SUSE Container Update Advisory: caasp/v4/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3915-1
Container Tags        : caasp/v4/cilium:1.6.6 , caasp/v4/cilium:1.6.6-rev6 , caasp/v4/cilium:1.6.6-rev6-build3.17.1
Container Release     : 3.17.1
Severity              : critical
Type                  : security
-----------------------------------------------------------------

The container caasp/v4/cilium was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:337-1
Released:    Fri Feb  4 10:24:28 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1193007,1194597,1194898
This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:473-1
Released:    Thu Feb 17 10:29:42 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released:    Fri Feb 18 10:46:56 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1195054,1195217,CVE-2022-23852,CVE-2022-23990
This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:511-1
Released:    Fri Feb 18 12:41:53 2022
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1082318,1189152
This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
- Properly sort docs and license files (bsc#1082318).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:523-1
Released:    Fri Feb 18 12:49:09 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1193759,1193841
This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).
- add rules for virtual devices (bsc#1193759).
- enforce 'none' for loop devices (bsc#1193759).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:38 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
  
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:702-1
Released:    Thu Mar  3 18:22:59 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
  
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:823-1
Released:    Mon Mar 14 15:16:37 2022
Summary:     Security update for protobuf
Type:        security
Severity:    moderate
References:  1195258,CVE-2021-22570
This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:832-1
Released:    Mon Mar 14 17:27:03 2022
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE
    server

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
      configuration
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
      (DSCP)
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
      files
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
      option
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
      sources
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
      frequently
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
      authentication
    - Add selectdata command to print details about source
      selection
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
      sources
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don't set interface for NTP responses to allow asymmetric
      routing
    - Handle RTCs that don't support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).




Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service
  (bsc#1128846).


- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:853-1
Released:    Tue Mar 15 19:27:30 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1196877,CVE-2022-0778
This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:867-1
Released:    Wed Mar 16 07:14:44 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1193805
This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:936-1
Released:    Tue Mar 22 18:10:17 2022
Summary:     Recommended update for filesystem and systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1021-1
Released:    Tue Mar 29 13:24:21 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1195899
This update for systemd fixes the following issues:

- allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1047-1
Released:    Wed Mar 30 16:20:56 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1196093,1197024
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and freeing it, there are two 'return NO' statements where we don't free this variable.
  This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1061-1
Released:    Wed Mar 30 18:27:06 2022
Summary:     Security update for zlib
Type:        security
Severity:    important
References:  1197459,CVE-2018-25032
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1073-1
Released:    Fri Apr  1 11:45:01 2022
Summary:     Security update for yaml-cpp
Type:        security
Severity:    moderate
References:  1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292
This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner::EnsureTokensInQueue (bsc#1121227).
- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowMap (bsc#1121230).
- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1099-1
Released:    Mon Apr  4 12:53:05 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1194883
This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interferes with UTF-8
  multi byte characters as well as support the vi mode of readline library

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1109-1
Released:    Mon Apr  4 17:50:01 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    important
References:  1172427,1194642
This update for util-linux fixes the following issues:

- Improve throughput and reduce clock sequence increments for high load situation with time based 
  version 1 uuids. (bsc#1194642)
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Warn if uuidd lock state is not usable. (bsc#1194642)
- Fix 'su -s' bash completion. (bsc#1172427)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1131-1
Released:    Fri Apr  8 09:43:53 2022
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    important
References:  1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134
This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv to 0.7.22:

- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
- support parsing of Debian's Multi-Arch indicator
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
  ('requires' is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support querying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime

libzypp to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to
  release its loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
  protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1158-1
Released:    Tue Apr 12 14:44:43 2022
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1198062,CVE-2022-1271
This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1250-1
Released:    Sun Apr 17 15:39:47 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  1177047,1180713,1198062,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

The following non-security bugs were fixed:

- Fixed an issue where 'gzexe' miscounts the lines to skip. (bsc#1180713)
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1302-1
Released:    Fri Apr 22 10:04:46 2022
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1196939
This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1409-1
Released:    Tue Apr 26 12:54:57 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1195628,1196107
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstdc++6 package to keep those
  at the same version.  [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1438-1
Released:    Wed Apr 27 15:27:19 2022
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    low
References:  1195251
This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMware by default (bsc#1195251)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1439-1
Released:    Wed Apr 27 16:08:04 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1198237
This update for binutils fixes the following issues:

- The official name IBM z16 for IBM zSeries arch14 is recognized.  (bsc#1198237)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1452-1
Released:    Thu Apr 28 10:48:06 2022
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1193489
This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released:    Fri May 13 15:36:10 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1197794
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1656-1
Released:    Fri May 13 15:38:02 2022
Summary:     Recommended update for llvm7
Type:        recommended
Severity:    moderate
References:  1197775
This update for llvm7 fixes the following issues:

- Backport fixes and changes from Factory. (bsc#1197775)
- Drop RUNPATH from packaged binaries, instead set LD_LIBRARY_PATH for building and testing to simulate behavior of 
  actual package.
- Fix build with linux-glibc-devel 5.13.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released:    Fri May 13 15:40:20 2022
Summary:     Recommended update for libpsl
Type:        recommended
Severity:    important
References:  1197771
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1674-1
Released:    Mon May 16 10:12:11 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released:    Mon May 16 14:02:49 2022
Summary:     Security update for e2fsprogs
Type:        security
Severity:    important
References:  1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
  and possibly arbitrary code execution. (bsc#1198446)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1691-1
Released:    Mon May 16 15:13:39 2022
Summary:     Recommended update for augeas
Type:        recommended
Severity:    moderate
References:  1197443
This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1750-1
Released:    Thu May 19 15:28:20 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1832-1
Released:    Tue May 24 11:52:33 2022
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1191157,1197004,1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:

Security:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

Bugfixes:
- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1851-1
Released:    Thu May 26 08:59:55 2022
Summary:     Recommended update for gcc8
Type:        recommended
Severity:    moderate
References:  1197716
This update for gcc8 fixes the following issues:

- Fix build against SP4. (bsc#1197716)
- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1887-1
Released:    Tue May 31 09:24:18 2022
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1040589
This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2019-1
Released:    Wed Jun  8 16:50:07 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1192951,1193659,1195283,1196861,1197065
This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64.  [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild.  [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586.  [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune 
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines.  [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build  [bsc#1192951]
* Package mwaitintrin.h

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2049-1
Released:    Mon Jun 13 09:23:52 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1191908,1198422
This update for binutils fixes the following issues:

- Revert back to old behaviour of not ignoring the in-section content
  of to be relocated fields on x86-64, even though that's a RELA architecture.
  Compatibility with buggy object files generated by old tools.
  [bsc#1198422]
- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2068-1
Released:    Tue Jun 14 10:14:47 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1185637,1199166,CVE-2022-1292
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2157-1
Released:    Wed Jun 22 17:11:26 2022
Summary:     Recommended update for binutils
Type:        recommended
Severity:    moderate
References:  1198458
This update for binutils fixes the following issues:

- For building the shim 15.6~rc1 and later versions aarch64 image, objcopy
  needs to support efi-app-aarch64 target. (bsc#1198458)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2179-1
Released:    Fri Jun 24 14:05:25 2022
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1200550,CVE-2022-2068
This update for openssl fixes the following issues:

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2311-1
Released:    Wed Jul  6 15:16:17 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201099,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2323-1
Released:    Thu Jul  7 12:16:58 2022
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    low
References:  
This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2361-1
Released:    Tue Jul 12 12:05:01 2022
Summary:     Security update for pcre
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released:    Fri Jul 15 11:47:57 2022
Summary:     Security update for p11-kit
Type:        security
Severity:    moderate
References:  1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2471-1
Released:    Thu Jul 21 04:42:58 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1148309,1191502,1195529,1200170
This update for systemd fixes the following issues:

- Allow control characters in environment variable values (bsc#1200170)
- basic/env-util: Allow newlines in values of environment variables
- man: tweak description of auto/noauto (bsc#1191502)
- shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)
- shared/install: fix error codes returned by install_context_apply()
- shared/install: ignore failures for auxiliary files
- systemctl: suppress enable/disable messages when `-q` is given
- test-env-util: Verify that \r is disallowed in env var values
- test-env-util: print function headers
- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2571-1
Released:    Thu Jul 28 04:20:52 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1194550,1197684,1199042
This update for libzypp, zypper fixes the following issues:

libzypp:

- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)
- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag
- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh
- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)
- singletrans: no dry-run commit if doing just download-only
- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were
  removed at the beginning of the repo.
- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

zypper:

- Basic JobReport for 'cmdout/monitor'
- versioncmp: if verbose, also print the edition 'parts' which are compared
- Make sure MediaAccess is closed on exception (bsc#1194550)
- Display plus-content hint conditionally
- Honor the NO_COLOR environment variable when auto-detecting whether to use color
- Define table columns which should be sorted natural [case insensitive]
- lr/ls: Use highlight color on name and alias as well

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2717-1
Released:    Tue Aug  9 12:54:16 2022
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1198627,CVE-2022-29458
This update for ncurses fixes the following issues:

- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2829-1
Released:    Wed Aug 17 13:33:11 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1199223,1199224,1200735,1200737,CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208
This update for curl fixes the following issues:

- CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite
  loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).
- CVE-2022-27782: Fixed an issue where TLS and SSH connections would
  be reused even when a related option had been changed (bsc#1199224).
- CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused
  by an unbounded number of compression layers (bsc#1200735).
- CVE-2022-32208: Fixed an incorrect message verification issue when
  performing FTP transfers using krb5 (bsc#1200737).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2830-1
Released:    Wed Aug 17 14:36:26 2022
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1196167,1202020,CVE-2021-4209,CVE-2022-2509
This update for gnutls fixes the following issues:

- CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).
- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167). 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2866-1
Released:    Mon Aug 22 15:36:30 2022
Summary:     Security update for systemd-presets-common-SUSE
Type:        security
Severity:    moderate
References:  1199524,1200485,CVE-2022-1706
This update for systemd-presets-common-SUSE fixes the following issues:

- CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

The following non-security bugs were fixed:

- Modify branding-preset-states to fix systemd-presets-common-SUSE
  not enabling new user systemd service preset configuration just
  as it handles system service presets. By passing an (optional)
  second parameter 'user', the save/apply-changes commands now
  work with user services instead of system ones (bsc#1200485)

- Add the wireplumber user service preset to enable it by default
  in SLE15-SP4 where it replaced pipewire-media-session, but keep
  pipewire-media-session preset so we don't have to branch the
  systemd-presets-common-SUSE package for SP4 (bsc#1200485)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2905-1
Released:    Fri Aug 26 05:30:33 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1198341
This update for openldap2 fixes the following issues:

- Prevent memory reuse which may lead to instability (bsc#1198341)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2944-1
Released:    Wed Aug 31 05:39:14 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    important
References:  1181475
This update for procps fixes the following issues:

- Fix 'free' command reporting misleading 'used' value (bsc#1181475)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2947-1
Released:    Wed Aug 31 09:16:21 2022
Summary:     Security update for zlib
Type:        security
Severity:    important
References:  1202175,CVE-2022-37434
This update for zlib fixes the following issues:

- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2991-1
Released:    Thu Sep  1 16:04:30 2022
Summary:     Security update for libtirpc
Type:        security
Severity:    important
References:  1198752,1200800,1201680,CVE-2021-46828
This update for libtirpc fixes the following issues:

- CVE-2021-46828: Fixed an uncontrolled file descriptor consumption,
  which could be exploited by remote attackers to prevent applications
  using the library from accepting new connections (bsc#1201680).

Non-security fixes:

- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
- Fix memory leak in params.r_addr assignment (bsc#1198752)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2994-1
Released:    Fri Sep  2 10:44:54 2022
Summary:     Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame
Type:        recommended
Severity:    moderate
References:  1198925

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)

No code changes were done in this update.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3129-1
Released:    Wed Sep  7 04:42:53 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1197178,1198731,1200842
This update for util-linux fixes the following issues:

- su: Change owner and mode for pty (bsc#1200842)
- agetty: Resolve tty name even if stdin is specified (bsc#1197178)
- libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)
- mesg: use only stat() to get the current terminal status (bsc#1200842)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3144-1
Released:    Wed Sep  7 11:04:23 2022
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1201225,CVE-2022-34903
This update for gpg2 fixes the following issues:

- CVE-2022-34903: Fixed a potential signature forgery via injection
  into the status line when certain unusual conditions are met (bsc#1201225).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3221-1
Released:    Fri Sep  9 04:31:28 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1199895,1200993,1201092,1201576,1201638
This update for libzypp, zypper fixes the following issues:

libzypp:

- Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)
- Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)
- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)
- Remove MediaNetwork and its dependent code. First reason for this is that MediaNetwork was just meant as a way to test
  the new CURL based downloader. Second, the Provide API is going to completely replace the current media backend.

zypper:

- Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)
- Reject install/remove modifier without argument (bsc#1201576)
- zypper-download: Handle unresolvable arguments as errors
- Put signing key supplying repository name in quotes

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3262-1
Released:    Tue Sep 13 15:34:29 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1199140

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3304-1
Released:    Mon Sep 19 11:43:25 2022
Summary:     Recommended update for libassuan
Type:        recommended
Severity:    moderate
References:  
This update for libassuan fixes the following issues:

- Add a timeout for writing to a SOCKS5 proxy
- Add workaround for a problem with LD_LIBRARY_PATH on newer systems
- Fix issue in the logging code
- Fix some build trivialities
- Upgrade autoconf

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3307-1
Released:    Mon Sep 19 13:26:51 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737
This update for sqlite3 fixes the following issues:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).
  
- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3549-1
Released:    Fri Oct  7 14:39:40 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1159635,CVE-2019-19906
This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3566-1
Released:    Tue Oct 11 16:19:09 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    critical
References:  1189282,1201972,1203649
This update for libzypp, zypper fixes the following issues:

libzypp:
 
- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Remove migration code that is no longer needed (bsc#1203649)
- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

zypper:

- Fix contradiction in the man page: `--download-in-advance` option is the default behavior
- Fix regression leading to `-allow-vendor-change` and `no-allow-vendor-change` options being ignored (bsc#1201972)
- Fix tests to use locale 'C.UTF-8' rather than 'en_US'
- Make sure 'up' respects solver related CLI options (bsc#1201972)
- Remove unneeded code to compute the PPP status because it is now auto established
- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3597-1
Released:    Mon Oct 17 13:13:16 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1203438,CVE-2022-40674
This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3683-1
Released:    Fri Oct 21 11:48:39 2022
Summary:     Security update for libksba
Type:        security
Severity:    critical
References:  1204357,CVE-2022-3515
This update for libksba fixes the following issues:

  - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3774-1
Released:    Wed Oct 26 12:21:09 2022
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1202593,1204383,CVE-2022-32221,CVE-2022-35252
This update for curl fixes the following issues:

  - CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
  - CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released:    Wed Oct 26 18:03:28 2022
Summary:     Security update for libtasn1
Type:        security
Severity:    critical
References:  1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3805-1
Released:    Thu Oct 27 17:19:46 2022
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
This update for dbus-1 fixes the following issues:

  - CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).
  - CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
  - CVE-2022-42012: Fixed a use-after-free that could be triggered by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).

  Bugfixes:

  - Disable asserts (bsc#1087072).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released:    Fri Nov  4 13:26:29 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304
This update for libxml2 fixes the following issues:

  - CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
  - CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
  - CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3882-1
Released:    Mon Nov  7 09:06:03 2022
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995
This update for openssl-1_1 fixes the following issues:

- FIPS: Default to RFC7919 groups when generating ECDH parameters
  using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3905-1
Released:    Tue Nov  8 12:23:17 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    important
References:  1196840,1199492,1199918,1199926,1199927
This update for aaa_base and iputils fixes the following issues:

aaa_base:

- Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
- The wrapper rootsh is not a restricted shell (bsc#1199492)

iputils:

- Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released:    Tue Nov  8 13:05:04 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  
This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3912-1
Released:    Tue Nov  8 13:38:11 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1204708,CVE-2022-43680
This update for expat fixes the following issues:

  - CVE-2022-43680: Fixed use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released:    Mon Nov 14 07:33:50 2022
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3975-1
Released:    Mon Nov 14 15:41:13 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1201959
This update for util-linux fixes the following issues:

- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short running applications-increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released:    Fri Nov 18 15:40:46 2022
Summary:     Security update for dpkg
Type:        security
Severity:    low
References:  1199944,CVE-2022-1664
This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4146-1
Released:    Mon Nov 21 09:56:12 2022
Summary:     Security update for binutils
Type:        security
Severity:    moderate
References:  1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533
This update for binutils fixes the following issues:

The following security bugs were fixed:

- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).
- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).
- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).
- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).
- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).
- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).
- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).
- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).
- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).
- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).


The following non-security bugs were fixed:
  
- SLE toolchain update of binutils, update to 2.39 from 2.37.
- Update to 2.39:  
  * The ELF linker will now generate a warning message if the stack is made
    executable.  Similarly it will warn if the output binary contains a
    segment with all three of the read, write and execute permission
    bits set.  These warnings are intended to help developers identify
    programs which might be vulnerable to attack via these executable
    memory regions.
    The warnings are enabled by default but can be disabled via a command
    line option.  It is also possible to build a linker with the warnings
    disabled, should that be necessary.
  * The ELF linker now supports a --package-metadata option that allows
    embedding a JSON payload in accordance with the Package Metadata
    specification.
  * In linker scripts it is now possible to use TYPE= in an output
    section description to set the section type value.
  * The objdump program now supports coloured/colored syntax
    highlighting of its disassembler output for some architectures.
    (Currently: AVR, RiscV, s390, x86, x86_64).
  * The nm program now supports a --no-weak/-W option to make it ignore
    weak symbols.
  * The readelf and objdump programs now support a -wE option to prevent
    them from attempting to access debuginfod servers when following
    links.
  * The objcopy program's --weaken, --weaken-symbol, and
    --weaken-symbols options now work with unique symbols as well.

- Update to 2.38:
  * elfedit: Add --output-abiversion option to update ABIVERSION.
  * Add support for the LoongArch instruction set.
  * Tools which display symbols or strings (readelf, strings, nm, objdump)
    have a new command line option which controls how unicode characters are
    handled.  By default they are treated as normal for the tool.  Using
    --unicode=locale will display them according to the current locale.
    Using --unicode=hex will display them as hex byte values, whilst
    --unicode=escape will display them as escape sequences.  In addition
    using --unicode=highlight will display them as unicode escape sequences
    highlighted in red (if supported by the output device).
  * readelf -r dumps RELR relative relocations now.
  * Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been
    added to objcopy in order to enable UEFI development using binutils.
  * ar: Add --thin for creating thin archives. -T is a deprecated alias without
    diagnostics. In many ar implementations -T has a different meaning, as
    specified by X/Open System Interface.
  * Add support for AArch64 system registers that were missing in previous
    releases.
  * Add support for the LoongArch instruction set.
  * Add a command-line option, -muse-unaligned-vector-move, for x86 target
    to encode aligned vector move as unaligned vector move.
  * Add support for Cortex-R52+ for Arm.
  * Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.
  * Add support for Cortex-A710 for Arm.
  * Add support for Scalable Matrix Extension (SME) for AArch64.
  * The --multibyte-handling=[allow|warn|warn-sym-only] option tells the
    assembler what to do when it encounters multibyte characters in the input.  The
    default is to allow them.  Setting the option to 'warn' will generate a
    warning message whenever any multibyte character is encountered.  Setting the
    option to 'warn-sym-only' will make the assembler generate a warning whenever a
    symbol is defined containing multibyte characters.  (References to undefined
    symbols will not generate warnings).
  * Outputs of .ds.x directive and .tfloat directive with hex input from
    x86 assembler have been reduced from 12 bytes to 10 bytes to match the
    output of .tfloat directive.
  * Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and
    'armv9.3-a' for -march in AArch64 GAS.
  * Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',
    'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.
  * Add support for Intel AVX512_FP16 instructions.
  * Add -z pack-relative-relocs/-z no pack-relative-relocs to x86 ELF
    linker to pack relative relocations in the DT_RELR section.
  * Add support for the LoongArch architecture.
  * Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF
    linker to control canonical function pointers and copy relocation.
  * Add --max-cache-size=SIZE to set the maximum cache size to SIZE
    bytes.
- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.
- Add gprofng subpackage.
- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).
- Add back fix for bsc#1191473, which got lost in the update to 2.38.
- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).
- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4155-1
Released:    Mon Nov 21 14:36:17 2022
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4214-1
Released:    Thu Nov 24 16:17:31 2022
Summary:     Security update for libdb-4_8
Type:        security
Severity:    low
References:  1174414,CVE-2019-2708
This update for libdb-4_8 fixes the following issues:

- CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4256-1
Released:    Mon Nov 28 12:36:32 2022
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the
PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4592-1
Released:    Tue Dec 20 16:51:35 2022
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1181961,CVE-2021-20206
This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4593-1
Released:    Tue Dec 20 16:55:16 2022
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1181961,CVE-2021-20206
This update for cni-plugins fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4628-1
Released:    Wed Dec 28 09:23:13 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, 
  when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:56-1
Released:    Mon Jan  9 11:13:43 2023
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  1206579,CVE-2022-47629
This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
  signature parser (bsc#1206579).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:308-1
Released:    Tue Feb  7 17:33:37 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:446-1
Released:    Fri Feb 17 09:52:43 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- Fix tests not passing when '@' character is in build path: 
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).
- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:486-1
Released:    Thu Feb 23 10:38:13 2023
Summary:     Security update for c-ares
Type:        security
Severity:    important
References:  1208067,CVE-2022-4904
This update for c-ares fixes the following issues:

  Updated to version 1.19.0:

  - CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:676-1
Released:    Wed Mar  8 14:33:23 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1204585
This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:776-1
Released:    Thu Mar 16 17:29:23 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes.

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux
Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

	https://gcc.gnu.org/gcc-12/changes.html


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:787-1
Released:    Thu Mar 16 19:37:18 2023
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    important
References:  1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949
This update for libsolv, libzypp, zypper fixes the following issues:

libsolv:

- Do not autouninstall SUSE PTF packages
- Ensure 'duplinvolvedmap_all' is reset when a solver is reused
- Fix 'keep installed' jobs not disabling 'best update' rules
- New '-P' and '-W' options for `testsolv`
- New introspection interface for weak dependencies similar to ruleinfos
- Ensure special case file dependencies are written correctly in the testcase writer
- Support better info about alternatives
- Support decision reason queries
- Support merging of related decisions
- Support stringification of multiple solvables
- Support stringification of ruleinfo, decisioninfo and decision reasons

libzypp:

- Avoid calling getsockopt when we know the info already.
  This patch should fix logging on WSL, where getsockopt seems not to be fully supported although the code
  required it when accepting new socket connections (bsc#1178233)
- Avoid redirecting 'history.logfile=/dev/null' into the target
- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)
- Enhance yaml-cpp detection
- Improve download of optional files
- MultiCurl: Make sure to reset the progress function when falling back.
- Properly reset range requests (bsc#1204548)
- Removing a PTF without enabled repos should always fail (bsc#1203248)
  Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. 
  To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the
  installed PTF packages to their latest version.
- Skip media.1/media download for http repo status calc.
  This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed.
  This optimisation only takes place if the repo does specify only downloading base urls.
- Use a dynamic fallback for BLKSIZE in downloads.
  When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fall back to a fixed,
  relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar
  metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949)
- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)
    
zypper:

- Allow to (re)add a service with the same URL (bsc#1203715)
- Bump dependency requirement to libzypp-devel 17.31.7 or greater
- Explain outdatedness of repositories
- patterns: Avoid displaying superfluous @System entries (bsc#1205570)
- Provide `removeptf` command (bsc#1203249)
  A remove command which prefers replacing dependant packages to removing them as well.
  A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant
  packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the
  remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official
  update versions.
- Update man page and explain '.no_auto_prune' (bsc#1204956)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1748-1
Released:    Tue Apr  4 09:06:59 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209624,CVE-2023-0464
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1753-1
Released:    Tue Apr  4 11:55:00 2023
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  
This update for systemd-presets-common-SUSE fixes the following issue:

- Enable systemd-pstore.service by default (jsc#PED-2663)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1908-1
Released:    Wed Apr 19 08:38:53 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1209873,1209878,CVE-2023-0465,CVE-2023-0466
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).
- CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1979-1
Released:    Tue Apr 25 09:36:43 2023
Summary:     Security update for protobuf-c
Type:        security
Severity:    important
References:  1210323,CVE-2022-48468
This update for protobuf-c fixes the following issues:

- CVE-2022-48468: Fixed an unsigned integer overflow. (bsc#1210323)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1991-1
Released:    Tue Apr 25 13:22:19 2023
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1160285,1210096
This update for permissions fixes the following issues:

* mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released:    Wed Apr 26 21:05:45 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469
This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132). 

The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2068-1
Released:    Fri Apr 28 13:55:00 2023
Summary:     Security update for shadow
Type:        security
Severity:    moderate
References:  1210507,CVE-2023-29383
This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released:    Fri Apr 28 17:02:25 2023
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1209533,CVE-2022-4899
This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released:    Thu May  4 21:05:30 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1209122
This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released:    Fri May  5 14:34:00 2023
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1210434,CVE-2023-29491
This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2133-1
Released:    Tue May  9 13:37:10 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1206513
This update for zlib fixes the following issues:

- Add DFLTCC support for using inflate() with a small window (bsc#1206513)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2226-1
Released:    Wed May 17 09:55:49 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1206309,1207992,1209209,1209210,1209211,1209212,1209214,1211231,1211232,1211233,1211339,CVE-2022-43552,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322
This update for curl fixes the following issues:

- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).
- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).
- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).
- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).
- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).
- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).
- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2248-1
Released:    Thu May 18 17:06:33 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1127591,1195633,1208329,1209406,1210870
This update for libzypp, zypper fixes the following issues:

- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
- multicurl: propagate ssl settings stored in repo url (bsc#1127591)
- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Teach MediaNetwork to retry on HTTP2 errors.
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2313-1
Released:    Tue May 30 09:29:25 2023
Summary:     Security update for c-ares
Type:        security
Severity:    important
References:  1211604,1211605,1211606,1211607,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067
This update for c-ares fixes the following issues:

Update to version 1.19.1:

- CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
- CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
- CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
- CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- Fix uninitialized memory warning in test
- ares_getaddrinfo() should allow a port of 0
- Fix memory leak in ares_send() on error
- Fix comment style in ares_data.h
- Fix typo in ares_init_options.3
- Sync ax_pthread.m4 with upstream
- Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released:    Tue May 30 15:52:17 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released:    Tue May 30 15:57:30 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2327-1
Released:    Tue May 30 16:44:58 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1211430,CVE-2023-2650
This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2333-1
Released:    Wed May 31 09:01:28 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1210593
This update for zlib fixes the following issue:

- Fix function calling order to avoid crashes (bsc#1210593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2472-1
Released:    Thu Jun  8 10:05:45 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1211661
This update for libzypp fixes the following issues:

- Do not unconditionally release a medium if provideFile failed (bsc#1211661)
- libzypp.spec.cmake: remove duplicate file listing
- Update to version 17.31.12 (22)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2496-1
Released:    Tue Jun 13 15:19:20 2023
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1212187
This update for libzypp fixes the following issue:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2622-1
Released:    Fri Jun 23 13:42:21 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1201627,1207534,CVE-2022-4304
This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.
  The previous fix for this timing side channel turned out to cause a
  severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests [bsc#1201627]
  * Add openssl-Update-further-expiring-certificates.patch

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2625-1
Released:    Fri Jun 23 17:16:11 2023
Summary:     Recommended update for gcc12
Type:        recommended
Severity:    moderate
References:  
This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

  * includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2644-1
Released:    Tue Jun 27 09:23:49 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1211261,1212187,1212222
This update for libzypp, zypper fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- build: honor libproxy.pc's includedir (bsc#1212222)
- Curl: trim all custom headers (bsc#1212187)
  HTTP/2 RFC 9113 forbids fields ending with a space. So we make
  sure all custom headers are trimmed. This also includes headers
  returned by URL-Resolver plugins.

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target
  is not defined in /etc/products.d/baseproduct (bsc#1211261)
- targetos: Update help and man page (bsc#1211261)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released:    Tue Jul 18 11:35:52 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released:    Tue Jul 18 11:39:26 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2879-1
Released:    Wed Jul 19 09:45:34 2023
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1212126,CVE-2023-34969
This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged user (bsc#1212126).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2918-1
Released:    Thu Jul 20 12:00:17 2023
Summary:     Recommended update for gpgme
Type:        recommended
Severity:    moderate
References:  1089497
This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)
    
libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2955-1
Released:    Tue Jul 25 05:22:54 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1193015
This update for util-linux fixes the following issues:

- Fix memory leak on parse errors in libmount. (bsc#1193015)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2956-1
Released:    Tue Jul 25 08:33:38 2023
Summary:     Security update for libcap
Type:        security
Severity:    moderate
References:  1211419,CVE-2023-2603
This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2961-1
Released:    Tue Jul 25 09:32:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213487,CVE-2023-3446
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2998-1
Released:    Thu Jul 27 08:39:49 2023
Summary:     Recommended update for libdb-4_8
Type:        recommended
Severity:    moderate
References:  1099695
This update for libdb-4_8 fixes the following issues:

- Fix incomplete license tag (bsc#1099695)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3068-1
Released:    Mon Jul 31 16:33:43 2023
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1213517
This update for openssl-1_1 fixes the following issues:

- Don't pass zero length input to EVP_Cipher (bsc#1213517)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3191-1
Released:    Fri Aug  4 06:29:08 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3388-1
Released:    Wed Aug 23 17:14:22 2023
Summary:     Recommended update for binutils
Type:        recommended
Severity:    important
References:  1213282
This update for binutils fixes the following issues:

- Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future
  SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3434-1
Released:    Thu Aug 24 15:05:22 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3513-1
Released:    Fri Sep  1 15:47:41 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3535-1
Released:    Tue Sep  5 14:46:31 2023
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1183533,1211945,1211946,1211947,1211948,1211951,CVE-2021-28153,CVE-2023-29499,CVE-2023-32611,CVE-2023-32636,CVE-2023-32643,CVE-2023-32665
This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)
- CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)
- CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)
- CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)
- CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)
- CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released:    Mon Sep 18 21:44:09 2023
Summary:     Security update for gcc12
Type:        security
Severity:    important
References:  1214052,CVE-2023-4039
This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3686-1
Released:    Tue Sep 19 17:23:03 2023
Summary:     Security update for gcc7
Type:        security
Severity:    important
References:  1195517,1196861,1204505,1205145,1214052,CVE-2023-4039
This update for gcc7 fixes the following issues:

Security issue fixed:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

Other fixes:

- Fixed KASAN kernel compile.  [bsc#1205145]
- Fixed ICE with C++17 code as reported in [bsc#1204505]
- Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517)
- Adjust gnats idea of the target, fixing the build of gprbuild.  [bsc#1196861]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3698-1
Released:    Wed Sep 20 11:01:15 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615
This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed a global buffer overflow that could be caused by crafted XML (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3815-1
Released:    Wed Sep 27 18:20:25 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3816-1
Released:    Wed Sep 27 18:25:44 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3825-1
Released:    Wed Sep 27 18:48:53 2023
Summary:     Security update for binutils
Type:        security
Severity:    important
References:  1200962,1206080,1206556,1208037,1208038,1208040,1208409,1209642,1210297,1210733,1213458,1214565,1214567,1214579,1214580,1214604,1214611,1214619,1214620,1214623,1214624,1214625,CVE-2020-19726,CVE-2021-32256,CVE-2022-35205,CVE-2022-35206,CVE-2022-4285,CVE-2022-44840,CVE-2022-45703,CVE-2022-47673,CVE-2022-47695,CVE-2022-47696,CVE-2022-48063,CVE-2022-48064,CVE-2022-48065,CVE-2023-0687,CVE-2023-1579,CVE-2023-1972,CVE-2023-2222,CVE-2023-25585,CVE-2023-25587,CVE-2023-25588
This update for binutils fixes the following issues:

Update to version 2.41 [jsc#PED-5778]:

* The MIPS port now supports the Sony Interactive Entertainment Allegrex
  processor, used with the PlayStation Portable, which implements the MIPS
  II ISA along with a single-precision FPU and a few implementation-specific
  integer instructions.
* Objdump's --private option can now be used on PE format files to display the
  fields in the file header and section headers.
* New versioned release of libsframe: libsframe.so.1.  This release introduces
  versioned symbols with version node name LIBSFRAME_1.0.  This release also
  updates the ABI in an incompatible way: this includes removal of
  sframe_get_funcdesc_with_addr API, change in the behavior of
  sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
* SFrame Version 2 is now the default (and only) format version supported by
  gas, ld, readelf and objdump.
* Add command-line option, --strip-section-headers, to objcopy and strip to
  remove ELF section header from ELF file.
* The RISC-V port now supports the following new standard extensions:

  - Zicond (conditional zero instructions)
  - Zfa (additional floating-point instructions)
  - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
    Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)

* The RISC-V port now supports the following vendor-defined extensions:
  - XVentanaCondOps
* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
* A new .insn directive is recognized by x86 gas.
* Add SME2 support to the AArch64 port.
* The linker now accepts a command line option of --remap-inputs
  PATTERN=FILE to replace any input file that matches PATTERN with
  FILE.  In addition the option --remap-inputs-file=FILE can be used to
  specify a file containing any number of these remapping directives.
* The linker command line option --print-map-locals can be used to include
  local symbols in a linker map.  (ELF targets only).
* For most ELF based targets, if the --enable-linker-version option is used
  then the version of the linker will be inserted as a string into the .comment
  section.
* The linker script syntax has a new command for output sections: ASCIZ 'string'
  This will insert a zero-terminated string at the current location.
* Add command-line option, -z nosectionheader, to omit ELF section
  header.

- Contains fixes for these non-CVEs (not security bugs per upstream's
  SECURITY.md):
  * bsc#1209642 aka CVE-2023-1579 aka PR29988
  * bsc#1210297 aka CVE-2023-1972 aka PR30285
  * bsc#1210733 aka CVE-2023-2222 aka PR29936
  * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
  * bsc#1214565 aka CVE-2020-19726 aka PR26240
  * bsc#1214567 aka CVE-2022-35206 aka PR29290
  * bsc#1214579 aka CVE-2022-35205 aka PR29289
  * bsc#1214580 aka CVE-2022-44840 aka PR29732
  * bsc#1214604 aka CVE-2022-45703 aka PR29799
  * bsc#1214611 aka CVE-2022-48065 aka PR29925
  * bsc#1214619 aka CVE-2022-48064 aka PR29922
  * bsc#1214620 aka CVE-2022-48063 aka PR29924
  * bsc#1214623 aka CVE-2022-47696 aka PR29677
  * bsc#1214624 aka CVE-2022-47695 aka PR29846
  * bsc#1214625 aka CVE-2022-47673 aka PR29876

- This existed only for a very short while in SLE-15, as the main
  variant in devel:gcc subsumed this in binutils-revert-rela.diff.
  Hence:

- Document fixed CVEs:

  * bsc#1208037 aka CVE-2023-25588 aka PR29677
  * bsc#1208038 aka CVE-2023-25587 aka PR29846
  * bsc#1208040 aka CVE-2023-25585 aka PR29892
  * bsc#1208409 aka CVE-2023-0687 aka PR29444

- Enable bpf-none cross target and add bpf-none to the multitarget
  set of supported targets.
- Disable packed-relative-relocs for old codestreams.  They generate
  buggy relocations when binutils-revert-rela.diff is active.
  [bsc#1206556]
- Disable ZSTD debug section compress by default.
- Enable zstd compression algorithm (instead of zlib)
  for debug info sections by default.
- Pack libgprofng only for supported platforms.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing
  of the package).

- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

Update to version 2.40:

* Objdump has a new command line option --show-all-symbols which will make it
  display all symbols that match a given address when disassembling.  (Normally
  only the first symbol that matches an address is shown).
* Add --enable-colored-disassembly configure time option to enable colored
  disassembly output by default, if the output device is a terminal.  Note,
  this configure option is disabled by default.
* DCO signed contributions are now accepted.
* objcopy --decompress-debug-sections now supports zstd compressed debug
  sections.  The new option --compress-debug-sections=zstd compresses debug
  sections with zstd.
* addr2line and objdump --dwarf now support zstd compressed debug sections.
* The dlltool program now accepts --deterministic-libraries and
  --non-deterministic-libraries as command line options to control whether or
  not it generates deterministic output libraries.  If neither of these options
  are used the default is whatever was set when the binutils were configured.
* readelf and objdump now have a newly added option --sframe which dumps the
  SFrame section.
* Add support for Intel RAO-INT instructions.
* Add support for Intel AVX-NE-CONVERT instructions.
* Add support for Intel MSRLIST instructions.
* Add support for Intel WRMSRNS instructions.
* Add support for Intel CMPccXADD instructions.
* Add support for Intel AVX-VNNI-INT8 instructions.
* Add support for Intel AVX-IFMA instructions.
* Add support for Intel PREFETCHI instructions.
* Add support for Intel AMX-FP16 instructions.
* gas now supports --compress-debug-sections=zstd to compress
  debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
  that selects the default compression algorithm
  for --enable-compressed-debug-sections.
* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,
  XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,
  XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head
  ISA manual, which are implemented in the Allwinner D1.
* Add support for the RISC-V Zawrs extension, version 1.0-rc4.
* Add support for Cortex-X1C for Arm.
* New command line option --gsframe to generate SFrame unwind information
  on x86_64 and aarch64 targets.
* The linker has a new command line option to suppress the generation of any
  warning or error messages.  This can be useful when there is a need to create
  a known non-working binary.  The option is -w or --no-warnings.
* ld now supports zstd compressed debug sections.  The new option
  --compress-debug-sections=zstd compresses debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
  that selects the default compression algorithm
  for --enable-compressed-debug-sections.
* Remove support for -z bndplt (MPX prefix instructions).

- Includes fixes for these CVEs:

  * bsc#1206080 aka CVE-2022-4285 aka PR29699

- Enable by default: --enable-colored-disassembly.
- fix build on x86_64_vX platforms 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3937-1
Released:    Tue Oct  3 11:33:38 2023
Summary:     Recommended update for zypper
Type:        recommended
Severity:    moderate
References:  1213854,1214292,1214395,1215007
This update for zypper fixes the following issues:

- Fix name of the bash completion script (bsc#1215007)
- Update notes about failing signature checks (bsc#1214395)
- Improve the SIGINT handler to be signal safe (bsc#1214292)
- Update to version 1.14.64
- Changed location of bash completion script (bsc#1213854).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3958-1
Released:    Wed Oct  4 09:16:06 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4025-1
Released:    Tue Oct 10 13:41:02 2023
Summary:     Security update for shadow
Type:        security
Severity:    low
References:  1214806,CVE-2023-4641
This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4047-1
Released:    Wed Oct 11 10:40:26 2023
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1215286,1215505,CVE-2023-4813
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)


Other changes:

- Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
- Run vismain only if linker supports protected data symbol (bsc#1215505)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4126-1
Released:    Thu Oct 19 09:38:31 2023
Summary:     Security update for cni
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4127-1
Released:    Thu Oct 19 09:43:23 2023
Summary:     Security update for cni-plugins
Type:        security
Severity:    important
References:  1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released:    Mon Oct 23 15:33:03 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4217-1
Released:    Thu Oct 26 12:20:27 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853
This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a
  buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039
This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15
versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux
Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available
unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

        https://gcc.gnu.org/gcc-13/changes.html


Detailed changes:


* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable
  length stack allocations.  (bsc#1214052)

- Work around third party app crash during C++ standard library initialization.  [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when
  building with LTO.  [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they
  can be installed standalone.  [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex,
  the benefit of the former one is that the linker jobs are not
  holding tokens of the make's jobserver.
- Add cross-bpf packages.  See https://gcc.gnu.org/wiki/BPFBackEnd
  for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be
  specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0. 
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone
  package.  Make libstdc++6 recommend timezone to get a fully
  working std::chrono.  Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing.  [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there. 
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture)
  as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier
  SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture.
  PRU architecture is used for real-time MCUs embedded into TI
  armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for
  armv7l in order to build both host applications and PRU firmware
  during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4464-1
Released:    Thu Nov 16 17:56:12 2023
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1216129,CVE-2023-45322
This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4512-1
Released:    Tue Nov 21 17:25:02 2023
Summary:     Security update for util-linux
Type:        security
Severity:    important
References:  1213865,CVE-2018-7738
This update for util-linux fixes the following issues:

- CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4520-1
Released:    Tue Nov 21 17:42:13 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1216922,CVE-2023-5678
This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4536-1
Released:    Thu Nov 23 08:19:05 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1041742,1203760,1212422,1215979,1216091
This update for libzypp, zypper fixes the following issues:

- Preliminary disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)
- Fix comment typo on zypp.conf (bsc#1215979)
- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)
- Make sure the old target is deleted before a new one is created (bsc#1203760)
- Return 104 also if info suggests near matches
- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)
- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4613-1
Released:    Wed Nov 29 15:46:24 2023
Summary:     Updates Cilium
Type:        security
Severity:    important
References:  1215713,1216174,CVE-2023-35945,CVE-2023-44487
Updates the Cilium addon, which was rebuilt to include a couple of security fixes

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150000.3.60.1 updated
- binutils-2.41-150100.7.46.1 updated
- cilium-proxy-20200109-150100.3.3.14.1 updated
- clang7-7.0.1-150100.3.22.2 updated
- cni-plugins-0.8.6-150100.3.20.1 updated
- cni-0.7.1-150100.3.16.1 updated
- coreutils-8.29-4.3.1 updated
- cpp7-7.5.0+r278197-150000.4.35.1 updated
- dbus-1-1.12.2-150100.8.17.1 updated
- filesystem-15.0-11.8.1 updated
- gawk-4.2.1-150000.3.3.1 updated
- gcc7-7.5.0+r278197-150000.4.35.1 updated
- glibc-32bit-2.26-150000.13.70.1 updated
- glibc-devel-32bit-2.26-150000.13.70.1 updated
- glibc-devel-2.26-150000.13.70.1 updated
- glibc-2.26-150000.13.70.1 updated
- gpg2-2.2.5-150000.4.22.1 updated
- grep-3.1-150000.4.6.1 updated
- gzip-1.10-150000.4.15.1 updated
- krb5-1.16.3-150100.3.30.1 updated
- libLLVM7-7.0.1-150100.3.22.2 updated
- libLTO7-7.0.1-150100.3.22.2 updated
- libasan4-7.5.0+r278197-150000.4.35.1 updated
- libassuan0-2.5.5-150000.4.5.2 updated
- libatomic1-13.2.1+git7813-150000.1.6.1 updated
- libaugeas0-1.10.1-150000.3.12.1 updated
- libblkid1-2.33.2-150100.4.40.1 updated
- libcap2-2.26-150000.4.9.1 updated
- libcares2-1.19.1-150000.3.23.1 updated
- libcilkrts5-7.5.0+r278197-150000.4.35.1 updated
- libclang7-7.0.1-150100.3.22.2 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libcryptsetup12-2.0.6-150100.4.6.1 updated
- libctf-nobfd0-2.41-150100.7.46.1 updated
- libctf0-2.41-150100.7.46.1 updated
- libcurl4-7.60.0-150000.51.1 updated
- libdb-4_8-4.8.30-150000.7.9.1 updated
- libdbus-1-3-1.12.2-150100.8.17.1 updated
- libexpat1-2.2.5-150000.3.25.1 updated
- libfdisk1-2.33.2-150100.4.40.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libglib-2_0-0-2.54.3-150000.4.29.1 updated
- libgnutls30-3.6.7-150000.6.45.2 updated
- libgomp1-13.2.1+git7813-150000.1.6.1 updated
- libgpgme11-1.10.0-150000.4.6.2 updated
- libitm1-13.2.1+git7813-150000.1.6.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libldap-2_4-2-2.4.46-150000.9.74.3 updated
- libldap-data-2.4.46-150000.9.74.3 updated
- liblsan0-13.2.1+git7813-150000.1.6.1 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libmount1-2.33.2-150100.4.40.1 updated
- libmpx2-8.2.1+r264010-150000.1.6.4 updated
- libmpxwrappers2-8.2.1+r264010-150000.1.6.4 updated
- libncurses6-6.1-150000.5.15.1 updated
- libnghttp2-14-1.40.0-150000.3.17.1 updated
- libopenssl1_1-1.1.0i-150100.14.68.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-c-devel-1.3.0-150000.3.3.1 updated
- libprotobuf-c1-1.3.0-150000.3.3.1 updated
- libprotobuf-lite20-3.9.2-150100.8.3.3 added
- libprotobuf15-3.5.0-5.5.1 updated
- libprotoc15-3.5.0-5.5.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libsasl2-3-2.1.26-150000.5.13.1 updated
- libsmartcols1-2.33.2-150100.4.40.1 updated
- libsolv-tools-0.7.24-150100.4.12.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libstdc++6-devel-gcc7-7.5.0+r278197-150000.4.35.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- libsystemd0-234-150000.24.111.1 updated
- libtasn1-6-4.13-150000.4.8.1 updated
- libtasn1-4.13-150000.4.8.1 updated
- libtirpc-netconfig-1.0.2-150000.3.18.1 updated
- libtirpc3-1.0.2-150000.3.18.1 updated
- libtsan0-11.3.0+git1637-150000.1.11.2 updated
- libubsan0-7.5.0+r278197-150000.4.35.1 updated
- libudev1-234-150000.24.111.1 updated
- libusb-1_0-0-1.0.21-150000.3.5.1 updated
- libuuid1-2.33.2-150100.4.40.1 updated
- libxml2-2-2.9.7-150000.3.63.1 updated
- libyaml-cpp0_6-0.6.1-4.5.1 updated
- libz1-1.2.11-150000.3.48.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.22-150100.3.120.1 updated
- llvm7-7.0.1-150100.3.22.2 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssl-1_1-1.1.0i-150100.14.68.1 added
- openssl-1.1.0i-3.3.1 added
- pam-1.3.0-150000.6.61.1 updated
- perl-base-5.26.1-150000.7.15.1 updated
- permissions-20181116-150100.9.41.1 updated
- procps-3.3.15-150000.7.34.1 updated
- protobuf-c-1.3.0-150000.3.3.1 updated
- shadow-4.6-150100.3.11.1 updated
- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- systemd-234-150000.24.111.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- udev-234-150000.24.111.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- util-linux-2.33.2-150100.4.40.1 updated
- zypper-1.14.66-150100.3.90.1 updated
- container:sles15-image-15.0.0-6.2.848 updated
- libprotobuf-lite15-3.5.0-5.2.1 removed

SUSE: 2023:3915-1 caasp/v4/cilium Security Update

November 29, 2023
The container caasp/v4/cilium was updated

Summary

Advisory ID: SUSE-RU-2022:337-1 Released: Fri Feb 4 10:24:28 2022 Summary: Recommended update for libzypp Type: recommended Severity: important
Advisory ID: SUSE-RU-2022:473-1 Released: Thu Feb 17 10:29:42 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:498-1 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Type: security Severity: important
Advisory ID: SUSE-RU-2022:511-1 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:523-1 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:38 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:702-1 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Type: security Severity: important
Advisory ID: SUSE-SU-2022:713-1 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Type: security Severity: important
Advisory ID: SUSE-RU-2022:787-1 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:823-1 Released: Mon Mar 14 15:16:37 2022 Summary: Security update for protobuf Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:832-1 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Type: security Severity: important
Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important
Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:52 2022 Summary: Security update for chrony Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:853-1 Released: Tue Mar 15 19:27:30 2022 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:30:48 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:867-1 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:874-1 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1021-1 Released: Tue Mar 29 13:24:21 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important
Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate
Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1109-1 Released: Mon Apr 4 17:50:01 2022 Summary: Recommended update for util-linux Type: recommended Severity: important
Advisory ID: SUSE-SU-2022:1131-1 Released: Fri Apr 8 09:43:53 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important
Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important
Advisory ID: SUSE-SU-2022:1250-1 Released: Sun Apr 17 15:39:47 2022 Summary: Security update for gzip Type: security Severity: important
Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1438-1 Released: Wed Apr 27 15:27:19 2022 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: low
Advisory ID: SUSE-RU-2022:1439-1 Released: Wed Apr 27 16:08:04 2022 Summary: Recommended update for binutils Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1452-1 Released: Thu Apr 28 10:48:06 2022 Summary: Recommended update for perl Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1656-1 Released: Fri May 13 15:38:02 2022 Summary: Recommended update for llvm7 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important
Advisory ID: SUSE-SU-2022:1674-1 Released: Mon May 16 10:12:11 2022 Summary: Security update for gzip Type: security Severity: important
Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important
Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important
Advisory ID: SUSE-SU-2022:1832-1 Released: Tue May 24 11:52:33 2022 Summary: Security update for openldap2 Type: security Severity: important
Advisory ID: SUSE-RU-2022:1851-1 Released: Thu May 26 08:59:55 2022 Summary: Recommended update for gcc8 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:2049-1 Released: Mon Jun 13 09:23:52 2022 Summary: Recommended update for binutils Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:2068-1 Released: Tue Jun 14 10:14:47 2022 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2022:2157-1 Released: Wed Jun 22 17:11:26 2022 Summary: Recommended update for binutils Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:2179-1 Released: Fri Jun 24 14:05:25 2022 Summary: Security update for openssl Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:2311-1 Released: Wed Jul 6 15:16:17 2022 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2022:2323-1 Released: Thu Jul 7 12:16:58 2022 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: low
Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important
Advisory ID: SUSE-SU-2022:2405-1 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Type: security Severity: moderate
Advisory ID: SUSE-RU-2022:2471-1 Released: Thu Jul 21 04:42:58 2022 Summary: Recommended update for systemd Type: recommended Severity: important
Advisory ID: SUSE-RU-2022:2571-1 Released: Thu Jul 28 04:20:52 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:2717-1 Released: Tue Aug 9 12:54:16 2022 Summary: Security update for ncurses Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:2829-1 Released: Wed Aug 17 13:33:11 2022 Summary: Security update for curl Type: security Severity: important
Advisory ID: SUSE-SU-2022:2830-1 Released: Wed Aug 17 14:36:26 2022 Summary: Security update for gnutls Type: security Severity: important
Advisory ID: SUSE-SU-2022:2866-1 Released: Mon Aug 22 15:36:30 2022 Summary: Security update for systemd-presets-common-SUSE Type: security Severity: moderate
Advisory ID: SUSE-RU-2022:2905-1 Released: Fri Aug 26 05:30:33 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:2944-1 Released: Wed Aug 31 05:39:14 2022 Summary: Recommended update for procps Type: recommended Severity: important
Advisory ID: SUSE-SU-2022:2947-1 Released: Wed Aug 31 09:16:21 2022 Summary: Security update for zlib Type: security Severity: important
Advisory ID: SUSE-SU-2022:2991-1 Released: Thu Sep 1 16:04:30 2022 Summary: Security update for libtirpc Type: security Severity: important
Advisory ID: SUSE-RU-2022:2994-1 Released: Fri Sep 2 10:44:54 2022 Summary: Recommended update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:3129-1 Released: Wed Sep 7 04:42:53 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:3144-1 Released: Wed Sep 7 11:04:23 2022 Summary: Security update for gpg2 Type: security Severity: important
Advisory ID: SUSE-RU-2022:3221-1 Released: Fri Sep 9 04:31:28 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:3262-1 Released: Tue Sep 13 15:34:29 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:3549-1 Released: Fri Oct 7 14:39:40 2022 Summary: Security update for cyrus-sasl Type: security Severity: important
Advisory ID: SUSE-RU-2022:3566-1 Released: Tue Oct 11 16:19:09 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: critical
Advisory ID: SUSE-SU-2022:3597-1 Released: Mon Oct 17 13:13:16 2022 Summary: Security update for expat Type: security Severity: important
Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical
Advisory ID: SUSE-SU-2022:3774-1 Released: Wed Oct 26 12:21:09 2022 Summary: Security update for curl Type: security Severity: important
Advisory ID: SUSE-SU-2022:3784-1 Released: Wed Oct 26 18:03:28 2022 Summary: Security update for libtasn1 Type: security Severity: critical
Advisory ID: SUSE-SU-2022:3805-1 Released: Thu Oct 27 17:19:46 2022 Summary: Security update for dbus-1 Type: security Severity: important
Advisory ID: SUSE-SU-2022:3871-1 Released: Fri Nov 4 13:26:29 2022 Summary: Security update for libxml2 Type: security Severity: important
Advisory ID: SUSE-RU-2022:3882-1 Released: Mon Nov 7 09:06:03 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2022:3905-1 Released: Tue Nov 8 12:23:17 2022 Summary: Recommended update for aaa_base Type: recommended Severity: important
Advisory ID: SUSE-RU-2022:3910-1 Released: Tue Nov 8 13:05:04 2022 Summary: Recommended update for pam Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:3912-1 Released: Tue Nov 8 13:38:11 2022 Summary: Security update for expat Type: security Severity: important
Advisory ID: SUSE-RU-2022:3961-1 Released: Mon Nov 14 07:33:50 2022 Summary: Recommended update for zlib Type: recommended Severity: important
Advisory ID: SUSE-RU-2022:3975-1 Released: Mon Nov 14 15:41:13 2022 Summary: Recommended update for util-linux Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:4081-1 Released: Fri Nov 18 15:40:46 2022 Summary: Security update for dpkg Type: security Severity: low
Advisory ID: SUSE-SU-2022:4146-1 Released: Mon Nov 21 09:56:12 2022 Summary: Security update for binutils Type: security Severity: moderate
Advisory ID: SUSE-SU-2022:4155-1 Released: Mon Nov 21 14:36:17 2022 Summary: Security update for krb5 Type: security Severity: important
Advisory ID: SUSE-SU-2022:4214-1 Released: Thu Nov 24 16:17:31 2022 Summary: Security update for libdb-4_8 Type: security Severity: low
Advisory ID: SUSE-RU-2022:4256-1 Released: Mon Nov 28 12:36:32 2022 Summary: Recommended update for gcc12 Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2022:4592-1 Released: Tue Dec 20 16:51:35 2022 Summary: Security update for cni Type: security Severity: important
Advisory ID: SUSE-SU-2022:4593-1 Released: Tue Dec 20 16:55:16 2022 Summary: Security update for cni-plugins Type: security Severity: important
Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:56-1 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:181-1 Released: Thu Jan 26 21:55:43 2023 Summary: Recommended update for procps Type: recommended Severity: low
Advisory ID: SUSE-RU-2023:188-1 Released: Fri Jan 27 12:07:19 2023 Summary: Recommended update for zlib Type: recommended Severity: important
Advisory ID: SUSE-SU-2023:308-1 Released: Tue Feb 7 17:33:37 2023 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2023:446-1 Released: Fri Feb 17 09:52:43 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:486-1 Released: Thu Feb 23 10:38:13 2023 Summary: Security update for c-ares Type: security Severity: important
Advisory ID: SUSE-RU-2023:676-1 Released: Wed Mar 8 14:33:23 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:776-1 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:787-1 Released: Thu Mar 16 19:37:18 2023 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important
Advisory ID: SUSE-SU-2023:1748-1 Released: Tue Apr 4 09:06:59 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:1753-1 Released: Tue Apr 4 11:55:00 2023 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:1908-1 Released: Wed Apr 19 08:38:53 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:1979-1 Released: Tue Apr 25 09:36:43 2023 Summary: Security update for protobuf-c Type: security Severity: important
Advisory ID: SUSE-RU-2023:1991-1 Released: Tue Apr 25 13:22:19 2023 Summary: Recommended update for permissions Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2048-1 Released: Wed Apr 26 21:05:45 2023 Summary: Security update for libxml2 Type: security Severity: important
Advisory ID: SUSE-SU-2023:2068-1 Released: Fri Apr 28 13:55:00 2023 Summary: Security update for shadow Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:2074-1 Released: Fri Apr 28 17:02:25 2023 Summary: Security update for zstd Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:2104-1 Released: Thu May 4 21:05:30 2023 Summary: Recommended update for procps Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2111-1 Released: Fri May 5 14:34:00 2023 Summary: Security update for ncurses Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:2133-1 Released: Tue May 9 13:37:10 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2226-1 Released: Wed May 17 09:55:49 2023 Summary: Security update for curl Type: security Severity: important
Advisory ID: SUSE-RU-2023:2248-1 Released: Thu May 18 17:06:33 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2313-1 Released: Tue May 30 09:29:25 2023 Summary: Security update for c-ares Type: security Severity: important
Advisory ID: SUSE-SU-2023:2324-1 Released: Tue May 30 15:52:17 2023 Summary: Security update for cni-plugins Type: security Severity: important
Advisory ID: SUSE-SU-2023:2325-1 Released: Tue May 30 15:57:30 2023 Summary: Security update for cni Type: security Severity: important
Advisory ID: SUSE-SU-2023:2327-1 Released: Tue May 30 16:44:58 2023 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2023:2333-1 Released: Wed May 31 09:01:28 2023 Summary: Recommended update for zlib Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:2472-1 Released: Thu Jun 8 10:05:45 2023 Summary: Recommended update for libzypp Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:2496-1 Released: Tue Jun 13 15:19:20 2023 Summary: Recommended update for libzypp Type: recommended Severity: important
Advisory ID: SUSE-SU-2023:2622-1 Released: Fri Jun 23 13:42:21 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:2625-1 Released: Fri Jun 23 17:16:11 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:2644-1 Released: Tue Jun 27 09:23:49 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2868-1 Released: Tue Jul 18 11:35:52 2023 Summary: Security update for cni Type: security Severity: important
Advisory ID: SUSE-SU-2023:2869-1 Released: Tue Jul 18 11:39:26 2023 Summary: Security update for cni-plugins Type: security Severity: important
Advisory ID: SUSE-SU-2023:2879-1 Released: Wed Jul 19 09:45:34 2023 Summary: Security update for dbus-1 Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:2955-1 Released: Tue Jul 25 05:22:54 2023 Summary: Recommended update for util-linux Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:2956-1 Released: Tue Jul 25 08:33:38 2023 Summary: Security update for libcap Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:2961-1 Released: Tue Jul 25 09:32:56 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
Advisory ID: SUSE-RU-2023:2998-1 Released: Thu Jul 27 08:39:49 2023 Summary: Recommended update for libdb-4_8 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:3068-1 Released: Mon Jul 31 16:33:43 2023 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:3191-1 Released: Fri Aug 4 06:29:08 2023 Summary: Recommended update for cryptsetup Type: recommended Severity: moderate
Advisory ID: SUSE-RU-2023:3388-1 Released: Wed Aug 23 17:14:22 2023 Summary: Recommended update for binutils Type: recommended Severity: important
Advisory ID: SUSE-SU-2023:3434-1 Released: Thu Aug 24 15:05:22 2023 Summary: Security update for krb5 Type: security Severity: important
Advisory ID: SUSE-SU-2023:3440-1 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Type: security Severity: low
Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low
Advisory ID: SUSE-RU-2023:3513-1 Released: Fri Sep 1 15:47:41 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:3535-1 Released: Tue Sep 5 14:46:31 2023 Summary: Security update for glib2 Type: security Severity: important
Advisory ID: SUSE-SU-2023:3661-1 Released: Mon Sep 18 21:44:09 2023 Summary: Security update for gcc12 Type: security Severity: important
Advisory ID: SUSE-SU-2023:3686-1 Released: Tue Sep 19 17:23:03 2023 Summary: Security update for gcc7 Type: security Severity: important
Advisory ID: SUSE-SU-2023:3698-1 Released: Wed Sep 20 11:01:15 2023 Summary: Security update for libxml2 Type: security Severity: important
Advisory ID: SUSE-SU-2023:3815-1 Released: Wed Sep 27 18:20:25 2023 Summary: Security update for cni Type: security Severity: important
Advisory ID: SUSE-SU-2023:3816-1 Released: Wed Sep 27 18:25:44 2023 Summary: Security update for cni-plugins Type: security Severity: important
Advisory ID: SUSE-SU-2023:3825-1 Released: Wed Sep 27 18:48:53 2023 Summary: Security update for binutils Type: security Severity: important
Advisory ID: SUSE-RU-2023:3937-1 Released: Tue Oct 3 11:33:38 2023 Summary: Recommended update for zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:3958-1 Released: Wed Oct 4 09:16:06 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:4025-1 Released: Tue Oct 10 13:41:02 2023 Summary: Security update for shadow Type: security Severity: low
Advisory ID: SUSE-SU-2023:4047-1 Released: Wed Oct 11 10:40:26 2023 Summary: Security update for glibc Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:4126-1 Released: Thu Oct 19 09:38:31 2023 Summary: Security update for cni Type: security Severity: important
Advisory ID: SUSE-SU-2023:4127-1 Released: Thu Oct 19 09:43:23 2023 Summary: Security update for cni-plugins Type: security Severity: important
Advisory ID: SUSE-SU-2023:4162-1 Released: Mon Oct 23 15:33:03 2023 Summary: Security update for gcc13 Type: security Severity: important
Advisory ID: SUSE-SU-2023:4217-1 Released: Thu Oct 26 12:20:27 2023 Summary: Security update for zlib Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:4458-1 Released: Thu Nov 16 14:38:48 2023 Summary: Security update for gcc13 Type: security Severity: important
Advisory ID: SUSE-SU-2023:4464-1 Released: Thu Nov 16 17:56:12 2023 Summary: Security update for libxml2 Type: security Severity: moderate
Advisory ID: SUSE-SU-2023:4512-1 Released: Tue Nov 21 17:25:02 2023 Summary: Security update for util-linux Type: security Severity: important
Advisory ID: SUSE-SU-2023:4520-1 Released: Tue Nov 21 17:42:13 2023 Summary: Security update for openssl-1_1 Type: security Severity: important
Advisory ID: SUSE-RU-2023:4536-1 Released: Thu Nov 23 08:19:05 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate
Advisory ID: SUSE-SU-2023:4613-1 Released: Wed Nov 29 15:46:24 2023 Summary: Updates Cilium Type: security Severity: important

References

1193007,1194597,1194898

This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)

- Fix exception handling when reading or writing credentials (bsc#1194898)

- Fix install path for parser (bsc#1194597)

- Fix Legacy include (bsc#1194597)

- Public header files on older distros must use c++11 (bsc#1194597)

1195326

This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)

  This fixes delays at the end of zypper operations, where zypper unintentionally waits for appdata plugin scripts to complete.

1195054,1195217,CVE-2022-23852,CVE-2022-23990

This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).

- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

1082318,1189152

This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

- Properly sort docs and license files (bsc#1082318).

1193759,1193841

This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).

- add rules for virtual devices (bsc#1193759).

- enforce 'none' for loop devices (bsc#1193759).

1187512

This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

1190447

This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

1196036,CVE-2022-24407

This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315

This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).

- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).

- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).

- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).

- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

1195654

This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

1195468

This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if someone sends such signal. Without the signal handler, SIGURG will just be ignored. (bsc#1195468)

1195258,CVE-2021-22570

This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)

- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)

- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)

- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

1196025,1196784,CVE-2022-25236

This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE server

- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication

- Add support for AES-CMAC keys (AES128, AES256) with Nettle

- Add authselectmode directive to control selection of unauthenticated sources

- Add binddevice, bindacqdevice, bindcmddevice directives

- Add confdir directive to better support fragmented configuration

- Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files

- Add clockprecision directive

- Add dscp directive to set Differentiated Services Code Point (DSCP)

- Add -L option to limit log messages by severity

- Add -p option to print whole configuration with included files

- Add -U option to allow start under non-root user

- Allow maxsamples to be set to 1 for faster update with -q/-Q option

- Avoid replacing NTP sources with sources that have unreachable address

- Improve pools to repeat name resolution to get 'maxsources' sources

- Improve source selection with trusted sources

- Improve NTP loop test to prevent synchronisation to itself

- Repeat iburst when NTP source is switched from offline state to online

- Update clock synchronisation status and leap status more frequently

- Update seccomp filter

- Add 'add pool' command

- Add 'reset sources' command to drop all measurements

- Add authdata command to print details about NTP authentication

- Add selectdata command to print details about source selection

- Add -N option and sourcename command to print original names of sources

- Add -a option to some commands to print also unresolved sources

- Add -k, -p, -r options to clients command to select, limit, reset data

- Bug fixes

- Don’t set interface for NTP responses to allow asymmetric routing

- Handle RTCs that don’t support interrupts

- Respond to command requests with correct address on multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)

- Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')

- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0

+ Add support for hardware timestamping on interfaces with read-only timestamping configuration

+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris

+ Update seccomp filter to work on more architectures

+ Validate refclock driver options

+ Fix bindaddress directive on FreeBSD

+ Fix transposition of hardware RX timestamp on Linux 4.13 and later

+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.

- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive

+ Add minsamples and maxsamples options to hwtimestamp directive

+ Add support for faster frequency adjustments in Linux 4.19

+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit

+ Disable sub-second polling intervals for distant NTP sources

+ Extend range of supported sub-second polling intervals

+ Get/set IPv4 destination/source address of NTP packets on FreeBSD

+ Make burst options and command useful with short polling intervals

+ Modify auto_offline option to activate when sending request failed

+ Respond from interface that received NTP request if possible

+ Add onoffline command to switch between online and offline state according to current system network configuration

+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call

+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive

+ Add stratum and tai options to refclock directive

+ Add support for Nettle crypto library

+ Add workaround for missing kernel receive timestamps on Linux

+ Wait for late hardware transmit timestamps

+ Improve source selection with unreachable sources

+ Improve protection against replay attacks on symmetric mode

+ Allow PHC refclock to use socket in /var/run/chrony

+ Add shutdown command to stop chronyd

+ Simplify format of response to manual list command

+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode

+ Fix -x option to not require CAP_SYS_TIME under non-root user

+ Fix acquisitionport directive to work with privilege separation

+ Fix handling of socket errors on Linux to avoid high CPU usage

+ Fix chronyc to not get stuck in infinite loop after clock step

1196877,CVE-2022-0778

This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)

- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)

- FIPS: Fix function and reason error codes (bsc#1182959)

- Enable zlib compression support (bsc#1195149)

glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

1193805

This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

1197004

This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

1196275,1196406

This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

1195899

This update for systemd fixes the following issues:

- allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

1196093,1197024

This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)

- Between allocating the variable 'ai' and freeing it, there are two 'return NO' paths where this variable is not freed. This patch inserts freeaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

1197459,CVE-2018-25032

This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292

This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner::EnsureTokensInQueue (bsc#1121227).

- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowMap (bsc#1121230).

- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).

- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

1194883

This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)

- Include all fixes and changes for the systemwide inputrc to remove the 8-bit escape sequences which interfere with UTF-8 multi-byte characters, and to support the vi mode of the readline library

1172427,1194642

This update for util-linux fixes the following issues:

- Improve throughput and reduce clock sequence increments for high load situation with time based version 1 uuids. (bsc#1194642)

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)

- Warn if uuidd lock state is not usable. (bsc#1194642)

- Fix 'su -s' bash completion. (bsc#1172427)

1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134

This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv to 0.7.22:

- reworked choice rule generation to cover more usecases

- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)

- support parsing of Debian's Multi-Arch indicator

- fix segfault on conflict resolution when using bindings

- fix split provides not working if the update includes a forbidden vendor change

- support strict repository priorities

new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY

- support zstd compressed control files in debian packages

- add an ifdef allowing to rename Solvable dependency members ('requires' is a keyword in C++20)

- support setting/reading userdata in solv files

new functions: repowriter_set_userdata, solv_read_userdata

- support querying of the custom vendor check function

new function: pool_get_custom_vendorcheck

- support solv files with an idarray block

- allow accessing the toolversion at runtime

libzypp to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)

- Fix possible hang in singletrans mode (bsc#1197134)

- Do 2 retries if mount is still busy.

- Fix package signature check (bsc#1184501)

Pay attention that header and payload are secured by a valid signature and report in more detail which signature is missing.

- Retry umount if device is busy (bsc#1196061, closes #381)

A previously released ISO image may need a bit more time to release its loop device. So we wait a bit and retry.

- Fix serializing/deserializing type mismatch in zypp-rpm protocol (bsc#1196925)

- Fix handling of ISO media in releaseAll (bsc#1196061)

- Hint on common ptf resolver conflicts (bsc#1194848)

- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)

- info: Fix SEGV with not installed PTFs (bsc#1196317)

- Don't prevent less restrictive umasks (bsc#1195999)

1198062,CVE-2022-1271

This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

1177047,1180713,1198062,CVE-2022-1271

This update for gzip fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

The following non-security bugs were fixed:

- Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

1196939

This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

1195628,1196107

This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstdc++6 package to keep those at the same version. [bsc#1196107]

- Fixed memory corruption when creating dependences with the D language frontend.

- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

- Put libstdc++6-pp Requires on the shared library and drop to Recommends.

1195251

This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMWare by default (bsc#1195251)

1198237

This update for binutils fixes the following issues:

- The official name IBM z16 for IBM zSeries arch14 is recognized. (bsc#1198237)

1193489

This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket::VERSION comparisons (bsc#1193489)

1197794

This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

1197775

This update for llvm7 fixes the following issues:

- Backport fixes and changes from Factory. (bsc#1197775)

- Drop RUNPATH from packaged binaries, instead set LD_LIBRARY_PATH for building and testing to simulate behavior of actual package.

- Fix build with linux-glibc-devel 5.13.

1197771

This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

CVE-2022-1271

This update for gzip fixes the following issues:

- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

1198446,CVE-2022-1304

This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault and possibly arbitrary code execution. (bsc#1198446)

1197443

This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

1196490,1199132,CVE-2022-23308,CVE-2022-29824

This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).

- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

1191157,1197004,1199240,CVE-2022-29155

This update for openldap2 fixes the following issues:

Security:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

Bugfixes:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)

- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

1197716

This update for gcc8 fixes the following issues:

- Fix build against SP4. (bsc#1197716)

- Remove bogus fixed include bits/statx.h from glibc 2.30 (bsc#1197716)

1040589

This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

1192951,1193659,1195283,1196861,1197065

This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64. [bsc#1195283]

* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]

* use --with-cpu rather than specifying --with-arch/--with-tune

* Fix D memory corruption in -M output.

* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]

* fixes issue with debug dumping together with -o /dev/null

* fixes libgccjit issue showing up in emacs build [bsc#1192951]

* Package mwaitintrin.h

1191908,1198422

This update for binutils fixes the following issues:

- Revert back to old behaviour of not ignoring the in-section content of to be relocated fields on x86-64, even though that's a RELA architecture. Compatibility with buggy object files generated by old tools. [bsc#1198422]

- Fix a problem in crash not accepting some of our .ko.debug files. (bsc#1191908)

1185637,1199166,CVE-2022-1292

This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

1198458

This update for binutils fixes the following issues:

- For building the shim 15.6~rc1 and later versions aarch64 image, objcopy needs to support efi-app-aarch64 target. (bsc#1198458)

1200550,CVE-2022-2068

This update for openssl fixes the following issues:

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

1201099,CVE-2022-2097

This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

1199232,CVE-2022-1586

This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

1180065,CVE-2020-29362

This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

1148309,1191502,1195529,1200170

This update for systemd fixes the following issues:

- Allow control characters in environment variable values (bsc#1200170)

- basic/env-util: Allow newlines in values of environment variables

- man: tweak description of auto/noauto (bsc#1191502)

- shared/install: avoid overwriting 'r' counter with a partial result (bsc#1148309)

- shared/install: fix error codes returned by install_context_apply()

- shared/install: ignore failures for auxiliary files

- systemctl: suppress enable/disable messages when `-q` is given

- test-env-util: Verify that \r is disallowed in env var values

- test-env-util: print function headers

- udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)

1194550,1197684,1199042

This update for libzypp, zypper fixes the following issues:

libzypp:

- appdata plugin: Pass path to the repodata/ directory inside the cache (bsc#1197684)

- zypp-rpm: flush rpm script output buffer before sending endOfScriptTag

- PluginRepoverification: initial version hooked into repo::Downloader and repo refresh

- Immediately start monitoring the download.transfer_timeout. Do not wait until the first data arrived (bsc#1199042)

- singletrans: no dry-run commit if doing just download-only

- Work around cases where sat repo.start points to an invalid solvable. May happen if (wrong arch) solvables were removed at the beginning of the repo.

- Fix misplaced #endif SINGLE_RPMTRANS_AS_DEFAULT_FOR_ZYPPER

zypper:

- Basic JobReport for 'cmdout/monitor'

- versioncmp: if verbose, also print the edition 'parts' which are compared

- Make sure MediaAccess is closed on exception (bsc#1194550)

- Display plus-content hint conditionally

- Honor the NO_COLOR environment variable when auto-detecting whether to use color

- Define table columns which should be sorted natural [case insensitive]

- lr/ls: Use highlight color on name and alias as well

1198627,CVE-2022-29458

This update for ncurses fixes the following issues:

- CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

1199223,1199224,1200735,1200737,CVE-2022-27781,CVE-2022-27782,CVE-2022-32206,CVE-2022-32208

This update for curl fixes the following issues:

- CVE-2022-27781: Fixed an issue where curl will get stuck in an infinite loop when trying to retrieve details about a TLS server's certificate chain (bnc#1199223).

- CVE-2022-27782: Fixed an issue where TLS and SSH connections would be reused even when a related option had been changed (bsc#1199224).

- CVE-2022-32206: Fixed an uncontrolled memory consumption issue caused by an unbounded number of compression layers (bsc#1200735).

- CVE-2022-32208: Fixed an incorrect message verification issue when performing FTP transfers using krb5 (bsc#1200737).

1196167,1202020,CVE-2021-4209,CVE-2022-2509

This update for gnutls fixes the following issues:

- CVE-2022-2509: Fixed a double free issue during PKCS7 verification (bsc#1202020).

- CVE-2021-4209: Fixed null pointer dereference in MD_UPDATE (bsc#1196167).

1199524,1200485,CVE-2022-1706

This update for systemd-presets-common-SUSE fixes the following issues:

- CVE-2022-1706: Fixed accessible configs from unprivileged containers in VMs running on VMware products (bsc#1199524).

The following non-security bugs were fixed:

- Modify branding-preset-states to fix systemd-presets-common-SUSE not enabling new user systemd service preset configuration just as it handles system service presets. By passing an (optional) second parameter 'user', the save/apply-changes commands now work with user services instead of system ones (bsc#1200485)

- Add the wireplumber user service preset to enable it by default in SLE15-SP4 where it replaced pipewire-media-session, but keep pipewire-media-session preset so we don't have to branch the systemd-presets-common-SUSE package for SP4 (bsc#1200485)

1198341

This update for openldap2 fixes the following issues:

- Prevent memory reuse which may lead to instability (bsc#1198341)

1181475

This update for procps fixes the following issues:

- Fix 'free' command reporting misleading 'used' value (bsc#1181475)

1202175,CVE-2022-37434

This update for zlib fixes the following issues:

- CVE-2022-37434: Fixed heap-based buffer over-read or buffer overflow via large gzip header extra field (bsc#1202175).

1198752,1200800,1201680,CVE-2021-46828

This update for libtirpc fixes the following issues:

- CVE-2021-46828: Fixed an uncontrolled file descriptor consumption, which could be exploited by remote attackers to prevent applications using the library from accepting new connections (bsc#1201680).

Non-security fixes:

- Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)

- Fix memory leak in params.r_addr assignment (bsc#1198752)

1198925

This update for lame, libass, libcdio-paranoia, libdc1394, libgsm, libva, libvdpau, libvorbis, libvpx, libwebp, openjpeg, opus, speex, twolame adds some missing 32bit libraries to some products. (bsc#1198925)

No code changes were done in this update.

1197178,1198731,1200842

This update for util-linux fixes the following issues:

- su: Change owner and mode for pty (bsc#1200842)

- agetty: Resolve tty name even if stdin is specified (bsc#1197178)

- libmount: When moving a mount point, update all sub mount entries in utab (bsc#1198731)

- mesg: use only stat() to get the current terminal status (bsc#1200842)

1201225,CVE-2022-34903

This update for gpg2 fixes the following issues:

- CVE-2022-34903: Fixed a potential signature forgery via injection into the status line when certain unusual conditions are met (bsc#1201225).

1199895,1200993,1201092,1201576,1201638

This update for libzypp, zypper fixes the following issues:

libzypp:

- Improve handling of package locks, allowing to reset the status of its initial state (bsc#1199895)

- Fix issues when receiving exceptions from curl_easy_cleanup (bsc#1201092)

- Don't auto-flag kernel-firmware as 'reboot-needed' (bsc#1200993)

- Remove MediaNetwork and its dependent code. The first reason for this is that MediaNetwork was just meant as a way to test the new CURL based downloader. Second, the Provide API is going to completely replace the current media backend.

zypper:

- Truncate the 'Name' column when using `zypper lr`, if the table is wider than the terminal (bsc#1201638)

- Reject install/remove modifier without argument (bsc#1201576)

- zypper-download: Handle unresolvable arguments as errors

- Put signing key supplying repository name in quotes

1199140

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for libassuan fixes the following issues:

- Add a timeout for writing to a SOCKS5 proxy

- Add workaround for a problem with LD_LIBRARY_PATH on newer systems

- Fix issue in the logging code

- Fix some build trivialities

- Upgrade autoconf

1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737

This update for sqlite3 fixes the following issues:

- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783).

- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802).

- Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773).

1159635,CVE-2019-19906

This update for cyrus-sasl fixes the following issues:

- CVE-2019-19906: Fixed an out-of-bounds write that could lead to unauthenticated remote denial of service in OpenLDAP via a malformed LDAP packet (bsc#1159635).

1189282,1201972,1203649

This update for libzypp, zypper fixes the following issues:

libzypp:

- Enable 'zck' support for SUSE Linux Enterprise 15 Service Pack 4 and newer (bsc#1189282)

- Fix regression leading to `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)

- Remove migration code that is no longer needed (bsc#1203649)

- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

zypper:

- Fix contradiction in the man page: `--download-in-advance` option is the default behavior

- Fix regression leading to `--allow-vendor-change` and `--no-allow-vendor-change` options being ignored (bsc#1201972)

- Fix tests to use locale 'C.UTF-8' rather than 'en_US'

- Make sure 'up' respects solver related CLI options (bsc#1201972)

- Remove unneeded code to compute the PPP status because it is now auto established

- Store logrotate files in vendor specific directory '/usr/etc/logrotate.d' if so defined

1203438,CVE-2022-40674

This update for expat fixes the following issues:

- CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

1204357,CVE-2022-3515

This update for libksba fixes the following issues:

- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).

1202593,1204383,CVE-2022-32221,CVE-2022-35252

This update for curl fixes the following issues:

- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).

1204690,CVE-2021-46848

This update for libtasn1 fixes the following issues:

- CVE-2021-46848: Fixed off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)

1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012

This update for dbus-1 fixes the following issues:

- CVE-2022-42010: Fixed potential crash that could be triggered by an invalid signature (bsc#1204111).

- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).

- CVE-2022-42012: Fixed a use-after-free that could be triggered by a message in non-native endianness with out-of-band Unix file descriptor (bsc#1204113).

Bugfixes:

- Disable asserts (bsc#1087072).

1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304

This update for libxml2 fixes the following issues:

- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).

- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).

- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).

1180995

This update for openssl-1_1 fixes the following issues:

- FIPS: Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode. (bsc#1180995)

1196840,1199492,1199918,1199926,1199927

This update for aaa_base and iputils fixes the following issues:

aaa_base:

- Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)

- The wrapper rootsh is not a restricted shell (bsc#1199492)

iputils:

- Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)

This update for pam fixes the following issue:

- Update pam_motd to the most current version. (PED-1712)

1204708,CVE-2022-43680

This update for expat fixes the following issues:

- CVE-2022-43680: Fixed use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

1203652

This update for zlib fixes the following issues:

- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)

1201959

This update for util-linux fixes the following issues:

- libuuid improvements (bsc#1201959, PED-1150):

libuuid: Fix range when parsing UUIDs.

Improve cache handling for short running applications: increment the cache size over runtime.

Implement continuous clock handling for time based UUIDs.

Check clock value from clock file to provide seamless libuuid.

1199944,CVE-2022-1664

This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

1142579,1185597,1185712,1188374,1191473,1193929,1194783,1197592,1198237,1202816,1202966,1202967,1202969,CVE-2019-1010204,CVE-2021-3530,CVE-2021-3648,CVE-2021-3826,CVE-2021-45078,CVE-2021-46195,CVE-2022-27943,CVE-2022-38126,CVE-2022-38127,CVE-2022-38533

This update for binutils fixes the following issues:

The following security bugs were fixed:

- CVE-2019-1010204: Fixed out-of-bounds read in elfcpp/elfcpp_file.h (bsc#1142579).

- CVE-2021-3530: Fixed stack-based buffer overflow in demangle_path() in rust-demangle.c (bsc#1185597).

- CVE-2021-3648: Fixed infinite loop while demangling rust symbols (bsc#1188374).

- CVE-2021-3826: Fixed heap/stack buffer overflow in the dlang_lname function in d-demangle.c (bsc#1202969).

- CVE-2021-45078: Fixed out-of-bounds write in stab_xcoff_builtin_type() in stabs.c (bsc#1193929).

- CVE-2021-46195: Fixed uncontrolled recursion in libiberty/rust-demangle.c (bsc#1194783).

- CVE-2022-27943: Fixed stack exhaustion in demangle_const in (bsc#1197592).

- CVE-2022-38126: Fixed assertion fail in the display_debug_names() function in binutils/dwarf.c (bsc#1202966).

- CVE-2022-38127: Fixed NULL pointer dereference in the read_and_display_attr_value() function in binutils/dwarf.c (bsc#1202967).

- CVE-2022-38533: Fixed heap out-of-bounds read in bfd_getl32 (bsc#1202816).

The following non-security bugs were fixed:

- SLE toolchain update of binutils, update to 2.39 from 2.37.

- Update to 2.39:

* The ELF linker will now generate a warning message if the stack is made executable. Similarly it will warn if the output binary contains a segment with all three of the read, write and execute permission bits set. These warnings are intended to help developers identify programs which might be vulnerable to attack via these executable memory regions.

The warnings are enabled by default but can be disabled via a command line option. It is also possible to build a linker with the warnings disabled, should that be necessary.

* The ELF linker now supports a --package-metadata option that allows embedding a JSON payload in accordance with the Package Metadata specification.

* In linker scripts it is now possible to use TYPE= in an output section description to set the section type value.

* The objdump program now supports coloured/colored syntax highlighting of its disassembler output for some architectures. (Currently: AVR, RiscV, s390, x86, x86_64).

* The nm program now supports a --no-weak/-W option to make it ignore weak symbols.

* The readelf and objdump programs now support a -wE option to prevent them from attempting to access debuginfod servers when following links.

* The objcopy program's --weaken, --weaken-symbol, and --weaken-symbols options now work with unique symbols as well.

- Update to 2.38:

* elfedit: Add --output-abiversion option to update ABIVERSION.

* Add support for the LoongArch instruction set.

* Tools which display symbols or strings (readelf, strings, nm, objdump)

have a new command line option which controls how unicode characters are

handled. By default they are treated as normal for the tool. Using

--unicode=locale will display them according to the current locale.

Using --unicode=hex will display them as hex byte values, whilst

--unicode=escape will display them as escape sequences. In addition

using --unicode=highlight will display them as unicode escape sequences

highlighted in red (if supported by the output device).

* readelf -r dumps RELR relative relocations now.

* Support for efi-app-aarch64, efi-rtdrv-aarch64 and efi-bsdrv-aarch64 has been

added to objcopy in order to enable UEFI development using binutils.

* ar: Add --thin for creating thin archives. -T is a deprecated alias without

diagnostics. In many ar implementations -T has a different meaning, as

specified by X/Open System Interface.

* Add support for AArch64 system registers that were missing in previous

releases.

* Add support for the LoongArch instruction set.

* Add a command-line option, -muse-unaligned-vector-move, for x86 target

to encode aligned vector move as unaligned vector move.

* Add support for Cortex-R52+ for Arm.

* Add support for Cortex-A510, Cortex-A710, Cortex-X2 for AArch64.

* Add support for Cortex-A710 for Arm.

* Add support for Scalable Matrix Extension (SME) for AArch64.

* The --multibyte-handling=[allow|warn|warn-sym-only] option tells the

assembler what to do when it encounters multibyte characters in the input. The

default is to allow them. Setting the option to 'warn' will generate a

warning message whenever any multibyte character is encountered. Using the

option to 'warn-sym-only' will make the assembler generate a warning whenever a

symbol is defined containing multibyte characters. (References to undefined

symbols will not generate warnings).

* Outputs of .ds.x directive and .tfloat directive with hex input from

x86 assembler have been reduced from 12 bytes to 10 bytes to match the

output of .tfloat directive.

* Add support for 'armv8.8-a', 'armv9-a', 'armv9.1-a', 'armv9.2-a' and

'armv9.3-a' for -march in AArch64 GAS.

* Add support for 'armv8.7-a', 'armv8.8-a', 'armv9-a', 'armv9.1-a',

'armv9.2-a' and 'armv9.3-a' for -march in Arm GAS.

* Add support for Intel AVX512_FP16 instructions.

* Add -z pack-relative-relocs/-z nopack-relative-relocs to x86 ELF

linker to pack relative relocations in the DT_RELR section.

* Add support for the LoongArch architecture.

* Add -z indirect-extern-access/-z noindirect-extern-access to x86 ELF

linker to control canonical function pointers and copy relocation.

* Add --max-cache-size=SIZE to set the maximum cache size to SIZE

bytes.

- Explicitly enable --enable-warn-execstack=yes and --enable-warn-rwx-segments=yes.

- Add gprofng subpackage.

- Include recognition of 'z16' name for 'arch14' on s390. (bsc#1198237).

- Add back fix for bsc#1191473, which got lost in the update to 2.38.

- Install symlinks for all target specific tools on arm-eabi-none (bsc#1185712).

- Enable PRU architecture for AM335x CPU (Beagle Bone Black board)

1205126,CVE-2022-42898

This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

1174414,CVE-2019-2708

This update for libdb-4_8 fixes the following issues:

- CVE-2019-2708: Fixed partial DoS due to data store execution (bsc#1174414).

This update for gcc12 fixes the following issues:

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15

versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux

Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.

The Go, D and Ada language compiler parts are available unsupported via the

PackageHub repositories.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.

- override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

https://gcc.gnu.org/gcc-12/changes.html

1181961,CVE-2021-20206

This update for cni fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

1181961,CVE-2021-20206

This update for cni-plugins fixes the following issues:

- CVE-2021-20206: Fixed arbitrary path injection via type field in CNI configuration (bsc#1181961).

1206337,CVE-2022-46908

This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism,

when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

1206579,CVE-2022-47629

This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL

signature parser (bsc#1206579).

1206412

This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412)

- Make sure that correct library version is installed (bsc#1206412)

1203652

This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

1207533,1207534,1207536,CVE-2022-4304,CVE-2023-0215,CVE-2023-0286

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).

- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).

- CVE-2022-4304: Fixed timing Oracle in RSA Decryption (bsc#1207534).

1194038,1205646

This update for util-linux fixes the following issues:

- Fix tests not passing when '@' character is in build path:

Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

- libuuid continuous clock handling for time based UUIDs:

Prevent use of the new libuuid ABI by uuidd %post before update

of libuuid1 (bsc#1205646).

1208067,CVE-2022-4904

This update for c-ares fixes the following issues:

Updated to version 1.19.0:

- CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).

1204585

This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):

* Added file xmlts20080827.tar.gz

This update for gcc12 fixes the following issues:

This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.

SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ships the GCC 12 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15

versions and replace the same named GCC 11 ones.

The new compilers for C, C++, and Fortran are provided in the SUSE Linux

Enterprise Module for Development Tools.

To use gcc12 compilers use:

- install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.

- override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

For a full changelog with all new GCC12 features, check out

https://gcc.gnu.org/gcc-12/changes.html

1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv:

- Do not autouninstall SUSE PTF packages

- Ensure 'duplinvolvedmap_all' is reset when a solver is reused

- Fix 'keep installed' jobs not disabling 'best update' rules

- New '-P' and '-W' options for `testsolv`

- New introspection interface for weak dependencies similar to ruleinfos

- Ensure special case file dependencies are written correctly in the testcase writer

- Support better info about alternatives

- Support decision reason queries

- Support merging of related decisions

- Support stringification of multiple solvables

- Support stringification of ruleinfo, decisioninfo and decision reasons

libzypp:

- Avoid calling getsockopt when we know the info already.

This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when

accepting new socket connections (bsc#1178233)

- Avoid redirecting 'history.logfile=/dev/null' into the target

- Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956)

- Enhance yaml-cpp detection

- Improve download of optional files

- MultiCurl: Make sure to reset the progress function when falling back.

- Properly reset range requests (bsc#1204548)

- Removing a PTF without enabled repos should always fail (bsc#1203248)

Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well.

To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the

installed PTF packages to their latest version.

- Skip media.1/media download for http repo status calc.

This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed.

This optimisation only takes place if the repo does specify only downloading base urls.

- Use a dynamic fallback for BLKSIZE in downloads.

When not receiving a blocklist via metalink file from the server MediaMultiCurl used to fallback to a fixed,

relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar

metric as the MirrorCache implementation on the server side.

- ProgressData: enforce reporting the INIT||END state (bsc#1206949)

- ps: fix service detection on newer Tumbleweed systems (bsc#1205636)

zypper:

- Allow to (re)add a service with the same URL (bsc#1203715)

- Bump dependency requirement to libzypp-devel 17.31.7 or greater

- Explain outdatedness of repositories

- patterns: Avoid displaying superfluous @System entries (bsc#1205570)

- Provide `removeptf` command (bsc#1203249)

A remove command which prefers replacing dependant packages to removing them as well.

A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant

packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the

remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official

update versions.

- Update man page and explain '.no_auto_prune' (bsc#1204956)

1209624,CVE-2023-0464

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624).

This update for systemd-presets-common-SUSE fixes the following issue:

- Enable systemd-pstore.service by default (jsc#PED-2663)

1209873,1209878,CVE-2023-0465,CVE-2023-0466

This update for openssl-1_1 fixes the following issues:

- CVE-2023-0465: Fixed ignored invalid certificate policies in leaf certificates (bsc#1209878).

- CVE-2023-0466: Fixed disabled certificate policy check (bsc#1209873).

1210323,CVE-2022-48468

This update for protobuf-c fixes the following issues:

- CVE-2022-48468: Fixed an unsigned integer overflow. (bsc#1210323)

1160285,1210096

This update for permissions fixes the following issues:

* mariadb: settings for new auth_pam_tool (bsc#1160285, bsc#1210096)

1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469

This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).

- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).

- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).

The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).

- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270) .

1210507,CVE-2023-29383

This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

1209533,CVE-2022-4899

This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).

1209122

This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122)

1210434,CVE-2023-29491

This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

1206513

This update for zlib fixes the following issues:

- Add DFLTCC support for using inflate() with a small window (bsc#1206513)

1206309,1207992,1209209,1209210,1209211,1209212,1209214,1211231,1211232,1211233,1211339,CVE-2022-43552,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322

This update for curl fixes the following issues:

- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).

- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).

- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).

- CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209).

- CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210).

- CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211).

- CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212).

- CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214).

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

- CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).

1127591,1195633,1208329,1209406,1210870

This update for libzypp, zypper fixes the following issues:

- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)

- multicurl: propagate ssl settings stored in repo url (bsc#1127591)

- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)

- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)

- Teach MediaNetwork to retry on HTTP2 errors.

- Fix selecting installed patterns from picklist (bsc#1209406)

- man: better explanation of --priority

1211604,1211605,1211606,1211607,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067

This update for c-ares fixes the following issues:

Update to version 1.19.1:

- CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)

- CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)

- CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)

- CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)

- Fix uninitialized memory warning in test

- ares_getaddrinfo() should allow a port of 0

- Fix memory leak in ares_send() on error

- Fix comment style in ares_data.h

- Fix typo in ares_init_options.3

- Sync ax_pthread.m4 with upstream

- Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support

1200441

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

1200441

This update of cni fixes the following issues:

- rebuild the package with the go 1.19 security release (bsc#1200441).

1211430,CVE-2023-2650

This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).

1210593

This update for zlib fixes the following issue:

- Fix function calling order to avoid crashes (bsc#1210593)

1211661

This update for libzypp fixes the following issues:

- Do not unconditionally release a medium if provideFile failed (bsc#1211661)

- libzypp.spec.cmake: remove duplicate file listing

- Update to version 17.31.12 (22)

1212187

This update for libzypp fixes the following issue:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]

1201627,1207534,CVE-2022-4304

This update for openssl-1_1 fixes the following issues:

- CVE-2022-4304: Reworked the fix for the Timing-Oracle in RSA decryption.

The previous fix for this timing side channel turned out to cause a

severe 2-3x performance regression in the typical use case (bsc#1207534).

- Update further expiring certificates that affect tests [bsc#1201627]

* Add openssl-Update-further-expiring-certificates.patch

This update for gcc12 fixes the following issues:

- Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

* includes regression and other bug fixes

- Speed up builds with --enable-link-serialization.

- Update embedded newlib to version 4.2.0

1211261,1212187,1212222

This update for libzypp, zypper fixes the following issues:

libzypp was updated to version 17.31.14 (22):

- build: honor libproxy.pc's includedir (bsc#1212222)

- Curl: trim all custom headers (bsc#1212187)

HTTP/2 RFC 9113 forbids fields ending with a space. So we make

sure all custom headers are trimmed. This also includes headers

returned by URL-Resolver plugins.

zypper was updated to version 1.14.61:

- targetos: Add an error note if XPath:/product/register/target

is not defined in /etc/products.d/baseproduct (bsc#1211261)

- targetos: Update help and man page (bsc#1211261)

1206346

This update of cni fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

1206346

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.20 security release (bsc#1206346).

1212126,CVE-2023-34969

This update for dbus-1 fixes the following issues:

- CVE-2023-34969: Fixed a possible dbus-daemon crash by an unprivileged user (bsc#1212126).

1089497

This update for gpgme fixes the following issues:

gpgme:

- Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497)

libassuan:

- Version upgrade to 2.5.5 in LTSS to address gpgme new requirements

1193015

This update for util-linux fixes the following issues:

- Fix memory leak on parse errors in libmount. (bsc#1193015)

1211419,CVE-2023-2603

This update for libcap fixes the following issues:

- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

1213487,CVE-2023-3446

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487).

1099695

This update for libdb-4_8 fixes the following issues:

- Fix incomplete license tag (bsc#1099695)

1213517

This update for openssl-1_1 fixes the following issues:

- Don't pass zero length input to EVP_Cipher (bsc#1213517)

1211079

This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

1213282

This update for binutils fixes the following issues:

- Add `binutils-disable-dt-relr.sh` to address compatibility problems with the glibc version included in future

SUSE Linux Enterprise releases (bsc#1213282, jsc#PED-1435)

1214054,CVE-2023-36054

This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

1214025,CVE-2023-4156

This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

1214290,CVE-2023-4016

This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

1158763,1210740,1213231,1213557,1213673

This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)

- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)

- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)

- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)

- Revised explanation of --force-resolution in man page (bsc#1213557)

- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

1183533,1211945,1211946,1211947,1211948,1211951,CVE-2021-28153,CVE-2023-29499,CVE-2023-32611,CVE-2023-32636,CVE-2023-32643,CVE-2023-32665

This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files. (bsc#1183533)

- CVE-2023-32665: Fixed GVariant deserialisation which does not match spec for non-normal data. (bsc#1211945)

- CVE-2023-32643: Fixed a heap-buffer-overflow in g_variant_serialised_get_child(). (bsc#1211946)

- CVE-2023-29499: Fixed GVariant offset table entry size which is not checked in is_normal(). (bsc#1211947)

- CVE-2023-32636: Fixed a wrong timeout in fuzz_variant_text(). (bsc#1211948)

- CVE-2023-32611: Fixed an issue where g_variant_byteswap() can take a long time with some non-normal inputs. (bsc#1211951)

1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

1195517,1196861,1204505,1205145,1214052,CVE-2023-4039

This update for gcc7 fixes the following issues:

Security issue fixed:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

Other fixes:

- Fixed KASAN kernel compile. [bsc#1205145]

- Fixed ICE with C++17 code as reported in [bsc#1204505]

- Fixed altivec.h redefining bool in C++ which makes bool unusable (bsc#1195517):

- Adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

1212475

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

1212475

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

1200962,1206080,1206556,1208037,1208038,1208040,1208409,1209642,1210297,1210733,1213458,1214565,1214567,1214579,1214580,1214604,1214611,1214619,1214620,1214623,1214624,1214625,CVE-2020-19726,CVE-2021-32256,CVE-2022-35205,CVE-2022-35206,CVE-2022-4285,CVE-2022-44840,CVE-2022-45703,CVE-2022-47673,CVE-2022-47695,CVE-2022-47696,CVE-2022-48063,CVE-2022-48064,CVE-2022-48065,CVE-2023-0687,CVE-2023-1579,CVE-2023-1972,CVE-2023-2222,CVE-2023-25585,CVE-2023-25587,CVE-2023-25588

This update for binutils fixes the following issues:

Update to version 2.41 [jsc#PED-5778]:

* The MIPS port now supports the Sony Interactive Entertainment Allegrex

processor, used with the PlayStation Portable, which implements the MIPS

II ISA along with a single-precision FPU and a few implementation-specific

integer instructions.

* Objdump's --private option can now be used on PE format files to display the

fields in the file header and section headers.

* New versioned release of libsframe: libsframe.so.1. This release introduces

versioned symbols with version node name LIBSFRAME_1.0. This release also

updates the ABI in an incompatible way: this includes removal of

sframe_get_funcdesc_with_addr API, change in the behavior of

sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.

* SFrame Version 2 is now the default (and only) format version supported by

gas, ld, readelf and objdump.

* Add command-line option, --strip-section-headers, to objcopy and strip to

remove ELF section header from ELF file.

* The RISC-V port now supports the following new standard extensions:

- Zicond (conditional zero instructions)

- Zfa (additional floating-point instructions)

- Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,

Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)

* The RISC-V port now supports the following vendor-defined extensions:

- XVentanaCondOps

* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.

* A new .insn directive is recognized by x86 gas.

* Add SME2 support to the AArch64 port.

* The linker now accepts a command line option of --remap-inputs

= to replace any input file that matches with

. In addition the option --remap-inputs-file= can be used to

specify a file containing any number of these remapping directives.

* The linker command line option --print-map-locals can be used to include

local symbols in a linker map. (ELF targets only).

* For most ELF based targets, if the --enable-linker-version option is used

then the version of the linker will be inserted as a string into the .comment

section.

* The linker script syntax has a new command for output sections: ASCIZ 'string'

This will insert a zero-terminated string at the current location.

* Add command-line option, -z nosectionheader, to omit ELF section

header.

- Contains fixes for these non-CVEs (not security bugs per upstream's

SECURITY.md):

* bsc#1209642 aka CVE-2023-1579 aka PR29988

* bsc#1210297 aka CVE-2023-1972 aka PR30285

* bsc#1210733 aka CVE-2023-2222 aka PR29936

* bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)

* bsc#1214565 aka CVE-2020-19726 aka PR26240

* bsc#1214567 aka CVE-2022-35206 aka PR29290

* bsc#1214579 aka CVE-2022-35205 aka PR29289

* bsc#1214580 aka CVE-2022-44840 aka PR29732

* bsc#1214604 aka CVE-2022-45703 aka PR29799

* bsc#1214611 aka CVE-2022-48065 aka PR29925

* bsc#1214619 aka CVE-2022-48064 aka PR29922

* bsc#1214620 aka CVE-2022-48063 aka PR29924

* bsc#1214623 aka CVE-2022-47696 aka PR29677

* bsc#1214624 aka CVE-2022-47695 aka PR29846

* bsc#1214625 aka CVE-2022-47673 aka PR29876

- This existed only for a very short while in SLE-15, as the main

variant in devel:gcc subsumed this in binutils-revert-rela.diff.

Hence:

- Document fixed CVEs:

* bsc#1208037 aka CVE-2023-25588 aka PR29677

* bsc#1208038 aka CVE-2023-25587 aka PR29846

* bsc#1208040 aka CVE-2023-25585 aka PR29892

* bsc#1208409 aka CVE-2023-0687 aka PR29444

- Enable bpf-none cross target and add bpf-none to the multitarget

set of supported targets.

- Disable packed-relative-relocs for old codestreams. They generate

buggy relocations when binutils-revert-rela.diff is active.

[bsc#1206556]

- Disable ZSTD debug section compress by default.

- Enable zstd compression algorithm (instead of zlib)

for debug info sections by default.

- Pack libgprofng only for supported platforms.

- Move libgprofng-related libraries to the proper locations (packages).

- Add --without=bootstrap for skipping of bootstrap (faster testing

of the package).

- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]

Update to version 2.40:

* Objdump has a new command line option --show-all-symbols which will make it

display all symbols that match a given address when disassembling. (Normally

only the first symbol that matches an address is shown).

* Add --enable-colored-disassembly configure time option to enable colored

disassembly output by default, if the output device is a terminal. Note,

this configure option is disabled by default.

* DCO signed contributions are now accepted.

* objcopy --decompress-debug-sections now supports zstd compressed debug

sections. The new option --compress-debug-sections=zstd compresses debug

sections with zstd.

* addr2line and objdump --dwarf now support zstd compressed debug sections.

* The dlltool program now accepts --deterministic-libraries and

--non-deterministic-libraries as command line options to control whether or

not it generates deterministic output libraries. If neither of these options

are used the default is whatever was set when the binutils were configured.

* readelf and objdump now have a newly added option --sframe which dumps the

SFrame section.

* Add support for Intel RAO-INT instructions.

* Add support for Intel AVX-NE-CONVERT instructions.

* Add support for Intel MSRLIST instructions.

* Add support for Intel WRMSRNS instructions.

* Add support for Intel CMPccXADD instructions.

* Add support for Intel AVX-VNNI-INT8 instructions.

* Add support for Intel AVX-IFMA instructions.

* Add support for Intel PREFETCHI instructions.

* Add support for Intel AMX-FP16 instructions.

* gas now supports --compress-debug-sections=zstd to compress

debug sections with zstd.

* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}

that selects the default compression algorithm

for --enable-compressed-debug-sections.

* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,

XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,

XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head

ISA manual, which are implemented in the Allwinner D1.

* Add support for the RISC-V Zawrs extension, version 1.0-rc4.

* Add support for Cortex-X1C for Arm.

* New command line option --gsframe to generate SFrame unwind information

on x86_64 and aarch64 targets.

* The linker has a new command line option to suppress the generation of any

warning or error messages. This can be useful when there is a need to create

a known non-working binary. The option is -w or --no-warnings.

* ld now supports zstd compressed debug sections. The new option

--compress-debug-sections=zstd compresses debug sections with zstd.

* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}

that selects the default compression algorithm

for --enable-compressed-debug-sections.

* Remove support for -z bndplt (MPX prefix instructions).

- Includes fixes for these CVEs:

* bsc#1206080 aka CVE-2022-4285 aka PR29699

- Enable by default: --enable-colored-disassembly.

- fix build on x86_64_vX platforms

1213854,1214292,1214395,1215007

This update for zypper fixes the following issues:

- Fix name of the bash completion script (bsc#1215007)

- Update notes about failing signature checks (bsc#1214395)

- Improve the SIGINT handler to be signal safe (bsc#1214292)

- Update to version 1.14.64

- Changed location of bash completion script (bsc#1213854).

1213853,CVE-2023-3817

This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)

1214806,CVE-2023-4641

This update for shadow fixes the following issues:

- CVE-2023-4641: Fixed potential password leak (bsc#1214806).

1215286,1215505,CVE-2023-4813

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Other changes:

- Added GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

- Run vismain only if linker supports protected data symbol (bsc#1215505)

1212475,1216006

This update of cni fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

1212475,1216006

This update of cni-plugins fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15

versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux

Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available

unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.

- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out

https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable

length stack allocations. (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs

- Fixed missed optimization in Skia resulting in Firefox crashes when

building with LTO. [bsc#1212101]

- Make libstdc++6-devel packages own their directories since they

can be installed standalone. [bsc#1211427]

- Add new x86-related intrinsics (amxcomplexintrin.h).

- RISC-V: Add support for inlining subword atomic operations

- Use --enable-link-serialization rather than --enable-link-mutex,

the benefit of the former one is that the linker jobs are not

holding tokens of the make's jobserver.

- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd

for the general state of BPF with GCC.

- Add bootstrap conditional to allow --without=bootstrap to be

specified to speed up local builds for testing.

- Bump included newlib to version 4.3.0.

- Also package libhwasan_preinit.o on aarch64.

- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.

- Package libhwasan_preinit.o on x86_64.

- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]

- Enable PRU flavour for gcc13

- update floatn fixinclude pickup to check each header separately (bsc#1206480)

- Redo floatn fixinclude pick-up to simply keep what is there.

- Bump libgo SONAME to libgo22.

- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.

- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.

- Depend on at least LLVM 13 for GCN cross compiler.

- Update embedded newlib to version 4.2.0

- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use the gcc13 compilers:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.

- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Work around third party app crash during C++ standard library initialization. [bsc#1216664]

- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)

- Bump included newlib to version 4.3.0.

- Update to GCC trunk head (r13-5254-g05b9868b182bb9)

- Redo floatn fixinclude pick-up to simply keep what is there.

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

- Also handle -static-pie in the default-PIE specs

- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]

- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]

- Add new x86-related intrinsics (amxcomplexintrin.h).

- RISC-V: Add support for inlining subword atomic operations

- Use --enable-link-serialization rather than --enable-link-mutex; the benefit of the former is that the linker jobs do not hold tokens of make's jobserver.

- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.

- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.

- Bump included newlib to version 4.3.0.

- Also package libhwasan_preinit.o on aarch64.

- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.

- Package libhwasan_preinit.o on x86_64.

- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]

- Enable PRU flavour for gcc13

- update floatn fixinclude pickup to check each header separately (bsc#1206480)

- Redo floatn fixinclude pick-up to simply keep what is there.

- Bump libgo SONAME to libgo22.

- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.

- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.

- Depend on at least LLVM 13 for GCN cross compiler.

- Update embedded newlib to version 4.2.0

- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

1216129,CVE-2023-45322

This update for libxml2 fixes the following issues:

- CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

1213865,CVE-2018-7738

This update for util-linux fixes the following issues:

- CVE-2018-7738: Fixed shell code injection in umount bash-completions (bsc#1213865).

1216922,CVE-2023-5678

This update for openssl-1_1 fixes the following issues:

- CVE-2023-5678: Fixed generating and checking of excessively long X9.42 DH keys that resulted in a possible Denial of Service (bsc#1216922).

1041742,1203760,1212422,1215979,1216091

This update for libzypp, zypper fixes the following issues:

- Preliminarily disable 'rpm --runposttrans' usage for chrooted systems (bsc#1216091)

- Fix comment typo on zypp.conf (bsc#1215979)

- Attempt to delay %transfiletrigger(postun|in) execution if rpm supports it (bsc#1041742)

- Make sure the old target is deleted before a new one is created (bsc#1203760)

- Return 104 also if info suggests near matches

- Rephrase upgrade message for openSUSE Tumbleweed (bsc#1212422)

- commit: Insert a headline to separate output of different rpm scripts (bsc#1041742)

1215713,1216174,CVE-2023-35945,CVE-2023-44487

Updates the Cilium addon, as it was rebuilt to include a couple of security fixes.

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150000.3.60.1 updated

- binutils-2.41-150100.7.46.1 updated

- cilium-proxy-20200109-150100.3.3.14.1 updated

- clang7-7.0.1-150100.3.22.2 updated

- cni-plugins-0.8.6-150100.3.20.1 updated

- cni-0.7.1-150100.3.16.1 updated

- coreutils-8.29-4.3.1 updated

- cpp7-7.5.0+r278197-150000.4.35.1 updated

- dbus-1-1.12.2-150100.8.17.1 updated

- filesystem-15.0-11.8.1 updated

- gawk-4.2.1-150000.3.3.1 updated

- gcc7-7.5.0+r278197-150000.4.35.1 updated

- glibc-32bit-2.26-150000.13.70.1 updated

- glibc-devel-32bit-2.26-150000.13.70.1 updated

- glibc-devel-2.26-150000.13.70.1 updated

- glibc-2.26-150000.13.70.1 updated

- gpg2-2.2.5-150000.4.22.1 updated

- grep-3.1-150000.4.6.1 updated

- gzip-1.10-150000.4.15.1 updated

- krb5-1.16.3-150100.3.30.1 updated

- libLLVM7-7.0.1-150100.3.22.2 updated

- libLTO7-7.0.1-150100.3.22.2 updated

- libasan4-7.5.0+r278197-150000.4.35.1 updated

- libassuan0-2.5.5-150000.4.5.2 updated

- libatomic1-13.2.1+git7813-150000.1.6.1 updated

- libaugeas0-1.10.1-150000.3.12.1 updated

- libblkid1-2.33.2-150100.4.40.1 updated

- libcap2-2.26-150000.4.9.1 updated

- libcares2-1.19.1-150000.3.23.1 updated

- libcilkrts5-7.5.0+r278197-150000.4.35.1 updated

- libclang7-7.0.1-150100.3.22.2 updated

- libcom_err2-1.43.8-150000.4.33.1 updated

- libcryptsetup12-2.0.6-150100.4.6.1 updated

- libctf-nobfd0-2.41-150100.7.46.1 updated

- libctf0-2.41-150100.7.46.1 updated

- libcurl4-7.60.0-150000.51.1 updated

- libdb-4_8-4.8.30-150000.7.9.1 updated

- libdbus-1-3-1.12.2-150100.8.17.1 updated

- libexpat1-2.2.5-150000.3.25.1 updated

- libfdisk1-2.33.2-150100.4.40.1 updated

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated

- libglib-2_0-0-2.54.3-150000.4.29.1 updated

- libgnutls30-3.6.7-150000.6.45.2 updated

- libgomp1-13.2.1+git7813-150000.1.6.1 updated

- libgpgme11-1.10.0-150000.4.6.2 updated

- libitm1-13.2.1+git7813-150000.1.6.1 updated

- libksba8-1.3.5-150000.4.6.1 updated

- libldap-2_4-2-2.4.46-150000.9.74.3 updated

- libldap-data-2.4.46-150000.9.74.3 updated

- liblsan0-13.2.1+git7813-150000.1.6.1 updated

- liblzma5-5.2.3-150000.4.7.1 updated

- libmount1-2.33.2-150100.4.40.1 updated

- libmpx2-8.2.1+r264010-150000.1.6.4 updated

- libmpxwrappers2-8.2.1+r264010-150000.1.6.4 updated

- libncurses6-6.1-150000.5.15.1 updated

- libnghttp2-14-1.40.0-150000.3.17.1 updated

- libopenssl1_1-1.1.0i-150100.14.68.1 updated

- libp11-kit0-0.23.2-150000.4.16.1 updated

- libpcre1-8.45-150000.20.13.1 updated

- libprocps7-3.3.15-150000.7.34.1 updated

- libprotobuf-c-devel-1.3.0-150000.3.3.1 updated

- libprotobuf-c1-1.3.0-150000.3.3.1 updated

- libprotobuf-lite20-3.9.2-150100.8.3.3 added

- libprotobuf15-3.5.0-5.5.1 updated

- libprotoc15-3.5.0-5.5.1 updated

- libpsl5-0.20.1-150000.3.3.1 updated

- libsasl2-3-2.1.26-150000.5.13.1 updated

- libsmartcols1-2.33.2-150100.4.40.1 updated

- libsolv-tools-0.7.24-150100.4.12.1 updated

- libsqlite3-0-3.39.3-150000.3.20.1 updated

- libstdc++6-devel-gcc7-7.5.0+r278197-150000.4.35.1 updated

- libstdc++6-13.2.1+git7813-150000.1.6.1 updated

- libsystemd0-234-150000.24.111.1 updated

- libtasn1-6-4.13-150000.4.8.1 updated

- libtasn1-4.13-150000.4.8.1 updated

- libtirpc-netconfig-1.0.2-150000.3.18.1 updated

- libtirpc3-1.0.2-150000.3.18.1 updated

- libtsan0-11.3.0+git1637-150000.1.11.2 updated

- libubsan0-7.5.0+r278197-150000.4.35.1 updated

- libudev1-234-150000.24.111.1 updated

- libusb-1_0-0-1.0.21-150000.3.5.1 updated

- libuuid1-2.33.2-150100.4.40.1 updated

- libxml2-2-2.9.7-150000.3.63.1 updated

- libyaml-cpp0_6-0.6.1-4.5.1 updated

- libz1-1.2.11-150000.3.48.1 updated

- libzstd1-1.4.4-150000.1.9.1 updated

- libzypp-17.31.22-150100.3.120.1 updated

- llvm7-7.0.1-150100.3.22.2 updated

- ncurses-utils-6.1-150000.5.15.1 updated

- openssl-1_1-1.1.0i-150100.14.68.1 added

- openssl-1.1.0i-3.3.1 added

- pam-1.3.0-150000.6.61.1 updated

- perl-base-5.26.1-150000.7.15.1 updated

- permissions-20181116-150100.9.41.1 updated

- procps-3.3.15-150000.7.34.1 updated

- protobuf-c-1.3.0-150000.3.3.1 updated

- shadow-4.6-150100.3.11.1 updated

- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated

- systemd-presets-common-SUSE-15-150100.8.20.1 updated

- systemd-234-150000.24.111.1 updated

- terminfo-base-6.1-150000.5.15.1 updated

- udev-234-150000.24.111.1 updated

- update-alternatives-1.19.0.4-150000.4.4.1 updated

- util-linux-2.33.2-150100.4.40.1 updated

- zypper-1.14.66-150100.3.90.1 updated

- container:sles15-image-15.0.0-6.2.848 updated

- libprotobuf-lite15-3.5.0-5.2.1 removed
