundbot
    python-aliyun-python-sdk-paistudio
    python-aliyun-python-sdk-petadata
    python-aliyun-python-sdk-polardb
    python-aliyun-python-sdk-productcatalog
    python-aliyun-python-sdk-pts
    python-aliyun-python-sdk-push
    python-aliyun-python-sdk-pvtz
    python-aliyun-python-sdk-qualitycheck
    python-aliyun-python-sdk-quickbi-public
    python-aliyun-python-sdk-ram
    python-aliyun-python-sdk-rdc
    python-aliyun-python-sdk-rds
    python-aliyun-python-sdk-reid
    python-aliyun-python-sdk-resourcemanager
    python-aliyun-python-sdk-retailcloud
    python-aliyun-python-sdk-risk
    python-aliyun-python-sdk-r-kvstore
    python-aliyun-python-sdk-ros
    python-aliyun-python-sdk-rtc
    python-aliyun-python-sdk-sae
    python-aliyun-python-sdk-saf
    python-aliyun-python-sdk-sas-api
    python-aliyun-python-sdk-sas
    python-aliyun-python-sdk-scdn
    python-aliyun-python-sdk-schedulerx2
    python-aliyun-python-sdk-sddp
    python-aliyun-python-sdk-slb
    python-aliyun-python-sdk-smartag
    python-aliyun-python-sdk-smc
    python-aliyun-python-sdk-snsuapi
    python-aliyun-python-sdk-status
    python-aliyun-python-sdk-sts
    python-aliyun-python-sdk
    python-aliyun-python-sdk-tag
    python-aliyun-python-sdk-tesladam
    python-aliyun-python-sdk-teslamaxcompute
    python-aliyun-python-sdk-teslastream
    python-aliyun-python-sdk-trademark
    python-aliyun-python-sdk-ubsms
    python-aliyun-python-sdk-uis
    python-aliyun-python-sdk-unimkt
    python-aliyun-python-sdk-vcs
    python-aliyun-python-sdk-viapiutils
    python-aliyun-python-sdk-videoenhan
    python-aliyun-python-sdk-videorecog
    python-aliyun-python-sdk-videosearch
    python-aliyun-python-sdk-videoseg
    python-aliyun-python-sdk-visionai-poc
    python-aliyun-python-sdk-visionai
    python-aliyun-python-sdk-vod
    python-aliyun-python-sdk-voicenavigator
    python-aliyun-python-sdk-vpc
    python-aliyun-python-sdk-vs
    python-aliyun-python-sdk-waf-openapi
    python-aliyun-python-sdk-webplus
    python-aliyun-python-sdk-welfare-inner
    python-aliyun-python-sdk-workorder
    python-aliyun-python-sdk-xspace
    python-aliyun-python-sdk-xtrace
    python-aliyun-python-sdk-yundun-ds
    python-aliyun-python-sdk-yundun
    python-pycryptodome

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:04:52 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}= to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3285-1 Released: Wed Nov 11 11:22:14 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to version 17.25.1: - Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot. - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - New solver testcase format. - Link against libzsd to close libsolvs open references (as we link statically) zypper was updated to version 1.14.40. - info: Assume descriptions starting with '

' are richtext (bsc#935885) - Use new testcase API in libzypp. - BuildRequires: libzypp-devel >= 17.25.0. - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to version 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3560-1 Released: Mon Nov 30 12:21:34 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479 This update for openssl-1_1 fixes the following issues: This update backports various bugfixes for FIPS: - Restore private key check in EC_KEY_check_key [bsc#1177479] - Add shared secret KAT to FIPS DH selftest [bsc#1175847] - Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847] - Fix locking issue uncovered by python testsuite (bsc#1166848) - Fix the sequence of locking operations in FIPS mode [bsc#1165534] - Fix deadlock in FIPS rand code (bsc#1165281) - Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) - Fix FIPS DRBG without derivation function (bsc#1161198) - Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203) - Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499) - Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt='' (bsc#1160158) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3566-1 Released: Mon Nov 30 16:56:52 2020 Summary: Security update for python-setuptools Type: security Severity: important References: 1176262,CVE-2019-20916 This update for python-setuptools fixes the following issues: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: - Add support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3720-1 Released: Wed Dec 9 13:36:26 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3723-1 Released: Wed Dec 9 13:37:55 2020 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1177120,CVE-2020-26137 This update for python-urllib3 fixes the following issues: - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3733-1 Released: Wed Dec 9 18:18:35 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount –a. (bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:305-1 Released: Thu Feb 4 15:00:37 2021 Summary: Recommended update for libprotobuf Type: recommended Severity: moderate References: libprotobuf was updated to fix: - ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:307-1 Released: Fri Feb 5 05:30:34 2021 Summary: Recommended update for libselinux Type: recommended Severity: low References: 1180603 This update for libselinux fixes the following issues: - Corrected the license to public domain (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:580-1 Released: Wed Feb 24 11:16:42 2021 Summary: Optional update for python-cffi Type: optional Severity: low References: 1182471 This update for python-cffi fixes the following issues: - Restored compatibility with Python 2.7 update (bsc#1182471) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:753-1 Released: Tue Mar 9 17:09:57 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:890-1 Released: Fri Mar 19 15:51:41 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:934-1 Released: Wed Mar 24 12:18:21 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:956-1 Released: Thu Mar 25 19:19:02 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.43: - doc: give more details about creating versioned package locks (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) - Fix source-download commands help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077) - Prefer /run over /var/run. Update libzypp to 17.25.8: - Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there. - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch categrory names synonymously: (recommended = bugfix) and (optional = feature = enhancement). - Add missing includes for GCC 11 compatibility. - Fix %posttrans script execution (fixes #265) The scripts are execuable. No need to call them through 'sh -c'. - Commit: Fix rpmdb compat symlink in case rpm got removed. - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location ob the rpmdatabase to use. - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#1179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with with unknown filesize (fixes #277) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:43:43 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1602-1 Released: Thu May 13 16:35:19 2021 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libsolv and libzypp fixes the following issues: libsolv: Upgrade from version 0.7.17 to version 0.7.19 - Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned. - Fix memory leaks in error cases - Fix error handling in `solv_xfopen_fd()` - Fix regex code on win32 - fixed memory leak in choice rule generation - `repo_add_conda`: add a flag to skip version 2 packages. libzypp: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1809-1 Released: Mon May 31 16:24:59 2021 Summary: Security update for curl Type: security Severity: moderate References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976). - Allow partial chain verification (jsc#SLE-17956). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2008-1 Released: Thu Jun 17 18:07:45 2021 Summary: Security update for python-rsa Type: security Severity: important References: 1172389,CVE-2020-13757 This update for python-rsa fixes the following issues: - CVE-2020-13757: Proper handling of leading '\0' bytes during decryption of ciphertext (bsc#1172389) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2143-1 Released: Wed Jun 23 16:27:04 2021 Summary: Security update for libnettle Type: security Severity: important References: 1187060,CVE-2021-3580 This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2157-1 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Type: security Severity: important References: 1187212,CVE-2021-33560 This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2205-1 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1187210 This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2246-1 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2292-1 Released: Mon Jul 12 08:25:20 2021 Summary: Security update for dbus-1 Type: security Severity: important References: 1187105,CVE-2020-35512 This update for dbus-1 fixes the following issues: - CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2320-1 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Type: security Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2404-1 Released: Tue Jul 20 14:21:30 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1184994,1188063,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Skip udev rules if 'elevator=' is used (bsc#1184994) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2440-1 Released: Wed Jul 21 13:48:24 2021 Summary: Security update for curl Type: security Severity: moderate References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925 This update for curl fixes the following issues: - CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220) - CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219) - CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218) - CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2689-1 Released: Mon Aug 16 10:54:52 2021 Summary: Security update for cpio Type: security Severity: important References: 1189206,CVE-2021-38185 This update for cpio fixes the following issues: It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2763-1 Released: Tue Aug 17 17:16:22 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465 This update for cpio fixes the following issues: - A regression in last update would cause builds to hang on various architectures(bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2780-1 Released: Thu Aug 19 16:09:15 2021 Summary: Recommended update for cpio Type: recommended Severity: critical References: 1189465,CVE-2021-38185 This update for cpio fixes the following issues: - A regression in the previous update could lead to crashes (bsc#1189465) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2800-1 Released: Fri Aug 20 10:43:04 2021 Summary: Security update for krb5 Type: security Severity: important References: 1188571,CVE-2021-36222 This update for krb5 fixes the following issues: - CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2810-1 Released: Mon Aug 23 12:14:30 2021 Summary: Security update for dbus-1 Type: security Severity: moderate References: 1172505,CVE-2020-12049 This update for dbus-1 fixes the following issues: - CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:2816-1 Released: Mon Aug 23 14:16:58 2021 Summary: Optional update for python-kubernetes Type: optional Severity: low References: This patch provides the python3-kubernetes package to the following modules: - Container Module for SUSE Linux Enterprise 15 SP2 - Container Module for SUSE Linux Enterprise 15 SP3 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2817-1 Released: Mon Aug 23 15:05:36 2021 Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 Type: security Severity: moderate References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137 This patch updates the Python AWS SDK stack in SLE 15: General: # aws-cli - Version updated to upstream release v1.19.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-boto3 - Version updated to upstream release 1.17.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-botocore - Version updated to upstream release 1.20.9 For a detailed list of all changes, please refer to the changelog file of this package. # python-urllib3 - Version updated to upstream release 1.25.10 For a detailed list of all changes, please refer to the changelog file of this package. # python-service_identity - Added this new package to resolve runtime dependencies for other packages. Version: 18.1.0 # python-trustme - Added this new package to resolve runtime dependencies for other packages. Version: 0.6.0 Security fixes: # python-urllib3: - CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2831-1 Released: Tue Aug 24 16:20:45 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1189521,CVE-2021-3712 This update for openssl-1_1 fixes the following security issue: - CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2863-1 Released: Mon Aug 30 08:18:50 2021 Summary: Recommended update for python-dbus-python Type: recommended Severity: moderate References: 1183818 This update for python-dbus-python fixes the following issues: - Update to latest version from tumbleweed. (jsc#ECO-3589, bsc#1183818) - update to 1.2.16: * All tests are run even if the 'tap.py' module is not available, althoug diagnostics for failing tests will be better if it is present. - Support builds with more than one python3 flavor - Clean duplicate python flavor variables for configure - Version update to version 1.2.14: * Ensure that the numeric types from dbus.types get the same str() under Python 3.8 that they did under previous versions. * Disable -Winline. * Add clearer license information using SPDX-License-Identifier. * Include inherited methods and properties when documenting objects, which regressed when migrating from epydoc to sphinx. * Add missing variant_level member to UnixFd type, for parity with the other dbus.types types * Don't reply to method calls if they have the NO_REPLY_EXPECTED flag * Silence '-Wcast-function-type' with gcc 8. * Fix distcheck with python3.7 by deleting '__pycache__' during uninstall. * Consistently save and restore the exception indicator when called from C code. - Add missing dependency for pkg-config files - Version update to version 1.2.8: * Python 2.7 required or 3.4 respectively * Upstream dropped epydoc completely - Add dbus-1-python3 package - Make BusConnection.list_activatable_names actually call struct entries than the signature allows with libdbus 1.4 imports dbus, is finalized, is re-initialized, and re-imports - When removing signal matches, clean up internal state, avoiding a memory leak in long-lived Python processes that connect to - When setting the sender of a message, allow it to be org.freedesktop.DBus so you can implement a D-Bus daemon - New package: dbus-1-python-devel ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2938-1 Released: Fri Sep 3 09:19:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - openldap2-contrib is shipped to the Legacy Module. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2968-1 Released: Tue Sep 7 09:53:00 2021 Summary: Security update for openssl-1_1 Type: security Severity: low References: 1189521,CVE-2021-3712 This update for openssl-1_1 fixes the following issues: - CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3001-1 Released: Thu Sep 9 15:08:13 2021 Summary: Recommended update for netcfg Type: recommended Severity: moderate References: 1189683 This update for netcfg fixes the following issues: - add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3182-1 Released: Tue Sep 21 17:04:26 2021 Summary: Recommended update for file Type: recommended Severity: moderate References: 1189996 This update for file fixes the following issues: - Fixes exception thrown by memory allocation problem (bsc#1189996) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3278-1 Released: Mon Oct 4 09:30:10 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1190858 This update for ca-certificates-mozilla fixes the following issues: - remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3297-1 Released: Wed Oct 6 16:53:29 2021 Summary: Security update for curl Type: security Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3348-1 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063). - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018). - Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353). - Rules weren't applied to dm devices (multipath) (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291). - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3385-1 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3480-1 Released: Wed Oct 20 11:24:10 2021 Summary: Recommended update for yast2-network Type: recommended Severity: moderate References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933 This update for yast2-network fixes the following issues: - Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915). - Fix the shown description using the interface friendly name when it is empty (bsc#1190933). - Consider aliases sections as case insensitive (bsc#1190739). - Display user defined device name in the devices overview (bnc#1190645). - Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344). - Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910). - Fix desktop file so the control center tooltip is translated (bsc#1187270). - Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016). - Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3490-1 Released: Wed Oct 20 16:31:55 2021 Summary: Security update for ncurses Type: security Severity: moderate References: 1190793,CVE-2021-39537 This update for ncurses fixes the following issues: - CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3494-1 Released: Wed Oct 20 16:48:46 2021 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1190052 This update for pam fixes the following issues: - Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638) - Added new file macros.pam on request of systemd. (bsc#1190052) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3510-1 Released: Tue Oct 26 11:22:15 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1191987 This update for pam fixes the following issues: - Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3523-1 Released: Tue Oct 26 15:40:13 2021 Summary: Security update for util-linux Type: security Severity: moderate References: 1122417,1125886,1178236,1188921,CVE-2021-37600 This update for util-linux fixes the following issues: Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2: - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921). - agetty: Fix 8-bit processing in get_logname() (bsc#1125886). - mount: Fix 'mount' output for net file systems (bsc#1122417). - ipcs: Avoid overflows (bsc#1178236) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3529-1 Released: Wed Oct 27 09:23:32 2021 Summary: Security update for pcre Type: security Severity: moderate References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155 This update for pcre fixes the following issues: Update pcre to version 8.45: - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974). - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3781-1 Released: Tue Nov 23 23:48:43 2021 Summary: This update for libzypp, zypper and libsolv fixes the following issues: Type: recommended Severity: moderate References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436 This update for zypper fixes the following issues: - Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested. - Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) - Allow trusted repos to add additional signing keys. (bsc#1184326) - MediaCurl: Fix logging of redirects. - Let negative values wait forever for the zypp lock. (bsc#1184399) - Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325) - Fix service detection with cgroupv2. (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Enhance XML output of repo GPG options - Add optional attributes showing the raw values actually present in the '.repo' file. - Link all executables with -pie (bsc#1186447) - Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645) - Fix solver jobs for PTFs. (bsc#1186503) - choice rules: treat orphaned packages as newest. (bc#1190465) - Add need reboot/restart hint to XML install summary. (bsc#1188435) - Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815) - Fix obs:// platform guessing for Leap. (bsc#1187425) - Fix purge-kernels fails. (bsc#1187738) - Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712) - Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156) - Do not check of signatures and keys two times(redundant). (bsc#1190059) - Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760) - Show key fpr from signature when signature check fails. (bsc#1187224) - Make sure to keep states alives while transitioning. (bsc#1190199) - Fix crashes in logging code when shutting down. (bsc#1189031) - Manpage: Improve description about patch updates. (bsc#1187466) - Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602) - Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858) - Disable logger in the child after fork (bsc#1192436) - Check log writer before accessing it (bsc#1192337) - Allow uname-r format in purge kernels keepspec - zypper should keep cached files if transaction is aborted (bsc#1190356) - Require a minimum number of mirrors for multicurl (bsc#1191609) - Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324) - Fix translations (bsc#1191370) - RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3799-1 Released: Wed Nov 24 18:07:54 2021 Summary: Recommended update for gcc11 Type: recommended Severity: moderate References: 1187153,1187273,1188623 This update for gcc11 fixes the following issues: The additional GNU compiler collection GCC 11 is provided: To select these compilers install the packages: - gcc11 - gcc-c++11 - and others with 11 prefix. to select them for building: - CC='gcc-11' - CXX='g++-11' The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3809-1 Released: Fri Nov 26 00:31:59 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1189803,1190325,1190440,1190984,1191252,1192161 This update for systemd fixes the following issues: - Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103) - Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161) - shutdown: Reduce log level of unmounts (bsc#1191252) - pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803) - core: rework how we connect to the bus (bsc#1190325) - mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984) - virt: detect Amazon EC2 Nitro instance (bsc#1190440) - Several fixes for umount - busctl: use usec granularity for the timestamp printed by the busctl monitor command - fix unitialized fields in MountPoint in dm_list_get() - shutdown: explicitly set a log target - mount-util: add mount_option_mangle() - dissect: automatically mark partitions read-only that have a read-only file system - build-sys: require proper libmount version - systemd-shutdown: use log_set_prohibit_ipc(true) - rationalize interface for opening/closing logging - pid1: when we can't log to journal, remember our fallback log target - log: remove LOG_TARGET_SAFE pseudo log target - log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console() - log: add new 'prohibit_ipc' flag to logging system - log: make log_set_upgrade_syslog_to_journal() take effect immediately - dbus: split up bus_done() into seperate functions - machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 - virt: if we detect Xen by DMI, trust that over CPUID ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3830-1 Released: Wed Dec 1 13:45:46 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1027496,1183085,CVE-2016-10228 This update for glibc fixes the following issues: - libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) - CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3891-1 Released: Fri Dec 3 10:21:49 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1029961,1113013,1187654 This update for keyutils fixes the following issues: - Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) keyutils was updated to 1.6.3 (jsc#SLE-20016): * Revert the change notifications that were using /dev/watch_queue. * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). * Allow 'keyctl supports' to retrieve raw capability data. * Allow 'keyctl id' to turn a symbolic key ID into a numeric ID. * Allow 'keyctl new_session' to name the keyring. * Allow 'keyctl add/padd/etc.' to take hex-encoded data. * Add 'keyctl watch*' to expose kernel change notifications on keys. * Add caps for namespacing and notifications. * Set a default TTL on keys that upcall for name resolution. * Explicitly clear memory after it's held sensitive information. * Various manual page fixes. * Fix C++-related errors. * Add support for keyctl_move(). * Add support for keyctl_capabilities(). * Make key=val list optional for various public-key ops. * Fix system call signature for KEYCTL_PKEY_QUERY. * Fix 'keyctl pkey_query' argument passing. * Use keyctl_read_alloc() in dump_key_tree_aux(). * Various manual page fixes. Updated to 1.6: * Apply various specfile cleanups from Fedora. * request-key: Provide a command line option to suppress helper execution. * request-key: Find least-wildcard match rather than first match. * Remove the dependency on MIT Kerberos. * Fix some error messages * keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. * Fix doc and comment typos. * Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). * Add pkg-config support for finding libkeyutils. * upstream isn't offering PGP signatures for the source tarballs anymore Updated to 1.5.11 (bsc#1113013) * Add keyring restriction support. * Add KDF support to the Diffie-Helman function. * DNS: Add support for AFS config files and SRV records ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3899-1 Released: Fri Dec 3 11:27:41 2021 Summary: Security update for aaa_base Type: security Severity: moderate References: 1162581,1174504,1191563,1192248 This update for aaa_base fixes the following issues: - Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504). - Add $HOME/.local/bin to PATH, if it exists (bsc#1192248). - Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563). - Support xz compressed kernel (bsc#1162581) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3930-1 Released: Mon Dec 6 11:16:10 2021 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1192790 This update for curl fixes the following issues: - Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3946-1 Released: Mon Dec 6 14:57:42 2021 Summary: Security update for gmp Type: security Severity: moderate References: 1192717,CVE-2021-43618 This update for gmp fixes the following issues: - CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:4015-1 Released: Mon Dec 13 17:16:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737 This update for python3 fixes the following issues: - CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241) - CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287) - CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374) - Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4017-1 Released: Tue Dec 14 07:26:55 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1180995 This update for openssl-1_1 fixes the following issues: - Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters consistently with our other codestreams (bsc#1180995) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4139-1 Released: Tue Dec 21 17:02:44 2021 Summary: Recommended update for systemd Type: recommended Severity: critical References: 1193481,1193521 This update for systemd fixes the following issues: - Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481) sleep-config: partitions can't be deleted, only files can shared/sleep-config: exclude zram devices from hibernation candidates ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:4154-1 Released: Wed Dec 22 11:02:38 2021 Summary: Security update for p11-kit Type: security Severity: important References: 1180064,1187993,CVE-2020-29361 This update for p11-kit fixes the following issues: - CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064) - Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:4182-1 Released: Thu Dec 23 11:51:51 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1192688 This update for zlib fixes the following issues: - Fix hardware compression incorrect result on z15 hardware (bsc#1192688) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4-1 Released: Mon Jan 3 08:28:54 2022 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1193480 This update for libgcrypt fixes the following issues: - Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:57-1 Released: Wed Jan 12 07:10:42 2022 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1193488,954813 This update for libzypp fixes the following issues: - Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488) - Fix wrong encoding of URI compontents of ISO images (bsc#954813) - When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible - Introduce zypp-curl as a sublibrary for CURL related code - zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set - Save all signatures associated with a public key in its PublicKeyData ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:178-1 Released: Tue Jan 25 14:16:23 2022 Summary: Security update for expat Type: security Severity: important References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827 This update for expat fixes the following issues: - CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251). - CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362). - CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474). - CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476). - CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477). - CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478). - CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479). - CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480). The following package changes have been done: - aaa_base-84.87+git20180409.04c9dae-3.52.1 updated - bash-4.4-9.14.1 updated - boost-license1_66_0-1.66.0-5.3.1 updated - ca-certificates-mozilla-2.44-4.32.1 updated - cpio-2.12-3.9.1 updated - dbus-1-1.12.2-8.11.2 updated - diffutils-3.6-4.3.1 updated - file-magic-5.32-7.14.1 updated - filesystem-15.0-11.3.2 updated - findutils-4.6.0-4.3.1 updated - glib2-tools-2.54.3-4.24.1 updated - glibc-2.26-13.62.1 updated - gpg2-2.2.5-4.19.8 updated - grep-3.1-4.3.12 updated - krb5-1.16.3-3.24.1 updated - libaudit1-2.8.1-5.5.1 updated - libaugeas0-1.10.1-3.3.1 updated - libblkid1-2.33.2-4.16.1 updated - libboost_system1_66_0-1.66.0-5.3.1 updated - libboost_thread1_66_0-1.66.0-5.3.1 updated - libbz2-1-1.0.6-5.11.1 updated - libcap2-2.26-4.6.1 updated - libcom_err2-1.43.8-4.26.1 updated - libcurl4-7.60.0-28.1 updated - libdbus-1-3-1.12.2-8.11.2 updated - libexpat1-2.2.5-3.9.1 updated - libfdisk1-2.33.2-4.16.1 updated - libgcc_s1-11.2.1+git610-1.3.9 updated - libgcrypt20-1.8.2-8.42.1 updated - libgio-2_0-0-2.54.3-4.24.1 updated - libglib-2_0-0-2.54.3-4.24.1 updated - libgmodule-2_0-0-2.54.3-4.24.1 updated - libgmp10-6.1.2-4.9.1 updated - libgnutls30-3.6.7-6.40.2 updated - libgobject-2_0-0-2.54.3-4.24.1 updated - libhogweed4-3.4.1-4.18.1 updated - libidn2-0-2.2.0-3.6.1 updated - libkeyutils1-1.6.3-5.6.1 updated - libldap-2_4-2-2.4.46-9.58.1 updated - libldap-data-2.4.46-9.58.1 updated - liblua5_3-5-5.3.6-3.6.1 updated - liblz4-1-1.8.0-3.8.1 updated - libmagic1-5.32-7.14.1 updated - libmount1-2.33.2-4.16.1 updated - libncurses6-6.1-5.9.1 updated - libnettle6-3.4.1-4.18.1 updated - libnghttp2-14-1.40.0-3.11.1 updated - libopenssl1_1-1.1.0i-14.24.3 updated - libp11-kit0-0.23.2-4.13.1 updated - libpcre1-8.45-20.10.1 updated - libprocps7-3.3.15-7.19.1 updated - libprotobuf-lite15-3.5.0-5.2.1 added - libproxy1-0.4.15-4.3.1 updated - libpython3_6m1_0-3.6.15-3.91.3 updated - libreadline7-7.0-9.14.1 updated - libselinux1-2.8-8.3.1 updated - libsigc-2_0-0-2.10.0-3.7.1 added - libsmartcols1-2.33.2-4.16.1 updated - libsolv-tools-0.7.20-4.3.1 updated - libsqlite3-0-3.36.0-3.12.1 updated - libssh4-0.8.7-10.12.1 updated - libstdc++6-11.2.1+git610-1.3.9 updated - libsystemd0-234-24.102.1 updated - libudev1-234-24.102.1 updated - libusb-1_0-0-1.0.21-3.3.1 updated - libuuid1-2.33.2-4.16.1 updated - libxml2-2-2.9.7-3.37.1 updated - libyaml-cpp0_6-0.6.1-4.2.1 added - libz1-1.2.11-3.24.1 updated - libzstd1-1.4.4-1.6.1 added - libzypp-17.29.0-3.64.1 updated - ncurses-utils-6.1-5.9.1 updated - netcfg-11.6-3.3.1 updated - openssl-1_1-1.1.0i-14.24.3 updated - p11-kit-tools-0.23.2-4.13.1 updated - p11-kit-0.23.2-4.13.1 updated - pam-1.3.0-6.50.1 updated - perl-base-5.26.1-7.12.1 updated - permissions-20181116-9.38.1 updated - procps-3.3.15-7.19.1 updated - python3-PyJWT-1.7.1-6.4.1 updated - python3-PyYAML-5.3.1-6.10.1 updated - python3-adal-1.2.4-7.4.1 updated - python3-asn1crypto-0.24.0-3.2.1 updated - python3-base-3.6.15-3.91.3 updated - python3-blinker-1.4-3.4.1 updated - python3-cachetools-2.0.1-3.3.1 updated - python3-cffi-1.11.2-4.6.1 updated - python3-cryptography-2.8-7.4.1 updated - python3-dbus-python-1.2.16-6.3.1 updated - python3-ecdsa-0.13.3-3.7.1 updated - python3-google-auth-1.5.1-3.4.1 updated - python3-httplib2-0.19.0-3.3.1 updated - python3-kubernetes-8.0.1-3.5.1 updated - python3-oauth2client-gce-4.1.2-3.2.1 updated - python3-oauth2client-4.1.2-3.2.1 updated - python3-oauthlib-2.0.6-3.4.1 updated - python3-pyOpenSSL-17.5.0-3.9.1 added - python3-pyasn1-0.4.2-3.2.1 updated - python3-pycparser-2.17-3.2.1 updated - python3-pycryptodome-3.9.0-3.3.2 added - python3-py-1.8.1-5.6.1 updated - python3-requests-oauthlib-0.8.0-3.4.1 updated - python3-requests-2.24.0-6.10.2 updated - python3-rsa-3.4.2-3.4.1 updated - python3-setuptools-40.5.0-6.3.1 updated - python3-six-1.14.0-7.3.1 updated - python3-urllib3-1.25.10-9.14.1 updated - python3-websocket-client-0.57.0-6.4.1 updated - python3-3.6.15-3.91.4 updated - rpm-4.14.1-10.19.8 updated - sed-4.4-4.3.1 updated - sles-release-15.1-66.1 added - sysuser-shadow-2.0-4.2.8 updated - terminfo-base-6.1-5.9.1 updated - util-linux-2.33.2-4.16.1 updated - zypper-1.14.50-3.46.1 updated - container:sles15-image-15.0.0-6.2.559 updated - dbus-1-glib-0.108-1.29 removed - python-rpm-macros-20200117.8e39013-3.8.1 removed - python3-pycrypto-2.6.1-1.28 removed